remcos | e791665f9df5d4bef5c9b73cecbdf0ee973e41fba533b8dd76d4c60e5b19d2d1 | Triage

Sharing

General

Target

9d246f5e01f060fe08c2f15d4e8a58e0.exe
Size

1.0MB
Sample

241106-rtkzka1lex
MD5

9d246f5e01f060fe08c2f15d4e8a58e0
SHA1

0638b06d7bb8677324a41f35515168f3e3d08f2e
SHA256

e791665f9df5d4bef5c9b73cecbdf0ee973e41fba533b8dd76d4c60e5b19d2d1
SHA512

1e7a2c9cfa792e8cd8bfcd49600c28f3892b44d96a92c502808d87d1542c9558e1e0d8594f542fff03b25d341cf00c9a27e7364d8ffec45344fa6a7e4f4e031c
SSDEEP

24576:RICXwSqZVrMrldw2KP7G3dhzEH4RiIaot1mw:OHSmrSPw2BdWH4RiRot19

Score

10^/10

remcos remotehost discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

66.63.162.79:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-1CY96M
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  9d246f5e01f060fe08c2f15d4e8a58e0.exe
- Size
  
  1.0MB
- MD5
  
  9d246f5e01f060fe08c2f15d4e8a58e0
- SHA1
  
  0638b06d7bb8677324a41f35515168f3e3d08f2e
- SHA256
  
  e791665f9df5d4bef5c9b73cecbdf0ee973e41fba533b8dd76d4c60e5b19d2d1
- SHA512
  
  1e7a2c9cfa792e8cd8bfcd49600c28f3892b44d96a92c502808d87d1542c9558e1e0d8594f542fff03b25d341cf00c9a27e7364d8ffec45344fa6a7e4f4e031c
- SSDEEP
  
  24576:RICXwSqZVrMrldw2KP7G3dhzEH4RiIaot1mw:OHSmrSPw2BdWH4RiRot19
Score

10^/10

discovery execution remcos remotehost persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

remcosremotehostdiscoveryexecutionpersistencerat