remcos | d83290b80bf412884168a6d24a06fad12edb578cc612ea555476b422a4499613 | Triage

Sharing

General

Target

8017e41b2c71f66ee834d21728a4160b_JaffaCakes118
Size

1002KB
Sample

241030-v3pkwsxkct
MD5

8017e41b2c71f66ee834d21728a4160b
SHA1

cb8019c2aa21d17daf49f1a9a23e13281b8f4ac8
SHA256

d83290b80bf412884168a6d24a06fad12edb578cc612ea555476b422a4499613
SHA512

08ed4d7ef49248bca16a6ceff5ee2ae5acdb0f3b91b8fd6ffbf8bdcf2f90c5000e6fced84eb82dd9e94d5b358d27552526ce6a0d3896168251f4c7b88789ca03
SSDEEP

24576:J7oP3LsrNZqTcIPBz8xAOZmuaWdEIwjS/1aOaxys:loTYqAIPBz8xASvaWt4Q1c

Score

10^/10

remcos remotehost discovery rat

Malware Config

Extracted

Family

remcos

Version

3.2.0 Pro

Botnet

RemoteHost

C2

www.ommi-it.com:8760

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
chase-0PUA4L
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Targets

- Target
  
  8017e41b2c71f66ee834d21728a4160b_JaffaCakes118
- Size
  
  1002KB
- MD5
  
  8017e41b2c71f66ee834d21728a4160b
- SHA1
  
  cb8019c2aa21d17daf49f1a9a23e13281b8f4ac8
- SHA256
  
  d83290b80bf412884168a6d24a06fad12edb578cc612ea555476b422a4499613
- SHA512
  
  08ed4d7ef49248bca16a6ceff5ee2ae5acdb0f3b91b8fd6ffbf8bdcf2f90c5000e6fced84eb82dd9e94d5b358d27552526ce6a0d3896168251f4c7b88789ca03
- SSDEEP
  
  24576:J7oP3LsrNZqTcIPBz8xAOZmuaWdEIwjS/1aOaxys:loTYqAIPBz8xASvaWt4Q1c
Score

10^/10

remcos remotehost discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostdiscoveryrat

behavioral2