remcos | 23af27b9003be7ccc30770282b14f25ee2acf332cbf721cdc0cd53e49a271b47 | Triage

Sharing

General

Target

23af27b9003be7ccc30770282b14f25ee2acf332cbf721cdc0cd53e49a271b47.hta
Size

130KB
Sample

241024-blgn6szemk
MD5

3df306ba89fd6f22237a3622e57292bf
SHA1

7db9dc242d1688a289b9351b495b4005f8f8fa44
SHA256

23af27b9003be7ccc30770282b14f25ee2acf332cbf721cdc0cd53e49a271b47
SHA512

2cf927232740f533d647c4fcaabfe5e9a04a25d209f0318cdbfbdc3b86bacc2fcad8c6886671c2fbc9bc6b70b68000572bcdb187fc1e2f146ee4f2e94c32dfc7
SSDEEP

48:7oagpd7Ah23j0u+leM6DXZFleM6NnRWeehHkCibpy2bFn72lHtqelgbpFadZ9lem:Eam7X+IdDX3IdmEFjbFHbC9IdUec7T

Score

10^/10

remcos remotehost defense_evasion discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Extracted

Family

remcos

Botnet

RemoteHost

C2

newaddressrmc.duckdns.org:14645

107.175.130.20:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-JSXALL
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  23af27b9003be7ccc30770282b14f25ee2acf332cbf721cdc0cd53e49a271b47.hta
- Size
  
  130KB
- MD5
  
  3df306ba89fd6f22237a3622e57292bf
- SHA1
  
  7db9dc242d1688a289b9351b495b4005f8f8fa44
- SHA256
  
  23af27b9003be7ccc30770282b14f25ee2acf332cbf721cdc0cd53e49a271b47
- SHA512
  
  2cf927232740f533d647c4fcaabfe5e9a04a25d209f0318cdbfbdc3b86bacc2fcad8c6886671c2fbc9bc6b70b68000572bcdb187fc1e2f146ee4f2e94c32dfc7
- SSDEEP
  
  48:7oagpd7Ah23j0u+leM6DXZFleM6NnRWeehHkCibpy2bFn72lHtqelgbpFadZ9lem:Eam7X+IdDX3IdmEFjbFHbC9IdUec7T
Score

10^/10

defense_evasion discovery execution remcos remotehost rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Evasion via Device Credential Deployment
  defense_evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasiondiscoveryexecution

behavioral2

remcosremotehostdefense_evasiondiscoveryexecutionrat