remcos | 082a3c57ffec44191f71f8b170137a7d1c398b76fc93c5cdcb6714958d50f792 | Triage

Sharing

General

Target

e624205c64a0d6780be9b6c2c0952499_JaffaCakes118
Size

108KB
Sample

240917-f53szawhjg
MD5

e624205c64a0d6780be9b6c2c0952499
SHA1

d68f80434f0425b67a6f4bb8663b215cad2ace40
SHA256

082a3c57ffec44191f71f8b170137a7d1c398b76fc93c5cdcb6714958d50f792
SHA512

3eaa85190f0d86dbc22595f1873763caf4f3b293356f2d0c3229534b91c27f9e7e21404109b5fd7dee9a4b4ab3d3a21759d9951e13a3e5f3c0746a77f9c49e33
SSDEEP

3072:eFNUcekHxRkuHxSWMDUajQJf/p/itxBCBpEzImXnr+vHI+zIcdBrx:eHUcLxRkuRSWMDUaGf/p/sxWpEzImXq5

Score

10^/10

remcos host discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

2.0.5 Pro

Botnet

Host

C2

agbero.duckdns.org:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
process.exe
copy_folder
Windows Explorer
delete_file
true
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
process
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-6WHA5Q
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
Process explorer
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  e624205c64a0d6780be9b6c2c0952499_JaffaCakes118
- Size
  
  108KB
- MD5
  
  e624205c64a0d6780be9b6c2c0952499
- SHA1
  
  d68f80434f0425b67a6f4bb8663b215cad2ace40
- SHA256
  
  082a3c57ffec44191f71f8b170137a7d1c398b76fc93c5cdcb6714958d50f792
- SHA512
  
  3eaa85190f0d86dbc22595f1873763caf4f3b293356f2d0c3229534b91c27f9e7e21404109b5fd7dee9a4b4ab3d3a21759d9951e13a3e5f3c0746a77f9c49e33
- SSDEEP
  
  3072:eFNUcekHxRkuHxSWMDUajQJf/p/itxBCBpEzImXnr+vHI+zIcdBrx:eHUcLxRkuRSWMDUaGf/p/sxWpEzImXq5
Score

10^/10

remcos host discovery persistence rat
- Modifies WinLogon for persistence
  persistence
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Modifies WinLogon
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcoshostdiscoverypersistencerat

behavioral2

remcoshostdiscoverypersistencerat