remcos | 573d878dfb560fdb1e4593104f49040584f5418a15165a6b7c31584193ff549a | Triage

Sharing

General

Target

573d878dfb560fdb1e4593104f49040584f5418a15165a6b7c31584193ff549a
Size

936KB
Sample

240905-q9d1hsscmm
MD5

0ac774c75fff2a6680bd7e90cd347a00
SHA1

bdf42b7318c9471073b66e2e7116fe9766037663
SHA256

573d878dfb560fdb1e4593104f49040584f5418a15165a6b7c31584193ff549a
SHA512

9a5b34a288cbe1bcb18acbeb690fca39b47b32d9a74ba89f43fcfe76aec51b77b654e7d7cd4730023e8e51c77eca488cefa748559a15da6b4f1c8fdee0dc0026
SSDEEP

24576:y1IzymEZlXmXfOVmK6G80ZdJAQaye0pMoekw9GMyUUrb:LzTEZlYRUZd8y9ppekw9GpUYb

Score

10^/10

remcos udu discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

udu

C2

UDUM.WORK.GD:2431

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
vlc
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
sos
mouse_option
false
mutex
udm-2WYU92
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  HSBC Payment Advice_pdf.exe
- Size
  
  993KB
- MD5
  
  d0da590b7edbc0da19fb22989e74094a
- SHA1
  
  96ebe02b6e7499acdf741aa1a770511345532cf3
- SHA256
  
  fd9c0fb6f463cee4975445c4ff19301daeed95a081f0428c5ef7aad815dd7277
- SHA512
  
  6f7547230d5e005b6a9f04db0cb0c64c501dacf6f4836b1061f6dc2135ab8a06f06a1c5d7f90bd87491b534e4bfc20068d498b55bf896d63058ec8035df03a9b
- SSDEEP
  
  24576:SUobyDHF8HpzkLmV4ZDeLnmx/E/oLZT2nGr4oI6:DZKJILmVmeKx8gZlI
Score

10^/10

remcos udu discovery execution rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosududiscoveryexecutionrat

behavioral2

remcosududiscoveryexecutionrat