remcos | 87e3270c895827876c1b3996d3897df3ff6056c8c728e76bcd69f8d7b2f8d9b5 | Triage

Sharing

General

Target

remcos_a.exe
Size

469KB
Sample

241021-ks1kasxdnb
MD5

d987e661f578faf114533d939978d027
SHA1

e73e7be2d0f176cc96f6c659c1072f33745b300a
SHA256

87e3270c895827876c1b3996d3897df3ff6056c8c728e76bcd69f8d7b2f8d9b5
SHA512

d8ac536421fd4a5342d218cfabd263c6a1a062daf36077f7826184d61efdeeb37f12f9cb95f8629dd42a83a44ad27d05d2592d2a4576f45795042a00f169e0d2
SSDEEP

12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSHn9:uiLJbpI7I2WhQqZ7H9

Score

10^/10

remcos remotehost discovery evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

ponscripter-29947.portmap.host:29947

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
scvhost.exe
copy_folder
Remcos
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-5GPHJT
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
scvhost
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  remcos_a.exe
- Size
  
  469KB
- MD5
  
  d987e661f578faf114533d939978d027
- SHA1
  
  e73e7be2d0f176cc96f6c659c1072f33745b300a
- SHA256
  
  87e3270c895827876c1b3996d3897df3ff6056c8c728e76bcd69f8d7b2f8d9b5
- SHA512
  
  d8ac536421fd4a5342d218cfabd263c6a1a062daf36077f7826184d61efdeeb37f12f9cb95f8629dd42a83a44ad27d05d2592d2a4576f45795042a00f169e0d2
- SSDEEP
  
  12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSHn9:uiLJbpI7I2WhQqZ7H9
Score

10^/10

remcos remotehost discovery evasion persistence rat trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- UAC bypass
  evasion trojan
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

remotehostremcos

behavioral1

remcosremotehostdiscoveryevasionpersistencerattrojan

behavioral2

remcosremotehostdiscoveryevasionpersistencerattrojan