remcos | e25e7e373276c2ee56849be99f4a14a420fc85ad8d35ee13c2a3574524090af3 | Triage

Sharing

General

Target

8b1fcad83099e1daf3accdb39f68a0bd696b053aadc8472e9008fd027a390404.exe
Size

769KB
Sample

241110-w39rhavrbj
MD5

936079e96cd90d0029f53f772370a11d
SHA1

daeb253c32cdc076b4e42b8e51eda74ee9865639
SHA256

e25e7e373276c2ee56849be99f4a14a420fc85ad8d35ee13c2a3574524090af3
SHA512

4df164c42b1a09a6375438d13d04f5ee7a3fa0fc0aa43eb92dc602e1597fb28a31a3a62d99cce4d252fb2e88aa98cd29413073f1613630d8d86870d95f027361
SSDEEP

24576:SMwhYwlRZjfxAyExC8Zx0PARxFWfcFqal/F4X5ZiN:SMwhNlR5xAFZq+WfQiX5u

Score

10^/10

remcos .9.24 discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

.9.24

C2

moniepont.dynamic-dns.net:3791

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-BPYLMJ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  8b1fcad83099e1daf3accdb39f68a0bd696b053aadc8472e9008fd027a390404.exe
- Size
  
  769KB
- MD5
  
  936079e96cd90d0029f53f772370a11d
- SHA1
  
  daeb253c32cdc076b4e42b8e51eda74ee9865639
- SHA256
  
  e25e7e373276c2ee56849be99f4a14a420fc85ad8d35ee13c2a3574524090af3
- SHA512
  
  4df164c42b1a09a6375438d13d04f5ee7a3fa0fc0aa43eb92dc602e1597fb28a31a3a62d99cce4d252fb2e88aa98cd29413073f1613630d8d86870d95f027361
- SSDEEP
  
  24576:SMwhYwlRZjfxAyExC8Zx0PARxFWfcFqal/F4X5ZiN:SMwhNlR5xAFZq+WfQiX5u
Score

10^/10

discovery execution remcos .9.24 rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

remcos.9.24discoveryexecutionrat