remcos

General

Target

Fluxus Official.apk
Size

13.8MB
Sample

240919-g2w2pavbrf
MD5

3ed6024213496613d1881c71abb03d00
SHA1

83bd095b53b81b11ab44a9b4b73ffb7d2750b989
SHA256

56a3bc1c037fc18536914143d057dae1064499529ec59532eca83a50a0e97894
SHA512

404f0f56aed2f7053562d75ad49a71470905a7339045cec719b5bcb16811cef157ca55cbb5172ac194997bedcd1e604fc24555451dc08f90de0dd50a2f3c907f
SSDEEP

196608:+UNVtS4ieuPtnRqtAQehgvI0JH4cyoYOiKaN1OzCGOzp7NW0:+UNVtShgQE4pBuaNhdRW0

Score

10^/10

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

nickman12-46565.portmap.io:46565

nickman12-46565.portmap.io:1735

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Userdata.exe
copy_folder
Userdata
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%WinDir%\System32
mouse_option
false
mutex
remcos_vcexssuhap
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Fluxus Official.apk
- Size
  
  13.8MB
- MD5
  
  3ed6024213496613d1881c71abb03d00
- SHA1
  
  83bd095b53b81b11ab44a9b4b73ffb7d2750b989
- SHA256
  
  56a3bc1c037fc18536914143d057dae1064499529ec59532eca83a50a0e97894
- SHA512
  
  404f0f56aed2f7053562d75ad49a71470905a7339045cec719b5bcb16811cef157ca55cbb5172ac194997bedcd1e604fc24555451dc08f90de0dd50a2f3c907f
- SSDEEP
  
  196608:+UNVtS4ieuPtnRqtAQehgvI0JH4cyoYOiKaN1OzCGOzp7NW0:+UNVtShgQE4pBuaNhdRW0
Score

10^/10

remcos host adware defense_evasion discovery evasion execution persistence privilege_escalation rat stealer trojan upx
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- UAC bypass
  evasion trojan
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Legitimate hosting services abused for malware hosting/C2
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Network Share Discovery
  Attempt to gather information on host network.
  discovery
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Probable phishing domain
- Suspicious use of SetThreadContext
behavioral1