remcos

Sharing

Copy URL

Twitter E-mail

General

Target

f5277278370d2ba066b6c402183d0c4204a6367a6f92ef261e18b1c40484b92c
Size

26.9MB
Sample

241105-yerbcsxhnm
MD5

855e25a274f844b9fe79906e4545f730
SHA1

1ede14afd3308583422e1cf517452033b0989c27
SHA256

f5277278370d2ba066b6c402183d0c4204a6367a6f92ef261e18b1c40484b92c
SHA512

38347cef497b8eb347392f21d4cbf76cf06d68dc45e997777b02e1c3ba52abf053c5646498bfbe11f9c6a3ba8009c3adbfce1a524369f77f186cf771e57732a9
SSDEEP

786432:qP/oDC7GLcjzhjzAROLJAggC6fr5DuHL1SdBgL7mO:qbGSzJzAYLJ9g6LPZ

Score

10^/10

Malware Config

Extracted

Family

remcos

Version

3.3.0 Pro

Botnet

hopa

178.20.44.131:2405

my.bingoroll20.net:2405

my.bingoroll19.net:2405

my.bingoroll18.net:2405

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
winmap.exe
copy_folder
winmap
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
pidron-PXIKI2
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
winmap
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Extracted

Family

remcos

Version

3.3.0 Pro

Botnet

RemoteHost

178.20.44.131:2406

new.bingoroll20.net:2406

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
winerar.exe
copy_folder
Winerar
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
pidronic-2CGLP3
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Targets

- Target
  
  027f61e8861f743bf8e8cb0ca2ea5de056790cffed76d375e5e84f6575bc7ff6
- Size
  
  2.8MB
- MD5
  
  45f06e05ee29b52bbaad37c5cdeadc18
- SHA1
  
  4a146193a9705565694f4d9a0894d49672c8e74c
- SHA256
  
  027f61e8861f743bf8e8cb0ca2ea5de056790cffed76d375e5e84f6575bc7ff6
- SHA512
  
  fe7fc8522f36942e7a6a4e3b8897a41e6de58432353325f7eb7ec0767ed7d1bd1624f3cd176c2b07a62ff87c0f20fe623b95fcda330344d6ea56b372863e6d8a
- SSDEEP
  
  49152:nQ+gwLSXSrhe6GCiYcRHXePEdjK1Q1CjAS1LC8FkruizcmhkT6ZFQzKF3AS:Qll4mKbjAS1vkqFwkT6ZFTF3A
Score

10^/10

remcos hopa discovery evasion persistence rat trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Adds policy Run key to start application
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  1bd73cc068f858e99861b797860bc4aeeb5b339ad92dcbc17d934d090f06d520
- Size
  
  459KB
- MD5
  
  5baa9bb599abb45d2ae3eb2be49c229a
- SHA1
  
  74e470299380176e56fc343235215bede4d820fa
- SHA256
  
  1bd73cc068f858e99861b797860bc4aeeb5b339ad92dcbc17d934d090f06d520
- SHA512
  
  66cf73331ed2c974c7fc2858e40cad2e8ca5289036495ce83fbf1fde6509bb424e66623145db56c8392ed8630082a17bedce09e7fa05fdd91f6edf030a6c009b
- SSDEEP
  
  6144:6a4YiP1U/VOKRUz7mxE3oEhxv2gYnCLrbLM9iHul+jZ5mv9Qoj8lAOZZlvXI2FEW:6a4RU/U3AVE2gNrY9iH8+1YMfZlAOeG
Score

10^/10

remcos hopa discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  499a3eb429ceb358c7a3433fb11bee99f32f0c443444eb0001e405da42c75c30
- Size
  
  7.0MB
- MD5
  
  7a19350f3a8334d05f76a744d4826961
- SHA1
  
  80477356a2774fe24215212ba4f465427ee52bec
- SHA256
  
  499a3eb429ceb358c7a3433fb11bee99f32f0c443444eb0001e405da42c75c30
- SHA512
  
  8f469d8e3211b0c8748ae9e8d8418ba0a1f905e6b22f7557c1bfb0a08d8502da8cad71cf4f01f264ece1ab51072f557c115ab2c0d2e74104d8903894f1e89a3c
- SSDEEP
  
  49152:VccB2kUSY+5zvCHT6xX379ZO3LEHe3Rh4mkR1I2j0iU50AX79UA7DPrFB2Sd:a7kDeEGh4mkHj5l079UA7vFB26
Score

10^/10

remcos hopa discovery evasion persistence rat trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Adds policy Run key to start application
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5
- Size
  
  1.7MB
- MD5
  
  e11163415bb29e335c39e3e0cdd31236
- SHA1
  
  20a78eb7af384a9a8c3ed5e75719be5f15b13bb0
- SHA256
  
  50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5
- SHA512
  
  bbb6ad1793ff1e9978d7cfb961e37df849fd717888b3fdeb3ddea11122f53aa7a15440d3ba32b3f1fe437c99917dbd7fd9a8fcde78fbec846e1cd2e4127ff46c
- SSDEEP
  
  49152:TBElfECiDlVyH97018dX6GUuKgDm47Sf0i18UjnFqT2OlapPme6dxBsPAp6yBjmi:cvtYxjAsw
Score

10^/10

remcos hopa discovery execution persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Adds policy Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  8e2e5cfb4dc796e89cc792fbae884061b87c18494afa7dec02c92e5d46bd990b
- Size
  
  459KB
- MD5
  
  033b66b0c1a4f974258641e792de5dfc
- SHA1
  
  20f08d93900e5444d3d224a67680090445847a57
- SHA256
  
  8e2e5cfb4dc796e89cc792fbae884061b87c18494afa7dec02c92e5d46bd990b
- SHA512
  
  f5914c06f3c3ebdd1455fd09cebdc9b09a78b39f4bfbbe333e219b973abd6ac52076638ef701354dec7a3da75dceedf174759c1d63cb9aa21734d833d90cdc2d
- SSDEEP
  
  6144:aa4YiP1U/VOKRUz7mxE3oEhxv2gYnCLrbLM9iHul+jZ5mv9Qoj8lAOZZlvXI2FEF:aa4RU/U3AVE2gNrY9iH8+1YMfZlAjeG
Score

10^/10

remcos remotehost discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral10 behavioral9
- Target
  
  91d6dddfa68f96245158774050287c2ffbf2510e198d27a770075f8e7663113a
- Size
  
  2.9MB
- MD5
  
  ce7e522f9753644aee237e9b5fa09801
- SHA1
  
  cf2816e57625fce419adb103df8a067ec614f815
- SHA256
  
  91d6dddfa68f96245158774050287c2ffbf2510e198d27a770075f8e7663113a
- SHA512
  
  e0094aed3d54fa465ae47043ab07dba82581b7335f5a87737513bbb0ff452421a22a2a3bd61d5ab65ed71eba8b9ea534cba81ec3fa854d5b384cd78ab08e04f1
- SSDEEP
  
  49152:SjvWwB+2bYER5CxQMk2R47S8p0a4vFL3GrszVZL9XoipAq6HJ:Siw8wYER5CxN4v+2AzV7ZpXcJ
Score

7^/10

discovery persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral11 behavioral12
- Target
  
  $PLUGINSDIR/ExecCmd.dll
- Size
  
  4KB
- MD5
  
  b9380b0bea8854fd9f93cc1fda0dfeac
- SHA1
  
  edb8d58074e098f7b5f0d158abedc7fc53638618
- SHA256
  
  1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244
- SHA512
  
  45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c
- SSDEEP
  
  48:ifXNtGNjFizsU35iej7luiwa28mDJmDKUOMQH0glay/Aa4r/:5Fef5iej5txKJKenlV4r/
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  34442e1e0c2870341df55e1b7b3cccdc
- SHA1
  
  99b2fa21aead4b6ccd8ff2f6d3d3453a51d9c70c
- SHA256
  
  269d232712c86983336badb40b9e55e80052d8389ed095ebf9214964d43b6bb1
- SHA512
  
  4a8c57fb12997438b488b862f3fc9dc0f236e07bb47b2bce6053dcb03ac7ad171842f02ac749f02dda4719c681d186330524cd2953d33cb50854844e74b33d51
- SSDEEP
  
  192:jPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4I:u7VpNo8gmOyRsVc4
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  $PLUGINSDIR/nsDialogs.dll
- Size
  
  9KB
- MD5
  
  602d953c391a05d2be162a661962c598
- SHA1
  
  794b83002517dca3a017337946d39df55646e3e0
- SHA256
  
  e664756ea6bfb01787ee6dfe299f1e1cc52b0453759771124c9359cb3cf79cb4
- SHA512
  
  f376662cb07cb5b5ca0e2261a810f2ddabe82843464857ecedf1413949492adbabaf5df73b77f9ab8dc8f59e960298ab6576c6f50622252368e4be4b587c7c2c
- SSDEEP
  
  96:orDlD3cd51V1zL7xqEscxM2DjDf3GEst+Nt+jvcx4b8qndYv0PLE:orp34z/x3sREskpxUdO0PLE
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  $PLUGINSDIR/nsis7z.dll
- Size
  
  436KB
- MD5
  
  d7778720208a94e2049972fb7a1e0637
- SHA1
  
  080d607b10f93c839ec3f07faec3548bb78ac4dc
- SHA256
  
  98f425f30e42e85f57e039356e30d929e878fdb551e67abfb9f71c31eeb5d44e
- SHA512
  
  98493ea271738ed6ba3a02de774deef267bfa3c16f3736f1a1a3856b9fecc07f0ea8670827e7eb4ed05c907e96425a0c762e7010cb55a09302ca3cfb3fe44b2b
- SSDEEP
  
  6144:VQ+kwWa/1NfQWLv6rGnrpJJ7OELbg8reLy2dbJUa4xk+N9/2itUirbeaY:VvW0tLBp1cIeOwJL4xT/F5bY
Score

3^/10

discovery
behavioral19 behavioral20
- Target
  
  cac980acc37ac70069524ddfb9f266bf1989c76a251463b7e14f0e33dfec02ac
- Size
  
  2.9MB
- MD5
  
  4e933e5c41b9f9b329fd7a7f98cdf162
- SHA1
  
  8c4b478b30744b2d35f4944c6cf2f64c6f77c077
- SHA256
  
  cac980acc37ac70069524ddfb9f266bf1989c76a251463b7e14f0e33dfec02ac
- SHA512
  
  a0eefdd7cc45fd3c4966988bf9acfb005b1c221424c7c69b0636507b3fed871fe06c257c90173c03b90368a6505e408871eafacb94951bc109eb78f3e4a53eed
- SSDEEP
  
  49152:DjvWwel6be7FSr8fu3nHeN76kOITgbIUOlNvph+vbNnYLX1HwkG54zF:DiwY6be7gPnc6kxTxUGNvpiN2X1HwkGK
Score

7^/10

discovery persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral21 behavioral22
- Target
  
  $PLUGINSDIR/ExecCmd.dll
- Size
  
  4KB
- MD5
  
  b9380b0bea8854fd9f93cc1fda0dfeac
- SHA1
  
  edb8d58074e098f7b5f0d158abedc7fc53638618
- SHA256
  
  1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244
- SHA512
  
  45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c
- SSDEEP
  
  48:ifXNtGNjFizsU35iej7luiwa28mDJmDKUOMQH0glay/Aa4r/:5Fef5iej5txKJKenlV4r/
Score

3^/10

discovery
behavioral23 behavioral24
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  34442e1e0c2870341df55e1b7b3cccdc
- SHA1
  
  99b2fa21aead4b6ccd8ff2f6d3d3453a51d9c70c
- SHA256
  
  269d232712c86983336badb40b9e55e80052d8389ed095ebf9214964d43b6bb1
- SHA512
  
  4a8c57fb12997438b488b862f3fc9dc0f236e07bb47b2bce6053dcb03ac7ad171842f02ac749f02dda4719c681d186330524cd2953d33cb50854844e74b33d51
- SSDEEP
  
  192:jPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4I:u7VpNo8gmOyRsVc4
Score

3^/10

discovery
behavioral25 behavioral26
- Target
  
  $PLUGINSDIR/WndSubclass.dll
- Size
  
  3KB
- MD5
  
  2a0c44144e261987ec40adf991535ae0
- SHA1
  
  7a5bc7c897d3e89a2b231740ae61b9574fb1d3e1
- SHA256
  
  cfcf2f3dd8f1e58c0b3d8279eb9ec2a1dafb297b2f8cce90f4951f3d4a311af6
- SHA512
  
  f7b70e998974c42a160194b59c4d962d8ca99eb1cee07913a12b69efd836d21c614572114302e9b1cafdfb8391b9d03a1f38745139a47aa3d881ff5cb3a6f0db
Score

3^/10

discovery
behavioral27 behavioral28
- Target
  
  $PLUGINSDIR/nsis7z.dll
- Size
  
  436KB
- MD5
  
  d7778720208a94e2049972fb7a1e0637
- SHA1
  
  080d607b10f93c839ec3f07faec3548bb78ac4dc
- SHA256
  
  98f425f30e42e85f57e039356e30d929e878fdb551e67abfb9f71c31eeb5d44e
- SHA512
  
  98493ea271738ed6ba3a02de774deef267bfa3c16f3736f1a1a3856b9fecc07f0ea8670827e7eb4ed05c907e96425a0c762e7010cb55a09302ca3cfb3fe44b2b
- SSDEEP
  
  6144:VQ+kwWa/1NfQWLv6rGnrpJJ7OELbg8reLy2dbJUa4xk+N9/2itUirbeaY:VvW0tLBp1cIeOwJL4xT/F5bY
Score

3^/10

discovery
behavioral29 behavioral30
- Target
  
  d33cc2d538e6f8b0720a7fadf6b24b38ac9b3a1df516fa09feb24054d9cdd14c
- Size
  
  2.7MB
- MD5
  
  66f9efe6e6fa8b50e72b40ce1ab5ba7c
- SHA1
  
  f8be7ab0c0eb3b935479b7bdd706251044e03341
- SHA256
  
  d33cc2d538e6f8b0720a7fadf6b24b38ac9b3a1df516fa09feb24054d9cdd14c
- SHA512
  
  cbb8f2c8805f2559c040a9279b784fe0013e453a2bf8c0057ec7487fe41ae052fb81a44d5fe92ff186c24421f3aff54abc2d9506b92e35bd62089c4db7805e46
- SSDEEP
  
  49152:ajvWw6sB4o5Av4lM8NuSk3anyLeiiUCA7C4L8LyQZLU0k/4kOJ:aiwF35AvSM8N+3any63UCA7CU8rZI0ka
Score

7^/10

discovery persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Remcos family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Adds policy Run key to start application

Checks BIOS information in registry

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Remcos

Remcos family

Adds policy Run key to start application

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Remcos

Remcos family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Adds policy Run key to start application

Checks BIOS information in registry

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Remcos

Remcos family

Adds policy Run key to start application

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Remcos

Remcos family

Adds policy Run key to start application

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3