remcos | e0d9ebe414aca4f6d28b0f1631a969f9190b6fb2cf5599b99ccfc6b7916ed8b3 | Triage

Sharing

General

Target

e0d9ebe414aca4f6d28b0f1631a969f9190b6fb2cf5599b99ccfc6b7916ed8b3.bat
Size

5KB
Sample

241023-cbqd1awaqe
MD5

e6e618c4354c26c555872d5398a72086
SHA1

76cddb6019c5d76a96de461a85742d766feebca8
SHA256

e0d9ebe414aca4f6d28b0f1631a969f9190b6fb2cf5599b99ccfc6b7916ed8b3
SHA512

0251b7c4f32ad218628d5e71bd80f909e4c124420e47e434b622e280253189e615206d6f6846ac63d66af14500054f38b15f473f5725b541c6921c03e23fea87
SSDEEP

96:/ZAmDvLJYo/4xtgIYzTSWteyhFeeOFXsQOEPoxFft7K3/XG3gWTE:amDzafszOaNCXPOkYjKPQgWI

Score

10^/10

remcos miss chy discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

MISS Chy

C2

pelele.duckdns.org:51525

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-TXCR8B
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  e0d9ebe414aca4f6d28b0f1631a969f9190b6fb2cf5599b99ccfc6b7916ed8b3.bat
- Size
  
  5KB
- MD5
  
  e6e618c4354c26c555872d5398a72086
- SHA1
  
  76cddb6019c5d76a96de461a85742d766feebca8
- SHA256
  
  e0d9ebe414aca4f6d28b0f1631a969f9190b6fb2cf5599b99ccfc6b7916ed8b3
- SHA512
  
  0251b7c4f32ad218628d5e71bd80f909e4c124420e47e434b622e280253189e615206d6f6846ac63d66af14500054f38b15f473f5725b541c6921c03e23fea87
- SSDEEP
  
  96:/ZAmDvLJYo/4xtgIYzTSWteyhFeeOFXsQOEPoxFft7K3/XG3gWTE:amDzafszOaNCXPOkYjKPQgWI
Score

10^/10

remcos miss chy discovery execution persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Adds Run key to start application
  persistence
- Network Share Discovery
  Attempt to gather information on host network.
  discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Network Share Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosmiss chydiscoveryexecutionpersistencerat

behavioral2

remcosmiss chydiscoveryexecutionpersistencerat