remcos | 236a755fd21fa7c19316ad4bf54494d3d700d3a10acfd201e0efae3f7c599ad9 | Triage

Sharing

General

Target

21102024_1633_21102024_IMGROFacturinepltite56773567583658567835244234Bandido.7z
Size

10KB
Sample

241021-va6zga1dqp
MD5

7422dbb5728f12b93d66dea51ce23855
SHA1

5de0d603ba297f6a637d5386b2012f765978d8ef
SHA256

236a755fd21fa7c19316ad4bf54494d3d700d3a10acfd201e0efae3f7c599ad9
SHA512

ddeb0d3f5fa083768c81d00159d7c60558f893f1e343c1d126e731283ef5f0a9706c97d3bc5c1fcb8033f44fec3d71a723df1155421894df9c3ace49f9c20b23
SSDEEP

192:0LR+CziHgBSXFr5UrKfX+me5/J+WmQQk+s9Ii0b0YKeOUotmpTs:cjEgmrSGfOmedJ+AQ+SF0YKDtSTs

Score

10^/10

remcos miss chy discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

MISS Chy

C2

pelele.duckdns.org:51525

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-TXCR8B
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  IMGRO Facturi neplătite 56773567583658567835244234Bandido.vbs
- Size
  
  28KB
- MD5
  
  a8da570deac5f16a0050802c0da5d7dd
- SHA1
  
  9d8992e3770e41d8a431350e1cef73492dc240ea
- SHA256
  
  c51c0afd1207879df1f42ac10c7c0bca5397c6b461a6423dbe58b091dc659e6d
- SHA512
  
  7731d4d019eb8e3cfa5e2e5d5802e4033cf289134c15c3a237bcfd7559ab964265b82b825b65451a21703f441619081b9be46767923fb7f662aa12a86e997730
- SSDEEP
  
  384:XrCiU16HKM4O+pbHLipRBP1Mv4Uwz+3S0KLV5Zsk+PNngq:Xen6HspbH2xdoftaV5Ck4N7
Score

10^/10

remcos miss chy discovery execution persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosmiss chydiscoveryexecutionpersistencerat

behavioral2

discoveryexecutionpersistence