remcos | 5cac3d994fcc5eefdaef9ffd6b9fae41dd49f1a699e88746e17fb51a49f73bd2 | Triage

Sharing

General

Target

d00447a4ef5a375f9b98fb966025b3f2_JaffaCakes118
Size

236KB
Sample

240906-vg4spayapd
MD5

d00447a4ef5a375f9b98fb966025b3f2
SHA1

4255d9b7a135c14362eb7a52b40abf02a2f1997b
SHA256

5cac3d994fcc5eefdaef9ffd6b9fae41dd49f1a699e88746e17fb51a49f73bd2
SHA512

9044f4d2474df628472d09d856bed76cc3b53807a623242f6878e287bb048f4402979aa71ddbbdb46ee204969de9e97587adb761d72726babe8cbafd69e65e10
SSDEEP

3072:6ge632NoBADcJqNQJebIV7OWGbBp8rF6201M/nd8aM:6i32PDcAm7V7OWGIZ6Snd8p

Score

10^/10

remcos windowsdefender discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

WindowsDefender

C2

top.fishingjoco.waw.pl:9334

top.fishingjoco.waw.pl:8152

top.fishingjoco.waw.pl:8153

sub.jofishingco.waw.pl:8153

sub.jofishingco.waw.pl:9334

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
defender.exe
copy_folder
Windows Defender
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
defender
keylog_path
%AppData%
mouse_option
false
mutex
WindowsDefender-OFO9TZ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Windows Defender
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Targets

- Target
  
  d00447a4ef5a375f9b98fb966025b3f2_JaffaCakes118
- Size
  
  236KB
- MD5
  
  d00447a4ef5a375f9b98fb966025b3f2
- SHA1
  
  4255d9b7a135c14362eb7a52b40abf02a2f1997b
- SHA256
  
  5cac3d994fcc5eefdaef9ffd6b9fae41dd49f1a699e88746e17fb51a49f73bd2
- SHA512
  
  9044f4d2474df628472d09d856bed76cc3b53807a623242f6878e287bb048f4402979aa71ddbbdb46ee204969de9e97587adb761d72726babe8cbafd69e65e10
- SSDEEP
  
  3072:6ge632NoBADcJqNQJebIV7OWGbBp8rF6201M/nd8aM:6i32PDcAm7V7OWGIZ6Snd8p
Score

10^/10

remcos windowsdefender discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcoswindowsdefenderdiscoverypersistencerat

behavioral2

remcoswindowsdefenderdiscoverypersistencerat