remcos

General

Target

0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d.exe
Size

466KB
Sample

241109-cj8kjsvemp
MD5

23350a33531966fa6a0cf02f9c27f053
SHA1

1f53024c59b6b65fcf032bd5bb69cedbdcc67dfa
SHA256

0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d
SHA512

b6f8bbbbc5bf9b4d982bdab369513b5667835aa6660678917c259b599d563c7ad2d8f5233e4c62d962523393d8faa51087e3696fa72cabbde81ec1a39d3adfac
SSDEEP

12288:JuD09AUkNIGBYYv4eK13x13nZHSRVMf139F5wIB7+IwtHwBtVxbesvZDS57G+DY:809AfNIEYsunZvZ19ZiGs

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

R2411

C2

cc.shinrarigs.com:2404

45.32.129.178:2404

Attributes

audio_folder
MicRecords (em inglês)
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
BraveSharedUpdater.exe
copy_folder
BraveShared
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
BravePrivate
mouse_option
false
mutex
Brv-Q0EV0O
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Capturas de tela
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d.exe
- Size
  
  466KB
- MD5
  
  23350a33531966fa6a0cf02f9c27f053
- SHA1
  
  1f53024c59b6b65fcf032bd5bb69cedbdcc67dfa
- SHA256
  
  0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d
- SHA512
  
  b6f8bbbbc5bf9b4d982bdab369513b5667835aa6660678917c259b599d563c7ad2d8f5233e4c62d962523393d8faa51087e3696fa72cabbde81ec1a39d3adfac
- SSDEEP
  
  12288:JuD09AUkNIGBYYv4eK13x13nZHSRVMf139F5wIB7+IwtHwBtVxbesvZDS57G+DY:809AfNIEYsunZvZ19ZiGs
Score

10^/10

remcos r2411 defense_evasion discovery evasion execution impact persistence ransomware rat trojan
- Modifies Windows Defender notification settings
  evasion trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- UAC bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Disables Task Manager via registry modification
  evasion
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2