remcos | c7f550c5813c050c7c815b7cc7be6f777264e439af4d3f109f82ea99b57f0e50 | Triage

Sharing

General

Target

d44faf6c4af61a9749d07a957082330d_JaffaCakes118
Size

360KB
Sample

240908-n6jqgsvdkl
MD5

d44faf6c4af61a9749d07a957082330d
SHA1

f663fad47b382afb920158b3f2ee3f4cb46c86f9
SHA256

c7f550c5813c050c7c815b7cc7be6f777264e439af4d3f109f82ea99b57f0e50
SHA512

b816331268762b6bd65c2bfd5bbcca06ecceaa8ef83db3ac4098c1dcc9677f1c9f2df6bf31a558012875f808429e3f6094bc80f57532c3920f2ac552b08c6776
SSDEEP

6144:6NHEEzadVbvOq9kDNqSk6Am60jM8E5YPxdjgbmzC5Sh2+7eZknEx:66Ez0bj9k5jk6A3kMEPxdkrwh57eZknG

Score

10^/10

remcos remotehost discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

3.0.1 Pro

Botnet

RemoteHost

C2

capriteam.ddns.net:1010

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-VHHYND
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Targets

- Target
  
  HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe
- Size
  
  396KB
- MD5
  
  a955ac034ab71cc35107fd81d4d0904a
- SHA1
  
  7e00fa5b9e8718d6ae19856ecc1be4cbf487a164
- SHA256
  
  ba52101e664d1ab4110977264bb16ff13c5bf4bdb004ddcacba915006d275b81
- SHA512
  
  48804a5469f810aa8f936e5ee5e466263a8da35d42c058fb7a77928b22135ea2e3b3bf41ad075a8449d3c13c4dcaa84aa6ce5e463c33ccc40e40c21cd90e847d
- SSDEEP
  
  12288:F3P+z2F99SVFC6UJiMCXxdS3uh57eNgZP:F342FUVMCXjlhVeNg5
Score

10^/10

remcos remotehost discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostdiscoverypersistencerat

behavioral2

remcosremotehostdiscoverypersistencerat