remcos | b1475086f2f81e2aca88d89cb0620f04e8d0b0a20b956821a0d2efe1b65ce060 | Triage

Sharing

General

Target

Recibo de transferencia·pdf.vbs
Size

80KB
Sample

241001-f8a75ashlp
MD5

a510a741cf02891a5ae7268b7b92b9b8
SHA1

2740b1d3da34dab2396388ebb2c97763a3164ce5
SHA256

b1475086f2f81e2aca88d89cb0620f04e8d0b0a20b956821a0d2efe1b65ce060
SHA512

f8b09143c1fde918ef01c508c781af213c934d332956c43acbaba6116cd3d3874db8315d1e15eeb8da33e52fc0898569b8c95a5540051be3de48731cf89fb091
SSDEEP

1536:sjYl/iQZBql+3LAtEhHt1TtcjQ+yztqwT7C25jmiS8ybyf:sjYB7ZAoHCyzMy75y2f

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WDQFG0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Recibo de transferencia·pdf.vbs
- Size
  
  80KB
- MD5
  
  a510a741cf02891a5ae7268b7b92b9b8
- SHA1
  
  2740b1d3da34dab2396388ebb2c97763a3164ce5
- SHA256
  
  b1475086f2f81e2aca88d89cb0620f04e8d0b0a20b956821a0d2efe1b65ce060
- SHA512
  
  f8b09143c1fde918ef01c508c781af213c934d332956c43acbaba6116cd3d3874db8315d1e15eeb8da33e52fc0898569b8c95a5540051be3de48731cf89fb091
- SSDEEP
  
  1536:sjYl/iQZBql+3LAtEhHt1TtcjQ+yztqwT7C25jmiS8ybyf:sjYB7ZAoHCyzMy75y2f
Score

10^/10

remcos remotehost discovery execution rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostdiscoveryexecutionrat

behavioral2

remcosremotehostdiscoveryexecutionrat