remcos | 2ea638f1d8fa4feb6d800c3d4747fe663e5748a1d7d90bd14682d5d2625c56ca | Triage

Sharing

General

Target

20fe62c4757929b72a94d02b52e6e660N
Size

2.2MB
Sample

240914-1n8m4sydlh
MD5

20fe62c4757929b72a94d02b52e6e660
SHA1

2fd7cc66cb46ad7044ec54a723445818e2c05c79
SHA256

2ea638f1d8fa4feb6d800c3d4747fe663e5748a1d7d90bd14682d5d2625c56ca
SHA512

fda4920c40ca0090195419747e65a25496559eac446f5914071f125c62e487d8b28416ac094d29f4912ff1be91e8ce705a963f4a6305cad9eddee9756fede38e
SSDEEP

49152:6VgFDPYe1IlSiuncDbRKfoAsPFKFp/be0ThvT0boMJsV5ygLGlueqePjS:6VgFDAynYbVAsPF6NpT0sMu2gCzu

Score

10^/10

remcos remotehost discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

4.9.3 Light

Botnet

RemoteHost

C2

127.0.0.1:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-52SPIJ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  20fe62c4757929b72a94d02b52e6e660N
- Size
  
  2.2MB
- MD5
  
  20fe62c4757929b72a94d02b52e6e660
- SHA1
  
  2fd7cc66cb46ad7044ec54a723445818e2c05c79
- SHA256
  
  2ea638f1d8fa4feb6d800c3d4747fe663e5748a1d7d90bd14682d5d2625c56ca
- SHA512
  
  fda4920c40ca0090195419747e65a25496559eac446f5914071f125c62e487d8b28416ac094d29f4912ff1be91e8ce705a963f4a6305cad9eddee9756fede38e
- SSDEEP
  
  49152:6VgFDPYe1IlSiuncDbRKfoAsPFKFp/be0ThvT0boMJsV5ygLGlueqePjS:6VgFDAynYbVAsPF6NpT0sMu2gCzu
Score

10^/10

remcos remotehost discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostdiscoverypersistencerat

behavioral2

remcosremotehostdiscoverypersistencerat