remcos | 90176b56ed8521a1257ed014c5d406b2b9fad6409750f8110265e338530d37a2 | Triage

Sharing

General

Target

90176b56ed8521a1257ed014c5d406b2b9fad6409750f8110265e338530d37a2.exe
Size

387KB
Sample

240910-m4jf9s1akm
MD5

42dcb6c7008cac068514bff4a01821a6
SHA1

68bfde44e74a38bcdeb509eff45ef784f63d9535
SHA256

90176b56ed8521a1257ed014c5d406b2b9fad6409750f8110265e338530d37a2
SHA512

ebcd748728b360038b44324205db11e662a92bf2ae36cd06bf24e8bae975b719db8f0590c1f82cca69efb61d48bd445d68ca809f9198b5fb67ef155d07748f39
SSDEEP

6144:oPpKCCll7ACLsjEPIsxt/w3vz09SUTHfJKmkrsbqiHZDuyF:c87AUgeI4w3LkntKxrqNF

Score

10^/10

remcos remotehost discovery rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

kezdns.pro:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-FRQ47T
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  90176b56ed8521a1257ed014c5d406b2b9fad6409750f8110265e338530d37a2.exe
- Size
  
  387KB
- MD5
  
  42dcb6c7008cac068514bff4a01821a6
- SHA1
  
  68bfde44e74a38bcdeb509eff45ef784f63d9535
- SHA256
  
  90176b56ed8521a1257ed014c5d406b2b9fad6409750f8110265e338530d37a2
- SHA512
  
  ebcd748728b360038b44324205db11e662a92bf2ae36cd06bf24e8bae975b719db8f0590c1f82cca69efb61d48bd445d68ca809f9198b5fb67ef155d07748f39
- SSDEEP
  
  6144:oPpKCCll7ACLsjEPIsxt/w3vz09SUTHfJKmkrsbqiHZDuyF:c87AUgeI4w3LkntKxrqNF
Score

10^/10

remcos remotehost discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  6ad39193ed20078aa1b23c33a1e48859
- SHA1
  
  95e70e4f47aa1689cc08afbdaef3ec323b5342fa
- SHA256
  
  b9631423a50c666faf2cc6901c5a8d6eb2fecd306fdd2524256b7e2e37b251c2
- SHA512
  
  78c89bb8c86f3b68e5314467eca4e8e922d143335081fa66b01d756303e1aec68ed01f4be7098dbe06a789ca32a0f31102f5ba408bc5ab28e61251611bb4f62b
- SSDEEP
  
  96:qIsUxO9udx4qYp7AJb76BykUbQMtHUOA5Iv+RnsrqeXV+d1g2IW9t2c+cEwF9Fug:ZVL7ikJb76BQUoUm+RnyXVYO2RvHFug
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  6KB
- MD5
  
  052a077ee8b519aadbcf29e6b5e710a4
- SHA1
  
  b3ab29d0ebdbdca63e4dffd2fd2e6b9188ffae4b
- SHA256
  
  9a1a5c6f598247bfa52624cd793b9ef4fb85863cc9dfd69eb7ef671cacc906c9
- SHA512
  
  cb11cba331b85122dcc2d57171ce20382af0a9fdf0a85a30155404d975901a313c9285eb9445e51979c6ec8416ccdf97fdeaf1bd2203c9395ad046a385a90009
- SSDEEP
  
  96:Q7GUaYNwCLuGFctpiKFlYJ8hH4RVHpwdEeY3kRlDr6dMqqyVgNF38:aygp3FcHi0xhYMR8dMqJVgN
Score

3^/10

discovery
behavioral5 behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostdiscoveryrat

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6