remcos | 39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1 | Triage

Submit
Reports

Overview

overview

Static

static

39ec963bdf...c1.exe

windows7-x64

39ec963bdf...c1.exe

windows10-2004-x64

Sharing

General

Target

39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1.exe
Size

36KB
Sample

240928-kel5raydqh
MD5

9aa54216394c3620f7e6131a00acd8f1
SHA1

e5016252d0fc9dc04bceef0334ca93d11e2bbdde
SHA256

39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1
SHA512

dda82fe927253230e36902f4a351e470703af3cb168984298689c7f37e293871d18eeace33ba6003c1b69727cad0a8ada740e7ec7bb428cae5a0417343a78b0c
SSDEEP

768:/5PHyCjmhFdWfLubuZ1kvIaEekM2em014r1:/5PHfjGPAKbLVS9r

Score

10^/10

remcos host discovery evasion persistence rat trojan upx

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1.exe

Resource

win7-20240903-en

remcos host discovery evasion persistence rat trojan upx

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1.exe

Resource

win10v2004-20240802-en

remcos host discovery evasion persistence rat trojan upx

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

dmak777.ddns.net:6522

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
system.exe
copy_folder
system
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%ProgramFiles%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
system
keylog_path
%AppData%
mouse_option
true
mutex
owgaigcjgxyjhgfds
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
system
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1.exe
- Size
  
  36KB
- MD5
  
  9aa54216394c3620f7e6131a00acd8f1
- SHA1
  
  e5016252d0fc9dc04bceef0334ca93d11e2bbdde
- SHA256
  
  39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1
- SHA512
  
  dda82fe927253230e36902f4a351e470703af3cb168984298689c7f37e293871d18eeace33ba6003c1b69727cad0a8ada740e7ec7bb428cae5a0417343a78b0c
- SSDEEP
  
  768:/5PHyCjmhFdWfLubuZ1kvIaEekM2em014r1:/5PHfjGPAKbLVS9r
Score

10^/10

remcos host discovery evasion persistence rat trojan upx
- Modifies WinLogon for persistence
  persistence
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- UAC bypass
  evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Modifies WinLogon
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcoshostdiscoveryevasionpersistencerattrojanupx

behavioral2

remcoshostdiscoveryevasionpersistencerattrojanupx

© 2018-2025

Terms | Privacy