remcos | 7bc77f3b7c41d5a8208081c0723881596ce757646237ba707d730d8b1b1d53de | Triage

Sharing

General

Target

7bc77f3b7c41d5a8208081c0723881596ce757646237ba707d730d8b1b1d53de
Size

32KB
Sample

241001-af2ays1fln
MD5

9f64627e96ac81761ebb6c0ad5cbf10d
SHA1

ce04b240ab51c1c0ba047f55d5fbc3a73ce64eec
SHA256

7bc77f3b7c41d5a8208081c0723881596ce757646237ba707d730d8b1b1d53de
SHA512

37c6abb253c7b6d8360b5a160929939d06113f9fe2a1f4a008598f437f8995ff6170179a83492f5f917c907e7e2c7768c58b754759cd1e12615be7f2abe1d88b
SSDEEP

768:JsiES3onvMOB8uiEvFeb3O9juqgtu5TqV8:mS4HRvF+3OBuqgtuRqV8

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WDQFG0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Invitation to Quotation_ Supply (2024 - 2026)_Final·pdf.vbs
- Size
  
  70KB
- MD5
  
  026c99ced565e7485d27c67d665e2174
- SHA1
  
  25658aa6d57665a8c685c468627a61407a087702
- SHA256
  
  60eae7b4f1e61d93ca69cad7b0926d434a61033a2fb4e8b0eb013a611c9a5f00
- SHA512
  
  533326f7c7759a8fea84eff1b4d7e9953a573443b988329c4c91a170958578be5d36fe26974d77784f0388409be3b059646d63f49dfa7c15d2b07719e6aac6ed
- SSDEEP
  
  1536:siTM6WBtreAg6z+oLNVRL+Cr3t1yLQWm2jdC39x/f:siTzFApzvKCriQr7f
Score

10^/10

remcos remotehost discovery execution rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostdiscoveryexecutionrat

behavioral2

remcosremotehostdiscoveryexecutionrat