remcos | 2e5a027c69c4689e63e3db83608d73bf1fc0e47e9aeea1b59f864545a98f9893 | Triage

Sharing

General

Target

2e5a027c69c4689e63e3db83608d73bf1fc0e47e9aeea1b59f864545a98f9893
Size

584KB
Sample

241021-ydnh3ssdkc
MD5

414ca4d8243096fc008b268ec4235f50
SHA1

7b81c2738b47d0004225af9dd546d66f9a0b35ee
SHA256

2e5a027c69c4689e63e3db83608d73bf1fc0e47e9aeea1b59f864545a98f9893
SHA512

d7d0652f3ea4c427f831dafee0d1203823c180515e3e3ec2c8185fe60b3752135a5f9998b6d10a068fcf65db16689a3ff53081da75484e80f4350c2ce6c441cb
SSDEEP

12288:SUcmEP2x0zk4h1U0Ses0CgwHRlG9Kd+czQze8jvEh0zP/4tHQJ7:SUcmDx0zRU0AgglG9KFCTzX4tHQJ7

Score

10^/10

remcos remotehost discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

newpage44.mywire.org:5010

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
skype.exe
copy_folder
skype
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-GRUM7D
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  sample
- Size
  
  1.1MB
- MD5
  
  0b17bf78d7ca53d04fa8b4b3326bd1da
- SHA1
  
  09f3d099f31bc9b1a92ef1f4e2bed3ce70426311
- SHA256
  
  51dde1b287583c1f27658bf5083e30e967beef56b53e02921721b7be5b4338ca
- SHA512
  
  21431db469c3b3d788db925f0bf6bdb2b314618973dcaefbe528eae76003c5d74e329e40c3319a4ad24a5a031b9c71aa1ca8342595ed95cd1be9781fbcff66f8
- SSDEEP
  
  24576:G4kClmLnsvxDw4AlDEdDLA92mwlzKBKuxAw//w:G6m3EdDLA92tld0/w
Score

10^/10

remcos remotehost discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostdiscoverypersistencerat

behavioral2

remcosremotehostdiscoverypersistencerat