remcos

Sharing

Copy URL

Twitter E-mail

General

Target

15793586c3009951f5629e509728de4bb42a5bab16ff5ee69c50f60264f90d01
Size

1.2MB
Sample

240909-kvz2jszfnm
MD5

79266b0fdc530b2c8699d1cb57542992
SHA1

e51855d5f400fed20006819ce01652f730c1165a
SHA256

15793586c3009951f5629e509728de4bb42a5bab16ff5ee69c50f60264f90d01
SHA512

d1690525ce4b6c5481c6dadc54adfc15fd8d14f14ed614a2d4dcefcf4d97a11f86e04c6a4da9235e56c9a87376f9d7235552664b0beb221bafe7c69db4bb9007
SSDEEP

24576:HcLwSH2RLuYiqg2xVVLBHef1kd+kw6QcjlCcIRaL2dK:sh+ut0fVLku9w6ZscKK

Score

10^/10

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

vshield.publicvm.com:5151

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
chrome.exe
copy_folder
Google Chrome
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Google Chrome
keylog_path
%AppData%
mouse_option
true
mutex
remcos_ykhychcufk
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
chrome
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
paypal;amazon;nulled.to;cracked.to;ebay;blockchain;coinbase

Targets

- Target
  
  Godaddy Checker Cracked/Godaddy Checker.exe
- Size
  
  237KB
- MD5
  
  e98be45445b8d748c2b1b21b6ac03199
- SHA1
  
  45607a6a5a9da9558b8062dc922091227e4bdc22
- SHA256
  
  faa7b3f064a999888aa49bc2d47aa73b64206fc94e24b6695a7ef17e13c9bfaa
- SHA512
  
  55ca1c3e67fcdbe54522ace0aa349bd4011df13bc493575695722fcab83ad67eb7b024812b10d3ec11877ddcb19b5d544c08ce9f018b1201194243e0128f744f
- SSDEEP
  
  3072:q4lbikV6jW+tKFh36Lv+GSBADfBZRBadxlv:q6bjMrETGmALon
Score

10^/10

remcos host discovery evasion execution persistence rat
- Modifies WinLogon for persistence
  persistence
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Adds policy Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Modifies WinLogon
  persistence
behavioral1 behavioral2
- Target
  
  Godaddy Checker Cracked/Godaddy.com Checker Cracked.exe
- Size
  
  29KB
- MD5
  
  f454d815ea95f9e1cbfc6d32a60cd8bd
- SHA1
  
  3bf427f841eb8fee3794bb990b65080aee25b925
- SHA256
  
  1d4a470ca7b680cda60d67e89e2c04c8832a231b661656cc140972bae9b3048e
- SHA512
  
  8c1b8bece0271de87748cf5c717ffefc72e1fd468782c2de88263fa36530af6f293072c184b8a5b33bba861f48a70a16b45acb4fd34e79500732d0d78501345f
- SSDEEP
  
  768:l71OZdFxT+oWDxk7vv4Icmdddeq35el1OjxeqSK:l71cbxT+/xkrrhReq352EeqSK
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  Godaddy Checker Cracked/MetroFramework.Design.dll
- Size
  
  16KB
- MD5
  
  c853e9e8c720249198ff376f42328ef9
- SHA1
  
  a56ee195148023571e26ffeaa5a736bc73a76c40
- SHA256
  
  28089707733c92c7fade97e7b6fab4007e7b8bfd6dc7a8526a3ea597f1a30845
- SHA512
  
  d21cf5cfe0a5e2f7d4c128e64e0decee28028297c804319fb957b1f0e60d62e3103976b95abc3d2bd5ba66801cb5fe9bef4bae067273079177be28c73132c739
- SSDEEP
  
  384:k1q4fJwcRJTxK0JLBamLGqPkO9V1VFf5L7W1OYKjbq9w:6q4hwcRBJLBamSqPkO9V1ViGq9
Score

1^/10
behavioral5 behavioral6
- Target
  
  Godaddy Checker Cracked/MetroFramework.Fonts.dll
- Size
  
  656KB
- MD5
  
  b8c8a532438c4b421081efb258355469
- SHA1
  
  41aa88d5eaf398da55f712f30226b70492125be1
- SHA256
  
  15a605129cac3663ba1ddb98f5798334fba5e7954ee36a69727299b4e366c2eb
- SHA512
  
  511070c8cfe018e60e11d495393152e10aa2aa0c08cde84678ef3a0efd63ae5c562a47bfab883f4babd469b1873127bacc9c986cb2bc096985176f1dbf93b1fc
- SSDEEP
  
  12288:5+/9JcJlYqCNktA+SXfGpq2fHowSqCNktA+SXfvJR9FrIJJaqCNktA+SXfUC:5+/3qlrCNoh+UqgIwhCNoh+JR9FrIJJw
Score

1^/10
behavioral7 behavioral8
- Target
  
  Godaddy Checker Cracked/MetroFramework.dll
- Size
  
  313KB
- MD5
  
  b20f1b5e3d4e3df2d826e9870637cd06
- SHA1
  
  a03bb47afdf9498be409ed5b56e945f6e143fb32
- SHA256
  
  9e58f13deb328455f216f165588b5f5111ecd12042d7dd196686dfb0f0fc68eb
- SHA512
  
  095c5956ebc114c4b380d2b43981bcabd221782530328a51cb2c6aec05a016dad2e5efae36810f6840611f77f589be1e1e7f2200738df3bca222381837033b2d
- SSDEEP
  
  6144:Ys+J/PxfbpAQ1bZHE7Zhm6uOw0g749O2:qJ/PxzpAObhV6uO99O
Score

1^/10
behavioral10 behavioral9
- Target
  
  Godaddy Checker Cracked/data/Godaddy.com Checker Cracked.exe
- Size
  
  29KB
- MD5
  
  f454d815ea95f9e1cbfc6d32a60cd8bd
- SHA1
  
  3bf427f841eb8fee3794bb990b65080aee25b925
- SHA256
  
  1d4a470ca7b680cda60d67e89e2c04c8832a231b661656cc140972bae9b3048e
- SHA512
  
  8c1b8bece0271de87748cf5c717ffefc72e1fd468782c2de88263fa36530af6f293072c184b8a5b33bba861f48a70a16b45acb4fd34e79500732d0d78501345f
- SSDEEP
  
  768:l71OZdFxT+oWDxk7vv4Icmdddeq35el1OjxeqSK:l71cbxT+/xkrrhReq352EeqSK
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  Godaddy Checker Cracked/data/Ionic.Zip.dll
- Size
  
  480KB
- MD5
  
  f6933bf7cee0fd6c80cdf207ff15a523
- SHA1
  
  039eeb1169e1defe387c7d4ca4021bce9d11786d
- SHA256
  
  17bb0c9be45289a2be56a5f5a68ec9891d7792b886e0054bc86d57fe84d01c89
- SHA512
  
  88675512daa41e17ce4daf6ca764ccb17cd9633a7c2b7545875089cae60f6918909a947f3b1692d16ec5fa209e18e84bc0ff3594f72c3e677a6cca9f3a70b8d6
- SSDEEP
  
  6144:OhagC/Mq25o9sXGtSV41OJDsTDDVUMle6ZjxLV/kHu4Bht79I9:iagxWS4msNUCe65fkHdBf9
Score

1^/10
behavioral13 behavioral14
- Target
  
  Godaddy Checker Cracked/data/Launcher.exe
- Size
  
  53KB
- MD5
  
  c6d4c881112022eb30725978ecd7c6ec
- SHA1
  
  ba4f96dc374195d873b3eebdb28b633d9a1c5bf5
- SHA256
  
  0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32
- SHA512
  
  3bece10b65dfda69b6defbf50d067a59d1cd1db403547fdf28a4cbc87c4985a4636acfcff8300bd77fb91f2693084634d940a91517c33b5425258835ab990981
- SSDEEP
  
  768:FKtnBTTQi/YqMFlVt52ftDhKeoNzZq8OujxUu5XEAb4b9yvMzUV5:qBTUgYFveDRuFEAb4b99QV5
Score

8^/10

discovery execution persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral15 behavioral16
- Target
  
  Godaddy Checker Cracked/data/MetroFramework.Design.dll
- Size
  
  16KB
- MD5
  
  c853e9e8c720249198ff376f42328ef9
- SHA1
  
  a56ee195148023571e26ffeaa5a736bc73a76c40
- SHA256
  
  28089707733c92c7fade97e7b6fab4007e7b8bfd6dc7a8526a3ea597f1a30845
- SHA512
  
  d21cf5cfe0a5e2f7d4c128e64e0decee28028297c804319fb957b1f0e60d62e3103976b95abc3d2bd5ba66801cb5fe9bef4bae067273079177be28c73132c739
- SSDEEP
  
  384:k1q4fJwcRJTxK0JLBamLGqPkO9V1VFf5L7W1OYKjbq9w:6q4hwcRBJLBamSqPkO9V1ViGq9
Score

1^/10
behavioral17 behavioral18
- Target
  
  Godaddy Checker Cracked/data/MetroFramework.Fonts.dll
- Size
  
  656KB
- MD5
  
  b8c8a532438c4b421081efb258355469
- SHA1
  
  41aa88d5eaf398da55f712f30226b70492125be1
- SHA256
  
  15a605129cac3663ba1ddb98f5798334fba5e7954ee36a69727299b4e366c2eb
- SHA512
  
  511070c8cfe018e60e11d495393152e10aa2aa0c08cde84678ef3a0efd63ae5c562a47bfab883f4babd469b1873127bacc9c986cb2bc096985176f1dbf93b1fc
- SSDEEP
  
  12288:5+/9JcJlYqCNktA+SXfGpq2fHowSqCNktA+SXfvJR9FrIJJaqCNktA+SXfUC:5+/3qlrCNoh+UqgIwhCNoh+JR9FrIJJw
Score

1^/10
behavioral19 behavioral20
- Target
  
  Godaddy Checker Cracked/data/MetroFramework.dll
- Size
  
  313KB
- MD5
  
  b20f1b5e3d4e3df2d826e9870637cd06
- SHA1
  
  a03bb47afdf9498be409ed5b56e945f6e143fb32
- SHA256
  
  9e58f13deb328455f216f165588b5f5111ecd12042d7dd196686dfb0f0fc68eb
- SHA512
  
  095c5956ebc114c4b380d2b43981bcabd221782530328a51cb2c6aec05a016dad2e5efae36810f6840611f77f589be1e1e7f2200738df3bca222381837033b2d
- SSDEEP
  
  6144:Ys+J/PxfbpAQ1bZHE7Zhm6uOw0g749O2:qJ/PxzpAObhV6uO99O
Score

1^/10
behavioral21 behavioral22
- Target
  
  Godaddy Checker Cracked/data/log.exe
- Size
  
  92KB
- MD5
  
  4daae6c7d8deeb9c398da69c722d5dfa
- SHA1
  
  fe3c3cdbc61ec00584f7d6ebdf0cae27e013c6b0
- SHA256
  
  690e5292cdbff69ed08e971ebb61261a4f0a9e2483aacb93b675f5ac3826ac06
- SHA512
  
  00ef31e6161741e427bda90457e9c6e192886637087278eac6b59872e3327a919b3a197ab40f9d367ca1651d10130ec9a267c772abf4d1e0b9c3e111b818148a
- SSDEEP
  
  1536:ohhW0YTGZWdVseJxaM9kraLdV2QkQ1TbPX8IHOCkIsI4ESHNTh9E+JP19qkP6ArO:uhzYTGWVvJ8f2v1TbPzuMsIFSHNThy+a
Score

10^/10

remcos host discovery evasion persistence rat
- Modifies WinLogon for persistence
  persistence
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Modifies WinLogon
  persistence
behavioral23 behavioral24
- Target
  
  Godaddy Checker Cracked/data/xNet.dll
- Size
  
  110KB
- MD5
  
  ac1dceddbc66a1ab7915ac9931f0cfec
- SHA1
  
  22ce2ec96192a520a2a76a0fa272656c77f1041a
- SHA256
  
  cc949931ef9533adced83f3d58862e9732e5db7ad17b5fd4cb9d209a99edb592
- SHA512
  
  3906b3b7f8874bfd79f94e945d857dbc83ec89ed73ac13d49790c7fc4eed5c7e98c99c32ffc4a05795da9981c3163978c7f84a54298e94420e365c395392b3f9
- SSDEEP
  
  3072:PqCUxh+3H0MznY3wihz0YmcTqnV+xnEdU:PqCUxhfMUTqnV+xnEd
Score

1^/10
behavioral25 behavioral26
- Target
  
  Godaddy Checker Cracked/xNet.dll
- Size
  
  110KB
- MD5
  
  ac1dceddbc66a1ab7915ac9931f0cfec
- SHA1
  
  22ce2ec96192a520a2a76a0fa272656c77f1041a
- SHA256
  
  cc949931ef9533adced83f3d58862e9732e5db7ad17b5fd4cb9d209a99edb592
- SHA512
  
  3906b3b7f8874bfd79f94e945d857dbc83ec89ed73ac13d49790c7fc4eed5c7e98c99c32ffc4a05795da9981c3163978c7f84a54298e94420e365c395392b3f9
- SSDEEP
  
  3072:PqCUxh+3H0MznY3wihz0YmcTqnV+xnEdU:PqCUxhfMUTqnV+xnEd
Score

1^/10
behavioral27 behavioral28

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Modifies WinLogon for persistence

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Adds policy Run key to start application

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Modifies WinLogon

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Modifies WinLogon for persistence

Remcos

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Adds policy Run key to start application

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Modifies WinLogon

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28