remcos | b946459b031ba8f36ffc81ce67c805dbf8761f2bfe7819944cb022f1481d4f40 | Triage

Sharing

General

Target

250924.rar
Size

1.2MB
Sample

241004-2g155azenk
MD5

b88e29c6f4c9bacab7ada816fc6e32b4
SHA1

da9e3d663f7385ac90388e11ad9ef1063bc32fe4
SHA256

b946459b031ba8f36ffc81ce67c805dbf8761f2bfe7819944cb022f1481d4f40
SHA512

986cb77cb9c8024d4a2f8db14d8d961f153d84329d4a63944e6b2a099149444e3a9d1714e2ffaccf10afc1bc3a9b15a599d1e4befb5c01809f99cb33767a8d94
SSDEEP

24576:l1jOJbI4EhxSnQqEklAjT1XydQbA6vdaM45VE13tC2GNCxP:l1IINhxSnRET1FFaM0C13tC2Yo

Score

10^/10

remcos pqvps discovery evasion persistence rat

Malware Config

Extracted

Family

remcos

Botnet

PqVps

C2

103.35.190.90:2405

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
LogHost.dat
keylog_flag
false
keylog_folder
LogHost
mouse_option
false
mutex
RmcVps-HIX6ZI
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Cobro_714908746632292158322869967546175789167005896538554858756104291.bat
- Size
  
  1.6MB
- MD5
  
  ef049bc637c98aa00c35467c7a02afcb
- SHA1
  
  b2d498988a2375d988d096466faaf4faafc038ec
- SHA256
  
  7f8daa38efb7829976dc3a14dc840a4ccfd312df6e335e3b1620c6f0e9535621
- SHA512
  
  0e10f6c8cd229b4cf26657ccb5f3a41c2ab3ffc6c0606654e95dc645d1bb40799fdebf255ee0814d6a83371be78cf026d4ebaeee5ac35b49413e36ae41ecd5eb
- SSDEEP
  
  24576:c2UCeOG76RFbdt4km7EoWbKMu2HpNexVcVfpIeD47I79nwS4/pfapm40iQc4VOkp:cv7Ibb/1bKKHpNexVwzrhtfLg
Score

10^/10

discovery evasion remcos pqvps persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryevasion

behavioral2

remcospqvpsdiscoveryevasionpersistencerat