remcos | c6dc1f147e3592d6acd628c21f3dbef8cba6e6acbcfa7dd25a3bb8fc7f003a00 | Triage

Sharing

General

Target

c6dc1f147e3592d6acd628c21f3dbef8cba6e6acbcfa7dd25a3bb8fc7f003a00
Size

884KB
Sample

241001-me7gssvalp
MD5

32f0a3c8593b7088912dfec3c841ab40
SHA1

bb3bc7dbe42583a83d9fa133a0dcb11d6ee6549e
SHA256

c6dc1f147e3592d6acd628c21f3dbef8cba6e6acbcfa7dd25a3bb8fc7f003a00
SHA512

ebec533d0b6f444521937b978c6a62207065d7c26cbe3f37c82965b0bfa035559f1e557c48c65d3ae28aa73df2cb399def1357529c9547db90e4ba985d6f73ec
SSDEEP

12288:ok8nujGuMzA9/fQAjsnyW6jeOH/ys8J2aUtmHOUqbFnPDu+qVuENvbQ1nadKX9M/:yuz/fQAjddWsxqOUqbV6BHMU2M6Wp

Score

10^/10

remcos irnserv1 discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

IRNSERV1

C2

irnserv1.ddns.net:4424

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-20UF0Z
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  TNT invoice 10.1.2024 .exe
- Size
  
  961KB
- MD5
  
  feee11842c3c5952aebf70fe162925e8
- SHA1
  
  13c393292e000ff9f543f4817034b33f9446c958
- SHA256
  
  15ef2164b480e330416ccfdc4a3265d61c7864990e65e9bb8078919a790eabee
- SHA512
  
  1dbfd469c79b86ecc3796c8cc5604964ddb8459720ab628f09bd294467d218bde6744a9fbdac3ec5ea64f3982687b0f0f6d6ce095b4e30523282ea58d5a4f5ea
- SSDEEP
  
  12288:sDVilInHpgfqAzSnyW6B8OH/csub28UtmlOUqIvgFau1Rjq+9AhdlNcEZu5B:BQH6fqAz7/esp+OUqIklHGzdfu5B
Score

10^/10

remcos irnserv1 discovery execution rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosirnserv1discoveryexecutionrat

behavioral2

remcosirnserv1discoveryexecutionrat