remcos | a3b8b22001bd2cdb7235143b52225c2063d33b63a87e44cba0dae647c49be7ce | Triage

Sharing

General

Target

a3b8b22001bd2cdb7235143b52225c2063d33b63a87e44cba0dae647c49be7ce
Size

903KB
Sample

240916-f8r6ms1dmj
MD5

51f72049f9a159ebe2d0703fa2e9e898
SHA1

8c85bdf7ceff32613cf219da176808ad8a8a8b99
SHA256

a3b8b22001bd2cdb7235143b52225c2063d33b63a87e44cba0dae647c49be7ce
SHA512

fb690d21a2a4a7167c9cf6932a20772db4431bff831e9aafbf502913cd84523f99a002a6ae88383d2cfe6b80e89242ebf8448b1ef563bfce322edb0afc42e168
SSDEEP

24576:RUN2k1xt4uIDiHiNan2k95YYzBQak2P44b3i64I+xrST9i:RU8MfI8uan2kPTz7p9b5VTk

Score

10^/10

remcos rhymer discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

Rhymer

C2

64.188.12.208:5500

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WW3VS5
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  a3b8b22001bd2cdb7235143b52225c2063d33b63a87e44cba0dae647c49be7ce
- Size
  
  903KB
- MD5
  
  51f72049f9a159ebe2d0703fa2e9e898
- SHA1
  
  8c85bdf7ceff32613cf219da176808ad8a8a8b99
- SHA256
  
  a3b8b22001bd2cdb7235143b52225c2063d33b63a87e44cba0dae647c49be7ce
- SHA512
  
  fb690d21a2a4a7167c9cf6932a20772db4431bff831e9aafbf502913cd84523f99a002a6ae88383d2cfe6b80e89242ebf8448b1ef563bfce322edb0afc42e168
- SSDEEP
  
  24576:RUN2k1xt4uIDiHiNan2k95YYzBQak2P44b3i64I+xrST9i:RU8MfI8uan2kPTz7p9b5VTk
Score

10^/10

remcos rhymer discovery execution rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosrhymerdiscoveryexecutionrat

behavioral2

remcosrhymerdiscoveryexecutionrat