remcos | 92af5439d1fc0172fcd8068957d132fb89256ab1d93457120e7b4f1a1910e757 | Triage

Sharing

General

Target

92af5439d1fc0172fcd8068957d132fb89256ab1d93457120e7b4f1a1910e757.zip
Size

2.9MB
Sample

240907-bw866syaml
MD5

36fa13a66ddc3817943694b919523e54
SHA1

8643089b8d11ea880fb90e8daa48edd8e54e7a4c
SHA256

92af5439d1fc0172fcd8068957d132fb89256ab1d93457120e7b4f1a1910e757
SHA512

69bcedf91e460445c8aad66a79fa8f60639cc9b7f6e1c230c69d83049de9b16511e3b613616fa3e22d6ab22ba439bcc802c66460fbe00950aa0096526645ed70
SSDEEP

49152:ZNira6ZlWR5QEezY1n+hlEJHogdmNcajLTdn96P2up7mnEhyha/hl0:yrnK5Qx5huJIgdmcajLy6EQF

Score

10^/10

remcos stalagg discovery rat

Malware Config

Extracted

Family

remcos

Botnet

stalagg

C2

5.181.156.117:8576

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-5TL39W
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  d3dx9_43.dll
- Size
  
  1.9MB
- MD5
  
  46e435aecb557fcb16ae2ea3b22ab7fd
- SHA1
  
  5290156599fd9575c4401c80949ad5672fe64da5
- SHA256
  
  70e0b720bb461503acbd947a8355fb629d703b8d7f99ddfbb09a0c71886861da
- SHA512
  
  621010aa44868062361c6dbb670f8664c370ddcb0afbb5835765470522c03bb5ac779e86236cfffdcf343cbc582f81beacd2a7108d78c90d4dfc4c38e7d23bb3
- SSDEEP
  
  24576:EUtU6OIyl2Wy9M3bJ45fPS0zFZghQ6aOiFaKOE31GrvFXl74YZ29X1MDd6olmrBb:E566l2u45BiNYFrz31Cv3D29kd6k9
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  scr_previw.exe
- Size
  
  2.2MB
- MD5
  
  d9530ecee42acccfd3871672a511bc9e
- SHA1
  
  89b4d2406f1294bd699ef231a4def5f495f12778
- SHA256
  
  81e04f9a131534acc0e9de08718c062d3d74c80c7f168ec7e699cd4b2bd0f280
- SHA512
  
  d5f048ea995affdf9893ec4c5ac5eb188b6714f5b6712e0b5a316702033421b145b8ee6a62d303eb4576bf8f57273ff35c5d675807563a31157136f79d8a9980
- SSDEEP
  
  49152:rHOut2Bf0ajIM8XEEN6N0rE/I/vqn7krQEQusd5F:VbaMbXbE/I/SnwrQEQusd/
Score

10^/10

remcos stalagg discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

remcosstalaggdiscoveryrat

behavioral4

remcosstalaggdiscoveryrat