remcos | 212ecd5d051954ee43b7da3c5e998dffac460d74ac9ca99607e399015d3067c4 | Triage

Sharing

General

Target

212ecd5d051954ee43b7da3c5e998dffac460d74ac9ca99607e399015d3067c4.exe
Size

1.0MB
Sample

240904-rad2xasgkg
MD5

c7dd9b2410b46369b1a20b31d3f3e887
SHA1

52eb658337922174094607d0a5d1993ff2f9b04c
SHA256

212ecd5d051954ee43b7da3c5e998dffac460d74ac9ca99607e399015d3067c4
SHA512

1b89a6a0fdb4acfc68dbd88e0285bc1160a34c2186ba54ea8abc8546113500a77ac6dab0cf876b8da9ac1bb919f0c38642652d2da3d9c690e0260b8d080b80fe
SSDEEP

24576:I8aALcnYNa9JNwPwz6gIpBRvh6JK0W8Ut1KXxo:p+YIP6Yz6gIvRYJK0st1Ux

Score

10^/10

remcos ghost001 discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

Ghost001

C2

ghost360.zapto.org:4190

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ZVGYRU
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  212ecd5d051954ee43b7da3c5e998dffac460d74ac9ca99607e399015d3067c4.exe
- Size
  
  1.0MB
- MD5
  
  c7dd9b2410b46369b1a20b31d3f3e887
- SHA1
  
  52eb658337922174094607d0a5d1993ff2f9b04c
- SHA256
  
  212ecd5d051954ee43b7da3c5e998dffac460d74ac9ca99607e399015d3067c4
- SHA512
  
  1b89a6a0fdb4acfc68dbd88e0285bc1160a34c2186ba54ea8abc8546113500a77ac6dab0cf876b8da9ac1bb919f0c38642652d2da3d9c690e0260b8d080b80fe
- SSDEEP
  
  24576:I8aALcnYNa9JNwPwz6gIpBRvh6JK0W8Ut1KXxo:p+YIP6Yz6gIvRYJK0st1Ux
Score

10^/10

remcos ghost001 discovery execution rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosghost001discoveryexecutionrat

behavioral2

remcosghost001discoveryexecutionrat