remcos

General

Target

be386e82648d80bd602030f57e67a94834f945efd92293ab660e561b22c3e850.lnk
Size

1KB
Sample

240926-ctkw8svdmh
MD5

383bec1808c99dcffafa9f4e03f104a4
SHA1

2f3647ea4331f7848de1c96cef6427b7136ab835
SHA256

be386e82648d80bd602030f57e67a94834f945efd92293ab660e561b22c3e850
SHA512

ddb859691e290bb1f4180c086ca92d385918f497506b1b9dc0b1f10b71acb24259b34020b032fb25af64a3ba628e423381106a538e7539f8d9c2617cee11c617

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

Back-September

C2

fullimmersion777.com:8090

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
hello.exe
copy_folder
windw
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
rimcsl-94LESJ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  be386e82648d80bd602030f57e67a94834f945efd92293ab660e561b22c3e850.lnk
- Size
  
  1KB
- MD5
  
  383bec1808c99dcffafa9f4e03f104a4
- SHA1
  
  2f3647ea4331f7848de1c96cef6427b7136ab835
- SHA256
  
  be386e82648d80bd602030f57e67a94834f945efd92293ab660e561b22c3e850
- SHA512
  
  ddb859691e290bb1f4180c086ca92d385918f497506b1b9dc0b1f10b71acb24259b34020b032fb25af64a3ba628e423381106a538e7539f8d9c2617cee11c617
Score

10^/10

remcos back-september discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Blocklisted process makes network request

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2