remcos | 58b6cc9bef7c86291ce7c27353e925b340504b0c112c312a7c7c7ff885bc1c1a | Triage

Sharing

General

Target

58b6cc9bef7c86291ce7c27353e925b340504b0c112c312a7c7c7ff885bc1c1a
Size

892KB
Sample

240913-lcsp7awcmm
MD5

074d8339051c32548fed2402298152ae
SHA1

4af2b9f3e47a71a0d481682ffa36074f56a41dad
SHA256

58b6cc9bef7c86291ce7c27353e925b340504b0c112c312a7c7c7ff885bc1c1a
SHA512

7215f017a8e3c5c4b70c1a881e3bcb527d9c915bda098805caf9c30acd070933ca388862a4e530f04ebcc030f303d06a011c30e2bf3ffd45ac7c12fda2969350
SSDEEP

12288:l8Ot/lTP9yvU0h3rRayn2vZK+SOW2hI3Z3zOFZkDzl/IUN95XO1RKtigtVpVDwtb:l8sJP9yF3rwG2vMO3IjyZKdPigrD8

Score

10^/10

remcos mekus discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

mekus

C2

dpm-sael.com:2017

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
meckus-ODY51K
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  7c88bd71a3530b4731d6e6233d0927d8f7b01c4e97cf796fa2d53b554f1d6ed9.exe
- Size
  
  924KB
- MD5
  
  8fd5f061761645838e92744a0722f87d
- SHA1
  
  565a31f86b886a26cc8c10ce3780a256e4157f55
- SHA256
  
  7c88bd71a3530b4731d6e6233d0927d8f7b01c4e97cf796fa2d53b554f1d6ed9
- SHA512
  
  8d67b4408e987f2cf6fcd938058b2179bb36a703990c52b7a1cfc6058a4b568d7785a321782a0c2107091a1622e3f57e04a6109f851471e7f7064bda7b007122
- SSDEEP
  
  24576:K9o/NseOLSe+/1k38m8IyfhFTG7KQTCaAhkqG72:K2JarEZytpMGq
Score

10^/10

remcos mekus discovery execution rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosmekusdiscoveryexecutionrat

behavioral2

remcosmekusdiscoveryexecutionrat