remcos | eb4172617d34c01a45390b880499b0c1eef52a466852241e5a2db92b660a5f41 | Triage

Sharing

General

Target

eb4172617d34c01a45390b880499b0c1eef52a466852241e5a2db92b660a5f41N
Size

2.5MB
Sample

240927-fctdtsyelf
MD5

1627304a7d3f6859001efebde8c08220
SHA1

99d184f60f258ffaf6b64dc87e1c13b70d227009
SHA256

eb4172617d34c01a45390b880499b0c1eef52a466852241e5a2db92b660a5f41
SHA512

59704afd589bd797a07296a00639f8244d9bc7bcd071e6a0368aebb309cb8a6c3a270ed2e966945c5dc36819c61394dda204338cb2e814d770a502ab92aa6355
SSDEEP

24576:4u14cbiD+YsyBvUmrUeZ4nXksgBMVqYyFU:4udiD8mgemnXksgBMV0C

Score

10^/10

remcos remotehost discovery evasion execution rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:47666

iamblessed.duckdns.org:47666

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-MFNROY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  eb4172617d34c01a45390b880499b0c1eef52a466852241e5a2db92b660a5f41N
- Size
  
  2.5MB
- MD5
  
  1627304a7d3f6859001efebde8c08220
- SHA1
  
  99d184f60f258ffaf6b64dc87e1c13b70d227009
- SHA256
  
  eb4172617d34c01a45390b880499b0c1eef52a466852241e5a2db92b660a5f41
- SHA512
  
  59704afd589bd797a07296a00639f8244d9bc7bcd071e6a0368aebb309cb8a6c3a270ed2e966945c5dc36819c61394dda204338cb2e814d770a502ab92aa6355
- SSDEEP
  
  24576:4u14cbiD+YsyBvUmrUeZ4nXksgBMVqYyFU:4udiD8mgemnXksgBMV0C
Score

10^/10

remcos remotehost discovery evasion execution rat trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostdiscoveryevasionexecutionrattrojan

behavioral2

remcosremotehostdiscoveryevasionexecutionrattrojan