remcos | bde5f995304e327d522291bf9886c987223a51a299b80ab62229fcc5e9d09f62 | Triage

Sharing

General

Target

DHL_Shipping_Invoices_Awb_BL_000000000101620242247820020031808174Global180030010162024.bat
Size

4KB
Sample

241017-j7bztazapc
MD5

89671e0720226be93c2656919ad5c32a
SHA1

71351ff372ff8075aa021e9d352c98adedb4ea40
SHA256

bde5f995304e327d522291bf9886c987223a51a299b80ab62229fcc5e9d09f62
SHA512

5cb8bdec3293daee1ed6c67ad27421252ec55908240d8c1ff5f4a851991373180434a2e7e06d886f877a2ed04007abe009e6767348a41309c9ef04e8c5eda448
SSDEEP

96:FZGj89ofWhaSyluf7/z+lab9Vkt2ElG1dm1Xde3c9xA1lxvU1TN:Dg8Se4uf7alXGvm1XKc9xCXvU1x

Score

10^/10

remcos fire$discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Fire$

C2

iwarsut775laudrye2.duckdns.org:57484

iwarsut775laudrye2.duckdns.org:57483

iwarsut775laudrye3.duckdns.org:57484

hjnourt38haoust1.duckdns.org:57484

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
sfvnspt.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
shietgtst-EYGLP1
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  DHL_Shipping_Invoices_Awb_BL_000000000101620242247820020031808174Global180030010162024.bat
- Size
  
  4KB
- MD5
  
  89671e0720226be93c2656919ad5c32a
- SHA1
  
  71351ff372ff8075aa021e9d352c98adedb4ea40
- SHA256
  
  bde5f995304e327d522291bf9886c987223a51a299b80ab62229fcc5e9d09f62
- SHA512
  
  5cb8bdec3293daee1ed6c67ad27421252ec55908240d8c1ff5f4a851991373180434a2e7e06d886f877a2ed04007abe009e6767348a41309c9ef04e8c5eda448
- SSDEEP
  
  96:FZGj89ofWhaSyluf7/z+lab9Vkt2ElG1dm1Xde3c9xA1lxvU1TN:Dg8Se4uf7alXGvm1XKc9xCXvU1x
Score

10^/10

remcos fire$discovery execution persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosfire$discoveryexecutionpersistencerat

behavioral2

remcosfire$discoveryexecutionpersistencerat