remcos | c324d8aa339bbc15ff74f96404837d280c91acd405f40e5cc6a4332945a87129 | Triage

Sharing

General

Target

21102024_1618_20102024_IMG465244247443 CAIRO OFFER Opmagasiner.7z
Size

4KB
Sample

241021-tsbevayepd
MD5

7c6049f5f8c18b6089eb488357b4ff5b
SHA1

6fdee952e5669addb2893883a5f70cc7fbf75f5d
SHA256

c324d8aa339bbc15ff74f96404837d280c91acd405f40e5cc6a4332945a87129
SHA512

52cd509013e1648cbba471fd8b680780f82d3fa2ee9a0a2f5ed76bc7ea047e6159a9ab9afb7571b90df01319623487b04923fab38925fa56178a129fa54894d2
SSDEEP

96:ZSLhL0XjBmfj+IXV99moxvYafU5iNmYzNZpPeiZQUeLPa8l:qhL0XjBmfdgouOEi/x72iGU6P9l

Score

10^/10

remcos miss chy discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

MISS Chy

C2

pelele.duckdns.org:51525

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-TXCR8B
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  IMG465244247443 CAIRO OFFER Opmagasiner.cmd
- Size
  
  5KB
- MD5
  
  d4a5745ec008932bec834b981d31bd8f
- SHA1
  
  c57e44498a52b6aa60e55c19a16cb026104fa19c
- SHA256
  
  40b46bae5cca53c55f7b7f941b0a02aeb5ef5150d9eff7258c48f92de5435216
- SHA512
  
  7de89b88dbba6d2310ef79bad8bc6c82ec12b0e8c0abfc0229f3ca4765606c1c2f342cd996d63882e7e0aab4fd1f3d15d016108831e286d7e3aa26e09aef454f
- SSDEEP
  
  96:zX+gBYcM44kNPsQa/+2bBRpgccIgEyHa9a6ONt/3nU56D+9EFA/W8v8OS7x+LSKv:T+gKc2k6Qa/cJJNd3n3wR+B1Kv
Score

10^/10

remcos miss chy discovery execution persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosmiss chydiscoveryexecutionpersistencerat

behavioral2

remcosmiss chydiscoveryexecutionpersistencerat