remcos | 918b9e2ab61a0ef85ed819b7ed4886f3fe23d34059cb87003fc8d73195e5d438 | Triage

Sharing

General

Target

MT103 CIBC Ref No EBOTT40930537914.pif
Size

978KB
Sample

241008-zeajaatgmq
MD5

3c228f541d5f99e928fc4f9a0993f45c
SHA1

ff3e24330aae208fe5c11ff45a2d913c683e55d9
SHA256

918b9e2ab61a0ef85ed819b7ed4886f3fe23d34059cb87003fc8d73195e5d438
SHA512

caa3a9fcad749eeb1e64f931177b82b7693dc26ee0d6811eb26ef294884e8f853b7c583ed65aad71b24b416e7e954780fcddeb114bb8f10a5a92dc137ec9ac8b
SSDEEP

24576:95EwHjgfwxXUCswKlVV3iSuoili7gGn/4S1:9Sws4xXU9wKlVkSCkgGnwS

Score

10^/10

remcos gmall-target discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

GMAlL-TARGET

C2

milliondollar23.duckdns.org:3984

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-3XAFQF
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  MT103 CIBC Ref No EBOTT40930537914.pif
- Size
  
  978KB
- MD5
  
  3c228f541d5f99e928fc4f9a0993f45c
- SHA1
  
  ff3e24330aae208fe5c11ff45a2d913c683e55d9
- SHA256
  
  918b9e2ab61a0ef85ed819b7ed4886f3fe23d34059cb87003fc8d73195e5d438
- SHA512
  
  caa3a9fcad749eeb1e64f931177b82b7693dc26ee0d6811eb26ef294884e8f853b7c583ed65aad71b24b416e7e954780fcddeb114bb8f10a5a92dc137ec9ac8b
- SSDEEP
  
  24576:95EwHjgfwxXUCswKlVV3iSuoili7gGn/4S1:9Sws4xXU9wKlVkSCkgGnwS
Score

10^/10

remcos gmall-target discovery execution rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosgmall-targetdiscoveryexecutionrat