remcos | 15ec3d5590f26ed878b51e2905110bc7c8cd702089877d35e8646aa3463c9f92 | Triage

Sharing

General

Target

fb46d56d1360eca17ab77e3e22d5f28b_JaffaCakes118
Size

371KB
Sample

240928-caqnda1blr
MD5

fb46d56d1360eca17ab77e3e22d5f28b
SHA1

cc9a4185ea71151fe62d1bd90f9bb733ed533eb4
SHA256

15ec3d5590f26ed878b51e2905110bc7c8cd702089877d35e8646aa3463c9f92
SHA512

22d99d2844d4fdea6c3d2854d3e54718505e11bc06a9f65fe269da6fde66b10131fe996e96cf98aa4d2fb27616dc9a39eaa2049f0ba9399bd79969c8776ea745
SSDEEP

6144:rjSE5FTagmE0U0OwVTfEia+6p/CpeJwHJLJoXOXKXKYd+dtsHFUSuk3JTpvq6rhN:rjS7HG7I7TT6R+JoXy6dEtsHFUSuk3Jf

Score

10^/10

remcos host discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

185.244.30.18:6642

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
chrome.exe
copy_folder
chrome
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
remcos_cstgllymbjwflcg
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  POS Statements for Date - _20-07-2020.exe
- Size
  
  661KB
- MD5
  
  7e2ba2eee843c4f4986523e38f8dd057
- SHA1
  
  867e97338af0de914aa6b3bef902e610c1a4411b
- SHA256
  
  eadead9719ea252ca71c8b1a9f08bdb61f86097565303c8dc889f22691801d66
- SHA512
  
  d54090957ca6e2bdff9e1d37f8b70640bffa490906a6eface76a7d3eb5a5ecafb032b9bca89f2e4d053672f52f7277528ff498b78045da83532defb700626e6e
- SSDEEP
  
  12288:LpxEDrQY5EvoFzhlmTS1i4jkkg52CKRC8fZ9GmFNesSFX/Bkl62:da8voVOIObYfZoUKFZs62
Score

10^/10

remcos host discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcoshostdiscoverypersistencerat

behavioral2

remcoshostdiscoverypersistencerat