remcos

Sharing

Copy URL

Twitter E-mail

General

Target

SilverBullet nosense.rar
Size

344.6MB
Sample

240929-1emz2s1gmk
MD5

741920adf39a3d7741249c22e2d23b73
SHA1

b6d8967ccaa9ae10acc0ca8682ec6867b9086b10
SHA256

acb4464c86b943e6626708dda4e36ab0e44131f5f76f44c36463492f86e995dc
SHA512

63c12d65da617c2a363970749b2d61609afd7d8d640241ea650f1574a6f4465bba30c8fd6fa5197c275ebfcc4769841c6d9bcc69e60ac1a0a15dad567a8162f6
SSDEEP

6291456:D8lGY1Ao9990Dxn+M/pwLIAzeZpvY7o8H5/s4nkFDr61KfKjT7cf2vj1SE7:D8lGrFDxndpqCOo8Z/s4nkFGXVBSE7

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

SilverBullet

185.81.157.223:1010

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-8HUY6L
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  SilverBullet/Plugins/SilverBullet.Plugin.dll
- Size
  
  22KB
- MD5
  
  b4ee39136bb41b38eca8055983dd80c1
- SHA1
  
  b864bf0bbdab6dc6ae71ee1c3642282dd2c95c72
- SHA256
  
  edc4c8eed4dfa60c22faa02b47da671b9998d872aa9c132b73448ec427a4246d
- SHA512
  
  b626e6accd909c1efb92628f623c9efd8b3df08d86851f3eea3c109f702b71b11b330008b57032e61d9a25e09408603451a49f3b23fb8423309a39993c2498b3
- SSDEEP
  
  384:Hu1YyzVMHOnf4yMF3cPPbVwVeW1LD91GIyAa9Otdf2sRE:ORbEVVRfXGIAEV2uE
Score

1^/10
behavioral1 behavioral2
- Target
  
  SilverBullet/SilverBullet.exe
- Size
  
  177KB
- MD5
  
  f5727612b5895d4002600521c57ddc8c
- SHA1
  
  795a6467fc1acbd7fac964870e40bb6cc39e4bf7
- SHA256
  
  cb63ac36d78c499e62c3778649a6032e4b0908a64e70282fc3ff27ff8ce281ac
- SHA512
  
  06f7ef882bfb818dfa0181fc4fad40269e129bcd262243bf2fdb50fa190369408dbbae6bead4bdced9df77576602d0a10ee47ba4ef4011c0103577ac5bf9048d
- SSDEEP
  
  3072:IbsSD+btEtcju69GGe3pv8zcLJc9Qe+L5tOd+0/qY:IbsSD+byYu6Te3V8zcLO9QRL5tM+iq
Score

10^/10

discovery remcos silverbullet execution rat upx
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral3 behavioral4
- Target
  
  SilverBullet/dll/x64/OpenCvSharpExtern.dll
- Size
  
  50.7MB
- MD5
  
  19e37638575b19c76a677ceb3dc0f04b
- SHA1
  
  68da41f516869714493362a33fc4b3c1978607a1
- SHA256
  
  1f87c50c51baa35fc115087b6b96ae1c028242190b86498b16bea005cf5403cc
- SHA512
  
  c14df3c01c4f5f115630862c196aef025e006a39ae88df63e226eb02c48eeb60a8f1379f05075bcc32d88551460a3f94eadc639cd1620114ac60ec2814b0ad18
- SSDEEP
  
  393216:KkLz4uUUe8nQqxWUVa4ffDirRhoLc635JL0KLiAUCmczNgDHDPTU:gU3QdUVawGlo3gcET
Score

1^/10
behavioral5 behavioral6
- Target
  
  SilverBullet/x64/CefSharp.BrowserSubprocess.Core.dll
- Size
  
  1.2MB
- MD5
  
  a7ea64a13017c8f73fa2a58b94ab96fa
- SHA1
  
  6e3d2314cbbac568c138fa0fed9cd631f5566022
- SHA256
  
  49b5e947cb19a3077a009448626271e43a2c179c98a52eb75be6089d05bba4ff
- SHA512
  
  92c4838a7b8be00ef9bbd1deb4e39ee6615c31dbdfcf6d7b8a3851e7eb57c736d5a799cf2c4c0bff23367880cf2def864ab47b65f3f63ac6dbe035d2e9907a25
- SSDEEP
  
  24576:Gh0BYCERE6tV+YKc8zXoiYehQspQ8SdWHubiWycvrQK0OXPzExy:PizRztVtKc8zXoiYehQspQ8SdWHubiWn
Score

1^/10
behavioral7 behavioral8
- Target
  
  SilverBullet/x64/CefSharp.BrowserSubprocess.exe
- Size
  
  6KB
- MD5
  
  81f6254c9978006fa0eb7f63575d148a
- SHA1
  
  7d1d8248cf4950128333ded6038e31afa8d4f917
- SHA256
  
  738fecfd874b246c63e74ecbe734ec53d69e4340f3e4e314be85c849d562c957
- SHA512
  
  42a11f77db6b669b23a1e40f1723b4b9a22750725143380b9a4f1827c35a5ebe51da5bd5999cbd2ddf7dea36fbba6cdffc635bd43b06885448efba649bcf9c40
- SSDEEP
  
  96:cHxFI7lRsmQBDsCszGzFZsetmAUNt61OYcXei+U:cRFIDsmQBNszGzFZasAYcXeU
Score

1^/10
behavioral10 behavioral9
- Target
  
  SilverBullet/x64/CefSharp.Core.dll
- Size
  
  1.8MB
- MD5
  
  f286552c2ff0dd6070df1d0c27e7c115
- SHA1
  
  daa9510222c0aedc738153121d16b4b7b8c1a727
- SHA256
  
  8b06fcf7f377f8e6eb8e27ae7025ce3562f9a2f7e83d5e2daed17aa6016d5088
- SHA512
  
  c8dc7c6c6341c7134d212b59a4cd4d5e41bb69e97e65f65db34598617f1c8a4008e32814d68cda6521d3d2f1a5ce326108d08bcc74b48a0f57b18fa64f030c22
- SSDEEP
  
  49152:a6tJ0r+E7+KNqcfUhPolDexla9e6dhkOiFnKA++e6P4ZcVQm6U5IrQK0O9kC62gN:aQY
Score

1^/10
behavioral11 behavioral12
- Target
  
  SilverBullet/x64/CefSharp.Wpf.dll
- Size
  
  83KB
- MD5
  
  c6eecbc9a3c1f3f91674295a0e36fe15
- SHA1
  
  ff02d3b8e9b0e854b80c606d75bd77c4579d29de
- SHA256
  
  c7f23d49cd0bdd4dae11bdd4edf1e23ae999e95178c5fc0ffe303bf53d2d8bd7
- SHA512
  
  51de6a2595fdbcf033876ee13ca4f28f2c440e975b2b58983bd5050d95aaa1d1938d5d5b240dac0bd8788a3472e7db73cf1e6978713c3317de190e222d2e8f6f
- SSDEEP
  
  1536:qwQcm8JNaiVEQJjH2bVCgPXVJaPv1bXRUDnamyGxhBge8FLMmGCYptpUh:qwNVYiVEQJjH2LaPNL6Bge8FnGnD8
Score

1^/10
behavioral13 behavioral14
- Target
  
  SilverBullet/x64/CefSharp.dll
- Size
  
  223KB
- MD5
  
  a2efe23188dd43c7b900d8690ce3bf70
- SHA1
  
  7efa73aeb9d6ba6a6ced60ed0a4224fe67cfeb2d
- SHA256
  
  30597b11efb43da39a647f6da138d29e315c45ac7859cd74aacc618481dfa9a0
- SHA512
  
  80f6697e75c26eba1714c84df3aa22cc8255c2e7c23404330b94b1ce2c7cddff6c1a03420b82fd669b48c826961e6220390b022a0ba45b17bbe2472d29d6ac66
- SSDEEP
  
  6144:05GVJ+AxsEh2onceHRWeYeJaaesaQ3UDZSK0/aUjKB11iILUFT70UUZlkUUu00C3:0AVR/2onceHRWeYeJaaesaQ3UDZSK0/s
Score

1^/10
behavioral15 behavioral16
- Target
  
  SilverBullet/x64/chrome_elf.dll
- Size
  
  950KB
- MD5
  
  9248aa52295aec491ccad9bede345915
- SHA1
  
  b0da203312fc616efd687beec0c0e37f3f19da95
- SHA256
  
  1969331ec9ca9b5d4ac9af9e45cc91075735c37e11aa3e5df6b95a9d2a6b39be
- SHA512
  
  fd86b844a19df1003a22dd306f524a0a78a80f5a3dcfe8afd3bc912bed870b8503b8530fd9291958d1c7229c972bd5629c4081a199915e4e272c658ecafd3f3f
- SSDEEP
  
  12288:avuz9d07tcZUmnyEuKaQeOiZ7kvW6GbCN4cL1ETrTsDWDCw2tueR5+nroR:avdcZUdEuKa9OiZ7hYGHTsDsCUi
Score

1^/10
behavioral17 behavioral18
- Target
  
  SilverBullet/x64/d3dcompiler_47.dll
- Size
  
  4.1MB
- MD5
  
  222d020bd33c90170a8296adc1b7036a
- SHA1
  
  612e6f443d927330b9b8ac13cc4a2a6b959cee48
- SHA256
  
  4432bbd1a390874f3f0a503d45cc48d346abc3a8c0213c289f4b615bf0ee84f3
- SHA512
  
  ad8c7ce7f6f353da5e2cf816e1a69f1ec14011612e8041e4f9bb6ebed3e0fa4e4ebc069155a0c66e23811467012c201893b9b3b7a947d089ce2c749d5e8910c6
- SSDEEP
  
  49152:D5EfJYiVk9w6hAPqzag2At6i5K/8Ub6Lg3MEq/NHiQTtVr+5kb62QgdD6zoodr7P:l7iNPWHYE+Bnm8
Score

1^/10
behavioral19
- Target
  
  SilverBullet/x64/libEGL.dll
- Size
  
  369KB
- MD5
  
  0dcd240f31896a8dc2d8a4daf1872d50
- SHA1
  
  3da5c24588766f96178e52f511c7c77ba1feddb1
- SHA256
  
  1c8dc36c23661ed16ced1955f231e5169e6a357706e8ae52b058dcf6aa56a39e
- SHA512
  
  42108688db5244123a4503278c417db9f92e5e5cdf00aac6d1c5085e0e64c11d3851f52b00ac5c797ca3cf8a84c4a7ed707395b2db46701197f666c75c17f65c
- SSDEEP
  
  6144:4DyKjGK+9etfOfCnwjBMGQtPgtOIOL9o:4DyKjC9eJptPU
Score

1^/10
behavioral20 behavioral21
- Target
  
  SilverBullet/x64/libGLESv2.dll
- Size
  
  7.6MB
- MD5
  
  d000fcff1ee69ef88fcce9aee41f2b83
- SHA1
  
  4980f29eba427f48c643513b1166e9d3052c8565
- SHA256
  
  90ac87ebb1c099a84e88618e10e2301553373ef586315ac39aac13f1f6c77609
- SHA512
  
  3645399b28fec183968772c91e0d30e6d375c64aee05e388f89bc510a2f9977636f3b0cfabdb6ece69454fd09d015ee4f192368e48d350a6fa8ce637f0274432
- SSDEEP
  
  49152:/TxmC0U/qEuc71Ixe27E4X1v4VyzVJIE69N0B4tl1UTDucaKSjYX61clB/iLdv7R:WQ27Ntc14yMOlP/t9cxdFu2xY
Score

1^/10
behavioral22 behavioral23
- Target
  
  SilverBullet/x64/libcef.dll
- Size
  
  119.2MB
- MD5
  
  24a4f6052d598386bd0a576138aa9267
- SHA1
  
  cf7a37fdf05ad241fcd1d7abbc7a5e74734085c2
- SHA256
  
  2e11dbabb684ea8fcd1fd96ed6cce7af2dacb9d46ddfd826b20c886ef52e12a1
- SHA512
  
  b8e4df1f2c39a2cd3f940c127b37b28b7a9227584f0b8e803ea70cbcd95f97e792602a2e84e47fda240240034474395389d387e1c9c29c9d87abce173bb6fbf9
- SSDEEP
  
  1572864:+459hVtFcPAjn4P7h/ItKnr77lnMPeu3It6:mL4PbIo
Score

1^/10
behavioral24 behavioral25
- Target
  
  SilverBullet/x64/liblept1753.dll
- Size
  
  3.6MB
- MD5
  
  17661cd8e05ebfd0e6aa69ab0cfcbe1e
- SHA1
  
  e4273963fde72fcd315ae75aab2fa704eced93a4
- SHA256
  
  b88c5c4eb525a0b1db33afa8eb10b0a00d8c31fb9d609ed7a46e9671d056862d
- SHA512
  
  4b19a6457946acb5312852ef8771e390eb11aace710503db0ca4069939245adf667a5f87af02810131ed2158a5212e650360ea4ac17ecf160d6ffb6205f3174c
- SSDEEP
  
  49152:WxRio1qv4bsO1YYFtR5Qp9Fb2ClMuO+MfWx+Ma+G+u7U8T/u7ecYGtXI/JkvZ2iS:WxcndGPoVz95S
Score

1^/10
behavioral26 behavioral27
- Target
  
  SilverBullet/x64/libtesseract3052.dll
- Size
  
  2.7MB
- MD5
  
  583bd8c3206a30bd2c5514d53e6aa9d8
- SHA1
  
  27cf2c9c7abcde974b6a9bdac875ed542635e1c5
- SHA256
  
  7ee8edb2d7aa0f5dc245edf428b742dc24a080956a546997b45b00d6af48f58d
- SHA512
  
  62624dc8b1a5a0373c243295d4c3e4cf2aeeed46fd28822a109923951bf01e1e90aa632ee08599cee7ca6e8a476a73d843886491dc94e178bbbc0b4fb95c7661
- SSDEEP
  
  49152:RUGbpltwlDi/uvE+m8L/UKEV19Jss9IRcQ4l1lnlQ2Yy1:RflQYGmvvY
Score

1^/10
behavioral28 behavioral29
- Target
  
  SilverBullet/x64/swiftshader/libEGL.dll
- Size
  
  389KB
- MD5
  
  dbd60c4ff3efbf43ba49405daf667a12
- SHA1
  
  abb9b917ab039f49a55903a461cb37aaf543afe1
- SHA256
  
  5210351a0e0c07c82fc3044a4490a8472b9066f6d85e6d1d8ac76ab989522798
- SHA512
  
  cea5c333df197bcb4a32df2529a0c675020d4eb84fe325964793d8371b782f790830c341a91d9ca2a714b78ae63f288bb2a8faeaa7cb206adb6fcd7dd6556078
- SSDEEP
  
  6144:v2YEmUEuuSkDY5iwvkrjzSrbOqs4hQ3YlbYMLu4eQfIk:vbEmUEuL/5iwsrahYFQfIk
Score

1^/10
behavioral30 behavioral31
- Target
  
  SilverBullet/x86/CefSharp.BrowserSubprocess.Core.dll
- Size
  
  923KB
- MD5
  
  b4cb624c9540fe0855b38d28f401715b
- SHA1
  
  4e7d8890b1daabdf45d3feaf9c9f4e2d2f115557
- SHA256
  
  22c76d70498ffb4354bc078a790764788ad52492e164711f1edffc3861b1b0f1
- SHA512
  
  c17b18d5a93e588c5ed03b0816354fc0507b265437e36f1a34906fbf535a54038220fef539cc5d0d632780a52aa50983202c727730e3ff0525f87234903c0292
- SSDEEP
  
  24576:cUICGRyGLFrKp0zXoiYehQspQ8SdWHubiWyz6rQK0OXPcBl:ThGLdKp0zXoiYehQspQ8SdWHubiWyz6/
Score

3^/10

discovery
behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

UPX packed file

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32