remcos | 790266f679f399a10b26371ab1cf17292a9586bca0bc52c97f13d965b78911a8 | Triage

Sharing

General

Target

fea69467c888c64067f4513af860c98a_JaffaCakes118
Size

234KB
Sample

240929-q1ycsswgln
MD5

fea69467c888c64067f4513af860c98a
SHA1

c9966ac55d24ee280f13a17c221d116cdbc67634
SHA256

790266f679f399a10b26371ab1cf17292a9586bca0bc52c97f13d965b78911a8
SHA512

a33b7e8d4bf788735587e4e046c5ab784f55e0b8b2025dccfd998c5150ddde197b682ca646db5bdfb5ffc5fcac21feee9d3c2cf6ed2918faf7b7ce42b38cf01d
SSDEEP

6144:iqjIGiY3j0ZwuKskNHeZGevUAlLOHaRA99C2lkt:zu19Ks4+vzuaa9M

Score

10^/10

remcos remotehost discovery rat

Malware Config

Extracted

Family

remcos

Version

2.7.2 Pro

Botnet

RemoteHost

C2

103.89.88.238:4299

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
excel.exe
copy_folder
excel
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
excel
keylog_path
%AppData%
mouse_option
false
mutex
excel-8OHAVR
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
excel
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Targets

- Target
  
  fea69467c888c64067f4513af860c98a_JaffaCakes118
- Size
  
  234KB
- MD5
  
  fea69467c888c64067f4513af860c98a
- SHA1
  
  c9966ac55d24ee280f13a17c221d116cdbc67634
- SHA256
  
  790266f679f399a10b26371ab1cf17292a9586bca0bc52c97f13d965b78911a8
- SHA512
  
  a33b7e8d4bf788735587e4e046c5ab784f55e0b8b2025dccfd998c5150ddde197b682ca646db5bdfb5ffc5fcac21feee9d3c2cf6ed2918faf7b7ce42b38cf01d
- SSDEEP
  
  6144:iqjIGiY3j0ZwuKskNHeZGevUAlLOHaRA99C2lkt:zu19Ks4+vzuaa9M
Score

10^/10

remcos remotehost discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  fccff8cb7a1067e23fd2e2b63971a8e1
- SHA1
  
  30e2a9e137c1223a78a0f7b0bf96a1c361976d91
- SHA256
  
  6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
- SHA512
  
  f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
- SSDEEP
  
  192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  u5qfpyjy2p.dll
- Size
  
  17KB
- MD5
  
  40ec87b2fe39097f68409834c4d79d6f
- SHA1
  
  1efafb59ff23847310944327b87442be7a2e9068
- SHA256
  
  5567d4c9d8fba6f4b05e80835e85f854d056c2b863861af136164f1941322d86
- SHA512
  
  012742ef15eaa547bac6c59d92367e8ab004dca528651f8428d554e5351522ef777b6e73de26e285fd327cc5c171829727313c477c3cdbd6df6c8334f30d9b36
- SSDEEP
  
  384:tR8Vjd/VR2vTsfqegBu8FkwEZVNSINKfh7/YQgGh4:tYd/VR2vTP7xFkwa4xqQgD
Score

3^/10

discovery
behavioral5 behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostdiscoveryrat

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6