remcos | 7864d31f7ccf35934bbab34115c83952b94dfc7223929ac03fefac2b17ed7927 | Triage

Sharing

General

Target

Quote.lzh.rar
Size

858KB
Sample

240926-qszkwssgnh
MD5

1ee5ae50ff6ddf23d220f20d90c7bd59
SHA1

b9244d806463d1477d136dffff0facaeca7ff78b
SHA256

7864d31f7ccf35934bbab34115c83952b94dfc7223929ac03fefac2b17ed7927
SHA512

ac0deff430b2bd83c8886162d097fe4fa9cca9cc1dc2e5beb98fafa9e60df0b85c098dfcd51c8a462732926c4965bc349028fd224fa09004899e1112a37761ac
SSDEEP

24576:F8EFCciF8GAenkfJo9ekN3tGTpJlPi5ssaeAPdig:F8ErMkfJo9F9epPDeAPdig

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

www.projectusf.com:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
gfh
mouse_option
false
mutex
Rmc-J91LMC
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Quote.exe
- Size
  
  915KB
- MD5
  
  0b18de9b2b7f17fc93796eabee8d26dd
- SHA1
  
  0c0f08a2df8262960e6290900bff0684847cc0c8
- SHA256
  
  929167f47e1116759145eb457f86474a311374373b05b11438ea1222a9e2a8f0
- SHA512
  
  07a146051648b7bf1a7024bf1375b27b3ee6ea07c9c455ede24d3edce26d79e2f227a9b1a9ba0eb4f5e05c75e458169e48c3a8a1acaf731781a0f105ace37860
- SSDEEP
  
  12288:OdK2wPfKaoFsNyjcFg/Q5P4Uf1fTX5muSPflsEXywds31GHvMb7d+fLnnjnU+DL:FPfKaKsNEesQ5PxL5mjHiwOFEvMOPn3
Score

10^/10

remcos remotehost discovery execution rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostdiscoveryexecutionrat

behavioral2

remcosremotehostdiscoveryexecutionrat