remcos | c3bd1eaa3e042bd0948cfdec06cae89031e5437f14ecc65e4a449a44e7c296ed | Triage

Sharing

General

Target

4b487f91d2504883b4c9df18848af5ef.bin
Size

891KB
Sample

240831-bqa27axdma
MD5

779559ac3b1cbd82a2b01991f87a8f08
SHA1

3da3da722808a6fd4929b1ed73482e8075e77c62
SHA256

c3bd1eaa3e042bd0948cfdec06cae89031e5437f14ecc65e4a449a44e7c296ed
SHA512

0a369ec43b58745027435478b76ef9c2d867d0eb668034e525100e26ec2a92c2ce0c347b2e2d35fe4061aca30a9557fa2bf318aee49e7907ea05c77be964f319
SSDEEP

24576:vnJmajG4w+3U/fokFcsFKzo3PaqQM0NIUk75IYX:PgP0U/Ln+o3PF+E5IYX

Score

10^/10

remcos h�texte discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

H�texte

C2

rodri.selfip.net:50019

racindjah.blogdns.com:50066

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
keylog_crypt
true
keylog_file
journaux.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-B6J50C
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Captures décran
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe
- Size
  
  970KB
- MD5
  
  4b487f91d2504883b4c9df18848af5ef
- SHA1
  
  964e913b8b4cba2232e46b3fe0b73b1c009bed7d
- SHA256
  
  f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607
- SHA512
  
  2f38dfa36bff6235dcddb359af65e3374f556e40fd950c6e5e9b52a474d46227d833fd9897efc925b781f6b97b093b29dc9d119edc88d76a23d3407a1471e23b
- SSDEEP
  
  24576:BYx8QzPlMGKwlyvxR27CYOlOLkgggD8lyftUCp2mv:6x8QzZYvxR2WbRggp0XT
Score

10^/10

remcos h�texte discovery execution persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosh�textediscoveryexecutionpersistencerat

behavioral2

remcosh�textediscoveryexecutionpersistencerat