remcos | dbd90ffa51b2ec9e716642d651d5740f2a9e376db28b217dbc31ab89b5362409 | Triage

Resubmissions

05-09-2024 06:49

240905-hlqemsvdkm 10

05-09-2024 06:43

240905-hg74wswbrh 10

Sharing

General

Target

049ccb277f6c9e2816347b2d51df7ba0N.exe
Size

4.3MB
Sample

240905-hg74wswbrh
MD5

049ccb277f6c9e2816347b2d51df7ba0
SHA1

b78da518b845bacca6ecd4595f751a8e6c41c4d6
SHA256

dbd90ffa51b2ec9e716642d651d5740f2a9e376db28b217dbc31ab89b5362409
SHA512

4250cf0ca6815f97265eb7924095c84a8fe41e463bcf172802e72ba5c045f999f23411a994a21d73cab270fe22287e44b33d5314f5b120ab5fad79c53e8a4559
SSDEEP

98304:gC11IMjItWMFAetMtXjxhmZrC11IMjItWMFAetMtXjxhmZY4T:ghSMFjO7mZrhSMFjO7mZY

Score

10^/10

remcos mistery-pc discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

MISTERY-PC

C2

nzobaku.ddns.net:8081

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-59N2NZ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  049ccb277f6c9e2816347b2d51df7ba0N.exe
- Size
  
  4.3MB
- MD5
  
  049ccb277f6c9e2816347b2d51df7ba0
- SHA1
  
  b78da518b845bacca6ecd4595f751a8e6c41c4d6
- SHA256
  
  dbd90ffa51b2ec9e716642d651d5740f2a9e376db28b217dbc31ab89b5362409
- SHA512
  
  4250cf0ca6815f97265eb7924095c84a8fe41e463bcf172802e72ba5c045f999f23411a994a21d73cab270fe22287e44b33d5314f5b120ab5fad79c53e8a4559
- SSDEEP
  
  98304:gC11IMjItWMFAetMtXjxhmZrC11IMjItWMFAetMtXjxhmZY4T:ghSMFjO7mZrhSMFjO7mZY
Score

10^/10

remcos mistery-pc discovery execution persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosmistery-pcdiscoveryexecutionpersistencerat

behavioral2

remcosdiscoveryexecutionpersistencerat