remcos | b4b6159351045ef04f9ba6321722c1c1fd920eac7a3799665d2663775edfa84d | Triage

Sharing

General

Target

a59df37a0613dbed779ef63b1a36ecbf.exe
Size

1.0MB
Sample

241101-z413jaxkcp
MD5

a59df37a0613dbed779ef63b1a36ecbf
SHA1

4bb55b03b492e3b13ff0ae030af26701734b5cc1
SHA256

b4b6159351045ef04f9ba6321722c1c1fd920eac7a3799665d2663775edfa84d
SHA512

7d742e799de7254403760521821743902a9fb3f65d7961573cc4bdd3189037518daa3986696d15b5cf74ab17bbff7802c22e777dacb024cdfd2c27cb8a6fab46
SSDEEP

24576:crhVXoT8dOIzKDjU2x9TlneDSm+dndQiI3lzcRRN9wV:krMqm/UATReWm+ddQiI1YR

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

85.209.133.15:3310

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-QFR1O5
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  a59df37a0613dbed779ef63b1a36ecbf.exe
- Size
  
  1.0MB
- MD5
  
  a59df37a0613dbed779ef63b1a36ecbf
- SHA1
  
  4bb55b03b492e3b13ff0ae030af26701734b5cc1
- SHA256
  
  b4b6159351045ef04f9ba6321722c1c1fd920eac7a3799665d2663775edfa84d
- SHA512
  
  7d742e799de7254403760521821743902a9fb3f65d7961573cc4bdd3189037518daa3986696d15b5cf74ab17bbff7802c22e777dacb024cdfd2c27cb8a6fab46
- SSDEEP
  
  24576:crhVXoT8dOIzKDjU2x9TlneDSm+dndQiI3lzcRRN9wV:krMqm/UATReWm+ddQiI1YR
Score

10^/10

remcos remotehost discovery execution rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostdiscoveryexecutionrat

behavioral2

remcosremotehostdiscoveryexecutionrat