remcos | 19b92161154b6d9fca60de3f5aec7e64b4b7e1a3281d60784e2403e756f46c26 | Triage

Sharing

General

Target

HSBC E-Statement Doc_pdf.exe
Size

961KB
Sample

240910-d5xkvavell
MD5

9dc670ac35717a6ba33cbc766bad8f16
SHA1

3c7c31d2660bb124c7435b19e728d2dc11370fc3
SHA256

19b92161154b6d9fca60de3f5aec7e64b4b7e1a3281d60784e2403e756f46c26
SHA512

c93f384c8813ad7a20397ce782fdf8e1eb6ba3d48ef1b20c9f833730239a9b2e4fc280a6480e9a757fc4d2368ad101401aeb20d7dbef07d9cb3323a9950d391a
SSDEEP

12288:iA1FLVsXKKIRpbSX344271jwiedZdTtyuZT6dmIUrWf1TkG6FkZlukJWP5ek9:iGFLKapbSnuehTtzZjA1TkGKeukE5

Score

10^/10

remcos udu discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

udu

C2

UDUM.WORK.GD:2431

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
vlc
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
sos
mouse_option
false
mutex
udm-2WYU92
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  HSBC E-Statement Doc_pdf.exe
- Size
  
  961KB
- MD5
  
  9dc670ac35717a6ba33cbc766bad8f16
- SHA1
  
  3c7c31d2660bb124c7435b19e728d2dc11370fc3
- SHA256
  
  19b92161154b6d9fca60de3f5aec7e64b4b7e1a3281d60784e2403e756f46c26
- SHA512
  
  c93f384c8813ad7a20397ce782fdf8e1eb6ba3d48ef1b20c9f833730239a9b2e4fc280a6480e9a757fc4d2368ad101401aeb20d7dbef07d9cb3323a9950d391a
- SSDEEP
  
  12288:iA1FLVsXKKIRpbSX344271jwiedZdTtyuZT6dmIUrWf1TkG6FkZlukJWP5ek9:iGFLKapbSnuehTtzZjA1TkGKeukE5
Score

10^/10

remcos udu discovery execution rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosududiscoveryexecutionrat

behavioral2

remcosududiscoveryexecutionrat