remcos | 0c74cb57c375c6bc50b869c5d502f2922c593cc77ac119181ec680d32d67c49e | Triage

Sharing

General

Target

0c74cb57c375c6bc50b869c5d502f2922c593cc77ac119181ec680d32d67c49e
Size

1.0MB
Sample

240903-wdyb6stdkf
MD5

d8452fead0ca6746b8d5254065e25639
SHA1

db0b5bb20ef851adba8dc1644407e37a6cb5e2ff
SHA256

0c74cb57c375c6bc50b869c5d502f2922c593cc77ac119181ec680d32d67c49e
SHA512

2f3bee9611b7994bb59b1c08fec434511cef05d57344411e3ae77a3549b998d1cb2d0504df1cde57f356963ce64cab6cf681d023b4f59cc060b51384f6d3848f
SSDEEP

24576:G5pyjpMSvCP3u93N4RsI6pcBmqjoRhowomBrQO:ay+SKW93yRsfc/sTowotO

Score

10^/10

remcos aquafina discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

AQUAFINA

C2

december2n.duckdns.org:6241

december2nd.ddns.net:6241

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-5TYRFW
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  0c74cb57c375c6bc50b869c5d502f2922c593cc77ac119181ec680d32d67c49e
- Size
  
  1.0MB
- MD5
  
  d8452fead0ca6746b8d5254065e25639
- SHA1
  
  db0b5bb20ef851adba8dc1644407e37a6cb5e2ff
- SHA256
  
  0c74cb57c375c6bc50b869c5d502f2922c593cc77ac119181ec680d32d67c49e
- SHA512
  
  2f3bee9611b7994bb59b1c08fec434511cef05d57344411e3ae77a3549b998d1cb2d0504df1cde57f356963ce64cab6cf681d023b4f59cc060b51384f6d3848f
- SSDEEP
  
  24576:G5pyjpMSvCP3u93N4RsI6pcBmqjoRhowomBrQO:ay+SKW93yRsfc/sTowotO
Score

3^/10
behavioral1 behavioral2
- Target
  
  doc_0300304032000.JPG.exe
- Size
  
  1.2MB
- MD5
  
  e7e4cf0e79b15f20dd87a8b11eeabbc8
- SHA1
  
  36612c549b356f26a2e314f9c3a0a643ab1d36eb
- SHA256
  
  a6ba56520ba01fe4dd295f81ddbec6d90df6e80ea4a50fd79895a82a0b14b3e9
- SHA512
  
  2802049bf02fe966e564524b31f16392e83629c39075bf696dd3862f88447fcd158e1f468b32fd4e1bca6f0df0e15d7708398b7be45c3c03172379db6f264bb3
- SSDEEP
  
  24576:j6nVMk+HIj90cstXScO/GBeB0rY9+Q3c7NcJRazowocd5xShmhAJ3/:eVz7tspSv/lOA+Q3c7SL/Qx8Zd
Score

10^/10

remcos aquafina discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

remcosaquafinadiscoverypersistencerat

behavioral4

remcosaquafinadiscoverypersistencerat