remcos | 8df2560a6e04ee9c1d4bdc98564d30ec55ab833cb58f1e92e384d50a4bdb88b3 | Triage

Sharing

General

Target

f73c023ecd4451476f41e0e3d880bcd1_JaffaCakes118
Size

186KB
Sample

240926-bkcntsybmp
MD5

f73c023ecd4451476f41e0e3d880bcd1
SHA1

3e29d745a9ebdf064413369e1f9a3bd4eb64204a
SHA256

8df2560a6e04ee9c1d4bdc98564d30ec55ab833cb58f1e92e384d50a4bdb88b3
SHA512

cfe01a3f02479ce69bc025fa6bdd256a61f98f9cd10d39a069c0f5030a118063e4bd2c28abdcb2b24ca95b96b6319d5e8d2045ac6144220a43908084a841895f
SSDEEP

3072:SOQOlPj1d4q2ylZHO4On2Ahwnu1+eeXBoIlL35FZt0Na9OKEgSaYtot475CY5iy:SwlPj4qfZsn2AhwuOXBoI535FLPDrSae

Score

10^/10

remcos importante discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

1.8.1 Pro

Botnet

Importante

C2

1.qy92v8t2ot.in:19850

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
crrcs.exe
copy_folder
Windows
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
ERDATYFVUASG_AGSJHDJDJG-MXZ0UN
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
crrcs.exe
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  61510208568935678651678166352850132152109914702567847665512797830047468571241419394262713904907124972949266627589907100690303225.exe
- Size
  
  404KB
- MD5
  
  af1266aefcde379985bdd3a8aa9ea541
- SHA1
  
  ffa9044daad7a4e690a9bfaeb49e9e11dac3871d
- SHA256
  
  7cd9ba0bd060a7ab75cbb1c3a99caf86dbef34142243ad40b1eff42b3a836701
- SHA512
  
  9c620d18305f69f8c43a36dcabb2a91d9aaceded47a945f36d6884d582404f5b00e0a4141eb5596c2a5a4000d31419c0900467185c9a25c3b87c93f6814e4735
- SSDEEP
  
  6144:LtOz4k96TGA6Dh3H6KnEJrFrC2a0mEnxgoj6e:JFM8Xs6/rJCPo36
Score

10^/10

remcos importante discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosimportantediscoverypersistencerat

behavioral2

remcosimportantediscoverypersistencerat