remcos | 9bf8f141e0456aadf44a97bae53b85a020592f17ee079a4dfc0ad37b68c5b7f1 | Triage

Sharing

General

Target

6af94a77f08333c515b9f522e0e70698.tar
Size

1.6MB
Sample

241008-3jycpashje
MD5

6af94a77f08333c515b9f522e0e70698
SHA1

927f3cf9044f2d5f3d3e475799ddf52faad84d44
SHA256

9bf8f141e0456aadf44a97bae53b85a020592f17ee079a4dfc0ad37b68c5b7f1
SHA512

fd442d40cc2836f059b5f73183bcf2c444514c03158f84ade7373f84b346a4e12d57f070ac9cf136a4047d00c1a87031da4c9b19259e1cff42ac7ebe00edf6e6
SSDEEP

49152:4TefprThLaqpKnpsLU1jBsTKkXzTWTxvB:IefrLaqspFHsThXzW

Score

10^/10

remcos octu discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

OCTU

C2

segurosbolivar24.con-ip.com:2006

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
registros.dat
keylog_flag
false
keylog_folder
regist
mouse_option
false
mutex
ljnghvfghujkvgnasftnz-X8YJ1F
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Capturas de pantalla
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Portafolio Digital de Transacción Electronica 0002938248924.exe
- Size
  
  4.5MB
- MD5
  
  13533b986d24ba176e64c6e7f8baa0a0
- SHA1
  
  20b1526c6df49a5b7b6eb3f456a8f29f011f9c6f
- SHA256
  
  33dae786b8b7debb0443f3ffd7922a3366072c0f3cb8c5a14cb6168938f0eecf
- SHA512
  
  5896593d110faa753e262e6f357d6767c3c9ce378c61d2c7db15cf0f720b79a7e54b940fb12fa5bb2e5421a64b94534dee68b0b16e3a6465f3532aea42b8d4be
- SSDEEP
  
  49152:QyVdmxB5GSL4m35GyJZYMrbcDifMb2TaIsjE1zSOmFaTXgaFInzHpGdk5KySXINi:QybbOGyJZYMrb7fMb2nZhdQWCMfj
Score

10^/10

remcos octu discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosoctudiscoverypersistencerat

behavioral2

remcosoctudiscoverypersistencerat