remcos | dc465334ab894d0f9247004d29eea52a933cb565c3bb5b538c10e9923f0f5489 | Triage

Submit
Reports

Overview

overview

Static

static

1

lnk.lnk

windows10-2004-x64

Sharing

General

Target

lnk.lnk
Size

26KB
Sample

240910-x4ztcs1apr
MD5

6dddbea89b9df67a2a3e66e5937f78ff
SHA1

ba62ad24df8a06626919cbf8ada946bd49d2d92e
SHA256

dc465334ab894d0f9247004d29eea52a933cb565c3bb5b538c10e9923f0f5489
SHA512

46345a8e638d22ccc019f3005efc0742ecfb24bbac47f47bbfccb02868b7aa5ef3a8f8483cc0646ab50914fa596c2263bfa5305b01c63a675f0d52657ea2d904
SSDEEP

48:88muavUQSAlHqaBxkn/NQxCHXZTOxkn/vhf/dCZZGXu/dZZIa7x:88y8alHqaBGQxCpSy3uqQ

Score

10^/10

remcos rudolfhess discovery rat

Static task

static1

Behavioral task

behavioral1

Sample

lnk.lnk

Resource

win10v2004-20240802-uk

remcos rudolfhess discovery rat

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

rudolfhess

C2

154.216.17.56:20790

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-3TEAZT
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  lnk.lnk
- Size
  
  26KB
- MD5
  
  6dddbea89b9df67a2a3e66e5937f78ff
- SHA1
  
  ba62ad24df8a06626919cbf8ada946bd49d2d92e
- SHA256
  
  dc465334ab894d0f9247004d29eea52a933cb565c3bb5b538c10e9923f0f5489
- SHA512
  
  46345a8e638d22ccc019f3005efc0742ecfb24bbac47f47bbfccb02868b7aa5ef3a8f8483cc0646ab50914fa596c2263bfa5305b01c63a675f0d52657ea2d904
- SSDEEP
  
  48:88muavUQSAlHqaBxkn/NQxCHXZTOxkn/vhf/dCZZGXu/dZZIa7x:88y8alHqaBGQxCpSy3uqQ
Score

10^/10

remcos rudolfhess discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosrudolfhessdiscoveryrat

© 2018-2025

Terms | Privacy