remcos | 50b628bc603d846c04ab5dc56a5bc40b32b219c29211661f663ec7bb160a0554 | Triage

Sharing

General

Target

50b628bc603d846c04ab5dc56a5bc40b32b219c29211661f663ec7bb160a0554.zip
Size

788KB
Sample

240907-bm39kaxfla
MD5

2fa0a5d8f4d1baa65f45d6fe0a9fe8ef
SHA1

0d3311d2ecaa093f3c563e77782817f620380d41
SHA256

50b628bc603d846c04ab5dc56a5bc40b32b219c29211661f663ec7bb160a0554
SHA512

305a36daa017fb562123463e344ec1799443e6344035f7abff6497e49e420661cb00a297ac161dfeed3082cd76aeb2b3a6020e0152e1fb5f62e29432c064c2e1
SSDEEP

384:1yv5SELCty051E0Rnvyv5CEVmayb5UQ0E4IgG5:9EIEuEvQ0EAG5

Score

10^/10

remcos stalagg discovery rat

Malware Config

Extracted

Family

remcos

Botnet

stalagg

C2

5.181.156.117:8576

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-5TL39W
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  brt_1_0147.doc.lnk
- Size
  
  47KB
- MD5
  
  7f054fb90b37b4c6fa4ede910ee7425d
- SHA1
  
  f48454623fdb37da7797b43720e372926d6eca9d
- SHA256
  
  68fe63cdae0b90cd1df1d400879135d3c18522c98cf4a9473156b477a71529ce
- SHA512
  
  8f82f94ccba2034bec30a811de4cb04789dbbdfbe5a19479e65f6d58f5ab3e93717ecffb18a73a052b00b840bcd8beaa2f8c70bbd95a4e93c58bcea96bb32efb
- SSDEEP
  
  48:88muavUQSe9EGQwdfxvUZ7CFKxCI5BevUZ7vXRddCZZGXu/dZZIa7x:88y8MzdfxSxCIGuXRuqQ
Score

10^/10

remcos stalagg discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  oshad_88.docx.lnk
- Size
  
  15KB
- MD5
  
  64a52682aa182ab4a0e2cebaeaad3f17
- SHA1
  
  372c0fdf264c4204b490e11717e51d4ffd97b694
- SHA256
  
  9549f73133514942aadfcf6f3f38f5d89e573ba7d9b18cde44f29f0a172d7c32
- SHA512
  
  21dab4c078f34e63677eed29a80f240e0d9687e91a4868f6fa812ede45aec7133242c3c5fa9a324b1ca9040407a4c584ffc820c4617efd712314821a6bc2e5b4
- SSDEEP
  
  48:88muavUQSIuvZujofxvUZ7HEVxCTI2evUZ7vUqbbudCZZGXu/dZZIa7x:88y81vZiofxHVxCTIRVqeuqQ
Score

10^/10

remcos stalagg discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  rv_luti_2024_roku.xlsx.lnk
- Size
  
  32KB
- MD5
  
  bbcc000caf3fff5b3025da99cff2aa45
- SHA1
  
  89a89db57a5b286b16d8d0a82903a4f256584bb5
- SHA256
  
  3e5adec34d0e3567b3eed2c917eaac783ff3eb19c2a1154339ebd1b2497f1e24
- SHA512
  
  1eecf2183c2909e642904dc023256b8f1437a25d59c541afa53b6eff4c9f727ef1fcdc3a7507f94e5d75ba490263c5a0fa2be95a1cfc4734a07a874d4bba56e1
- SSDEEP
  
  48:88muavUQSSE1I3fxvUZ7sEmOxCCevUZ731EdCZFXuGdZTa7x:88y8EE1YfxHERxCVybuKQ
Score

10^/10

remcos stalagg discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  telegrama_ksv_po_btgr.jpg.lnk
- Size
  
  691KB
- MD5
  
  5f468e83efbad5365270360d3a30d452
- SHA1
  
  b2297eea71a8c2530f6d03fd0dd76085fae48a18
- SHA256
  
  18ffe969595851eed2e247ff3e872a488415820e05371531a388276eeccaa250
- SHA512
  
  38c661f24fa57f1b3f508ebcedc96cc5534514e28d63a8aadac01d47a89ff8762118b31329a05b7b23920b231308ab92c76bd9cb12d8a62f95fcc9c60126001d
- SSDEEP
  
  48:8xmuavUQSpCQEV5fxvUZ7tQ0xC4xevUZ7z9O+UJa7x:8xy87CffxUQ0xC4IK0+UJQ
Score

10^/10

remcos stalagg discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral7 behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

remcosstalaggdiscoveryrat

behavioral3

behavioral4

remcosstalaggdiscoveryrat

behavioral5

behavioral6

remcosstalaggdiscoveryrat

behavioral7

behavioral8

remcosstalaggdiscoveryrat