remcos | 979a4028365ad066650c78f85cfba5826595c25a65b4fe94d7022c5b3329b2f4 | Triage

Sharing

General

Target

979a4028365ad066650c78f85cfba5826595c25a65b4fe94d7022c5b3329b2f4N
Size

311KB
Sample

240917-dnjyes1gle
MD5

d538263914eafa5c4a7bc69bb6d6ecb0
SHA1

b44c3e6464fe41e2c33a74186457ffb314fe48e1
SHA256

979a4028365ad066650c78f85cfba5826595c25a65b4fe94d7022c5b3329b2f4
SHA512

8cb3a952e002cf4150f882e9901470ad86eb9a8bd0540fa50d6a6b77634a15018c042dd04bc9ba8ab2ee240c0a197bd7d4c0727eae096c81903e387ea596b8d3
SSDEEP

6144:CbJhs7QW69hd1MMdxPe9N9uA0hu9TB6xdb9t/iZSe:CbjDhu9Tk/f/iZ

Score

10^/10

remcos new24 discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

NEW24

C2

authlog.kozow.com:8081

195.211.98.63:8090

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
win.exe
copy_folder
excel
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Win32
keylog_path
%AppData%
mouse_option
false
mutex
winnngeegrhsggbdvdv-QGDR73
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  979a4028365ad066650c78f85cfba5826595c25a65b4fe94d7022c5b3329b2f4N
- Size
  
  311KB
- MD5
  
  d538263914eafa5c4a7bc69bb6d6ecb0
- SHA1
  
  b44c3e6464fe41e2c33a74186457ffb314fe48e1
- SHA256
  
  979a4028365ad066650c78f85cfba5826595c25a65b4fe94d7022c5b3329b2f4
- SHA512
  
  8cb3a952e002cf4150f882e9901470ad86eb9a8bd0540fa50d6a6b77634a15018c042dd04bc9ba8ab2ee240c0a197bd7d4c0727eae096c81903e387ea596b8d3
- SSDEEP
  
  6144:CbJhs7QW69hd1MMdxPe9N9uA0hu9TB6xdb9t/iZSe:CbjDhu9Tk/f/iZ
Score

10^/10

execution remcos new24 discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Enumerates processes with tasklist
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

remcosnew24discoveryexecutionpersistencerat