remcos | 41376827ba300374727d29048920ca2a2d9f20b929e964098181981581e47af2 | Triage

Sharing

General

Target

cayV0Deo9jSt417.exe
Size

958KB
Sample

241006-v8azpa1ajd
MD5

aa3cdd5145d9fb980c061d2d8653fa8d
SHA1

de696701275b01ddad5461e269d7ab15b7466d6a
SHA256

41376827ba300374727d29048920ca2a2d9f20b929e964098181981581e47af2
SHA512

4be32b5e9eaffa8d3f4cce515717faa6259373e8dbd258b9ebc2534fd0b62aaa7043093204e43627983fe332f63d8f998a90dc1cbb74f54a18c55f67e42a8a32
SSDEEP

24576:PExy+NP2Gc/hgXzYRVG7mRPQeMeokqjVnlqud+/2P+A:6+Gc/hD67mJQeMhkqXfd+/9A

Score

10^/10

remcos go!!!discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Go!!!

C2

dangerous.hopto.org:2404

dangerous.hopto.org:2602

91.92.242.184:2602

91.92.242.184:2404

Attributes

audio_folder
??????????? ??????
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
taskhost.exe
copy_folder
System32
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
tapiui.dat
keylog_flag
false
keylog_folder
System32
mouse_option
false
mutex
???-LDKG91
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
?????????
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  cayV0Deo9jSt417.exe
- Size
  
  958KB
- MD5
  
  aa3cdd5145d9fb980c061d2d8653fa8d
- SHA1
  
  de696701275b01ddad5461e269d7ab15b7466d6a
- SHA256
  
  41376827ba300374727d29048920ca2a2d9f20b929e964098181981581e47af2
- SHA512
  
  4be32b5e9eaffa8d3f4cce515717faa6259373e8dbd258b9ebc2534fd0b62aaa7043093204e43627983fe332f63d8f998a90dc1cbb74f54a18c55f67e42a8a32
- SSDEEP
  
  24576:PExy+NP2Gc/hgXzYRVG7mRPQeMeokqjVnlqud+/2P+A:6+Gc/hD67mJQeMhkqXfd+/9A
Score

10^/10

remcos go!!!discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosgo!!!discoverypersistencerat

behavioral2

remcosgo!!!discoverypersistencerat