remcos | da07ea710e848805416f93369b7b6e90d0c1b66cbb80ead60c7d46d6d8efd3be | Triage

Sharing

General

Target

e5ae1be12de3d88715727fe8b6d157e7_JaffaCakes118
Size

760KB
Sample

240916-2ekelatapd
MD5

e5ae1be12de3d88715727fe8b6d157e7
SHA1

e9579d766ec5d1d17215ed4fc660f9ff84ec3f78
SHA256

da07ea710e848805416f93369b7b6e90d0c1b66cbb80ead60c7d46d6d8efd3be
SHA512

27cc3da2ff583405df1487adc9ca972739321ac6df19ad6dd262cc1d3fcbed316fbe765f7fa5c8439e2829cbe7c05b0ae711814555dd9095d7363d923fd41094
SSDEEP

12288:MQfIJ8oZLgsh87kHKpFXXGFPAax7Kyw8yDjT8873fYdrT9L6DVUR9e16emXxWPw/:MW8dZLgOSkHOGelBDft3fYdrT9umo1/g

Score

10^/10

remcos decimo discovery rat

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

DECIMO

C2

decimoremcdns.duckdns.org:1011

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-EXFS95
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Targets

- Target
  
  IMANG59293021IMAGN2944592302VISTAVPREVIA023102.exe
- Size
  
  778KB
- MD5
  
  6ec62d2feca20ea0d9c8730aa3f660e3
- SHA1
  
  5386d98ec0d08febf713058df774e9e6044c9080
- SHA256
  
  e6b58687faf8165eb9f34872e6dd9df1a97e527a1c9765b698be615e72f368e0
- SHA512
  
  6017f06cc445a45cf7f57e131e682fb2f5c56c35bbb1884e3759a44cadb559ea6ca51851808fb2012e3de1f28bdfbb52a35301706468f67ef0f85494fe474aeb
- SSDEEP
  
  24576:LwuySQX1XbJzkbtccJ7tQB/9ksYwSQvf8os+q:L5QdbJzFAtKksnSQv+7
Score

10^/10

remcos decimo discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  $APPDATA/app_browser/25.opends60.dll
- Size
  
  44B
- MD5
  
  09537416318f379396bddbc18046de39
- SHA1
  
  dc6111549ff49afa587425603cc0c545b034b988
- SHA256
  
  b407fe7ddcc7303ef167873a6498e8ebd771e9b4b432ad0a458a029574ca6afd
- SHA512
  
  20b9ab08d3e940d687404436e2d6c8b4c1a9121987382c6253d7d93fc2b556fb8780742af08d8b73e4d50ea9b23d2e62298669650df60ed38e6f23c5c0155619
Score

1^/10
behavioral3 behavioral4
- Target
  
  $APPDATA/app_browser/40.opends60.dll
- Size
  
  46B
- MD5
  
  a800e1be610c1fc4412a4557e5654f6d
- SHA1
  
  0d5760e3107c174d735e52c9c239e27164df6657
- SHA256
  
  c78b52098ab7a63f97cf55a134bceef6cb56412d5e6a6230cf0d666ba1f07cc6
- SHA512
  
  3bb1e3b36126396a19f5ba935deda62c3b2695bf3801eb7fd8d54e4bfee604aaa97fc348e94bac970e2c8d5b70cc132a05cedfd447b8558cc494a2557734c9d0
Score

1^/10
behavioral5 behavioral6
- Target
  
  $APPDATA/app_browser/MicrosoftVisualStudioWebUI.dll
- Size
  
  2KB
- MD5
  
  b1feacfce6eb230192b82d04fd82ad9a
- SHA1
  
  930208d7d7a806ed3466150fc34709fb6223896a
- SHA256
  
  dfce0c806a64327f03df9b4d55accb008f79ec255e6987d3f12f9791638a4935
- SHA512
  
  9e5802c501cc3137fb13b3c2e63d1b33f2d82a8524616972ee1d6a45bad49049363f762fe0444fcd462b4a972d4e94851b4c149b9d697ec727b731971f21309c
Score

1^/10
behavioral7 behavioral8
- Target
  
  $APPDATA/app_browser/VsWebSiteInterop.dll
- Size
  
  48KB
- MD5
  
  4fb0672d5842ddb98898784461480e8b
- SHA1
  
  6a927dd928c29ab1404b4d3c27a204880e0d12e6
- SHA256
  
  b7a43778327d9052a0c55e33694c400d3ca7fa5bd40d6b0102918c120d2d5463
- SHA512
  
  54a1bd835eaf7785348531b84d5225997f6c4d475357d328d29001c2e4ecb584a7dc0bf0c55399e8e70cbe342dffc18d632d146398bd6231e612761c18f95e4c
- SSDEEP
  
  768:MOZO5OU5ngPG1lkA2p60B57KFe27CB4bZt9lytWHPnEUHw73oCADNSxtFA:MOZO5OU5ngPG1lkA2gP02+B4bZt1vEEv
Score

1^/10
behavioral10 behavioral9
- Target
  
  $APPDATA/app_browser/aspnetregbrowsers.exe
- Size
  
  13KB
- MD5
  
  a394c927a7ad7befdf7136144232a13a
- SHA1
  
  cc95d2160686c7d95cfb5334fb83eac5fd176cb4
- SHA256
  
  59146d16e5a1b9c2e47eb1447e6ae2fa403c4182107e893a7cf33c81e8023a54
- SHA512
  
  4938539bab4e257a57c9b336fae979ce91cf1f30dbfcaae2c164bb44c85a130c7a85ffe19f6007b1c75e6a77e5abb4948e1ca8c2a9817cf8fdafe2ae0bfbf3fc
- SSDEEP
  
  192:jowEhZpVUjCZKb338cV/pqlFOxWFlhm4QSXoOx0x6EpWeNHJW/:jowEhdUjtNwEgFrSSXHirpWKHJW
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  $APPDATA/app_browser/mscortim.dll
- Size
  
  10KB
- MD5
  
  59d2c93ae3c2c269fc26b3ecf9a0f3af
- SHA1
  
  baab6861d2e432509f216878d79a5e58c3d46927
- SHA256
  
  6e981ae3c91194fe4d524c8e3f75d34b9b8c980d2edbad2a6d05143e3b62646c
- SHA512
  
  2faea31c0c68e94d1976b0e20342f16fa824303a890ce6a15375ea6c5cf26516107980ab8ede521c5bfad03f46422a714daf641aa171f754fe086af4487b3bd8
- SSDEEP
  
  192:VmT/J28Hm+Ook7Vm1Nf30FeXXv5/q/5I3XW6Mbrk1UqWBNsoW/q:VmT3m+OokRm1aS5y/WG6MGtWrsoWC
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  $APPDATA/postinfo/34.opends60.dll
- Size
  
  45B
- MD5
  
  661924ba77b48f57d874a09d9dc5de6c
- SHA1
  
  06ad89e6c1827cc4b0017efb54cfd4b614e4d276
- SHA256
  
  6f752eef54d5eb2a9dc50ee5d59d5d0493511a0f2ec6370d1b8bb53b0f604712
- SHA512
  
  9f08a50255627b335d8983d782885b0f4ba832e24c8b2ffe9bf32052b2384467282e6be4a88bb920dab95c35a944186fb0fc81384dc8e78af6dfea804bdcfd87
Score

1^/10
behavioral15 behavioral16
- Target
  
  $APPDATA/postinfo/rcxditui.dll
- Size
  
  5KB
- MD5
  
  cc869c04e8771d08397dc86374fe5a5e
- SHA1
  
  d7cd17b9607538dcdd6fc267ee504b37740992ff
- SHA256
  
  420007c3e0a76ac880679f323653d3b9321832f578ca4dc1c2a1e5775a0f77dd
- SHA512
  
  684114317ab54248d20727058f58e592cffee865e876b8155c4426ee71cf15bfacaee07e2c9ef49c8d3f99cf6f0e20ae8800d2df88f0550e5304ab39ba468ef4
- SSDEEP
  
  48:KqiJ6OqhgmLwQpXMbqwcI65y7+OiaC+IZWo6zqhpm3F5WPWghnpgX:jOqhiZF6zSEWEOjWPVn0
Score

1^/10
behavioral17 behavioral18
- Target
  
  $PLUGINSDIR/advsplash.dll
- Size
  
  6KB
- MD5
  
  aefa9685c635b9568f0490815dac8af6
- SHA1
  
  7862e61d8fe5c8a1bf32a8e8f433d5b7bd7928cf
- SHA256
  
  528cab75eb926894bf7662819802888cde1e883c9b5d1b3af11ff6ab277381a5
- SHA512
  
  928d8374b895b6d396afce0492def1510bab0551232a00d5dbd932d5f7cc25b8f66aa2fe83a446006c2a797879196ee6a9fc6fd27e14f84c10f4e9a83e5c915a
- SSDEEP
  
  96:YIUNaXnnXyEIPtXvZhr5RwiULuxDtJD+wolpE:YIx3XyEwXvZh1RwnLUDtt+I
Score

3^/10

discovery
behavioral19 behavioral20
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  7KB
- MD5
  
  f27689c513e7d12c7c974d5f8ef710d6
- SHA1
  
  e305f2a2898d765a64c82c449dfb528665b4a892
- SHA256
  
  1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47
- SHA512
  
  734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc
- SSDEEP
  
  96:JpmkmwmHDPVhklfSoRPB+YSvWvZckH69MSz00vQFHhAVvSGYuHnUNy2DCP:J+PVhYfSokvW2CsQFBAVaGdHnUNR
Score

3^/10

discovery
behavioral21 behavioral22
- Target
  
  $TEMP/TowbarHamartia.dll
- Size
  
  54KB
- MD5
  
  d65c8ac05fd814a0327588b6b485c43e
- SHA1
  
  5555dc0c343f857c4732683b4018a271b17a6ca0
- SHA256
  
  030bcfc5c4629fff97b77925e1650c9bb9b267c1018f2fc754f90afc143522e1
- SHA512
  
  a40aa752ba28afb4e4b40ebb551612a819876dde50414c9ff1c0bf6b46618ab9d7b459eca0262fc0b9a13a649123c37fede7b20db4b8f3344c81551041d86fa0
- SSDEEP
  
  768:8wOOFDjuI5DU6JztEwaOKH2MBhQztYNUeLu0k1/ni6JULUOlZqSfZT:8wtFuIPJqwa2MBeeK5/ZJULUOPV
Score

3^/10

discovery
behavioral23 behavioral24
- Target
  
  $TEMP/paperings.exe
- Size
  
  39KB
- MD5
  
  f4392de13dfac4aa804152adbd93e793
- SHA1
  
  ee90e001945afde21dcd12d542f0eabb9f94f4a6
- SHA256
  
  31ae1165f008db6195108f984d3fe495f10c6ac4a5f74bd365102f84b57d9aba
- SHA512
  
  40bf82d364c757576c3d7897d6d7413b64089056a8279433b5d5a35ada7a01607754c29678afd9bada5934d49c26f800132d400c864b38234fba4017bcf01de4
- SSDEEP
  
  768:5d3r7gefzh645WMbXUcKHBx5BOST/FHPePzaUt8P61t1nVG+:5BrLQeOM2Pgjte+
Score

10^/10

remcos decimo discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
behavioral25 behavioral26

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosdecimodiscoveryrat

behavioral2

remcosdecimodiscoveryrat

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

remcosdecimodiscoveryrat

behavioral26

remcosdecimodiscoveryrat