remcos

Sharing

Copy URL

Twitter E-mail

General

Target

03e7cb9e6bdcc56672d4f02c05669f5b8c64d3b90dc8a25bb3fb4e3de38f2aca.zip
Size

7.2MB
Sample

241113-cggdaatmht
MD5

cb30d40bd9b9ae3e5be41936dbc12f95
SHA1

629dee5a20174febe30615c580ef9cb866602be9
SHA256

03e7cb9e6bdcc56672d4f02c05669f5b8c64d3b90dc8a25bb3fb4e3de38f2aca
SHA512

e4dab3852f2912d157d8662b9b15bc1bd16e8df4b33acac2624ed50b0639bfd6d4a30ecd5ae6cef56bc74fd4edeb2884511cdc71ce55f2191679ddc04f551c3a
SSDEEP

196608:8ewTGsyWN7e5ianPqlwbH5OTeXZkJPLB14F0:8NN7IC450eJkJPdw0

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

New

95.217.148.142:9004

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
SSS1ooosSAweewwe-X6B4E4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  clocktuner-ryzen-2-1/Bunifu.Core.dll
- Size
  
  2.5MB
- MD5
  
  dcacfb0ab40b494d73b03f91ed14eb01
- SHA1
  
  3a3824efd331dd171330cc77f38f19a90fbc3b20
- SHA256
  
  9677dd2e6c1379fb49465a6516031d0f6f85384c31a2219627b91e72043cea19
- SHA512
  
  873d151cd87e10d8563ab6e216641a636e60f7a296a5f4d8c113558fe7e613d10fc68f002d8eef6d62110d9ca38de8a94a9e5ce7acb3ded52ee832a39d361653
- SSDEEP
  
  49152:uoPhUtlmFWxD7fV1Pcumf30i+3y7mGxCiRWn5XPi:ucCc3J+3y7mGgiy5/i
Score

1^/10
behavioral1 behavioral2
- Target
  
  clocktuner-ryzen-2-1/Bunifu.UI.WinForms.BunifuButton.dll
- Size
  
  118KB
- MD5
  
  e5084eefa8fcd0e266c606e9407e45fb
- SHA1
  
  ff091d68e16d44a31d7cdb12c80921d1ed24ff06
- SHA256
  
  ca81fd4385f0673b2564f1585ef41678986ff16ca84e07a97dc66924aecd2e2d
- SHA512
  
  e1ab7f812971baf769850e13a5e699fafd291583785891fd47f1c6a878feaeef1f359362544accc9c2c563b747e751c740fd36f1796dcfa5c33b7ba7e068728a
- SSDEEP
  
  1536:7CSEkSu8fMUGjnWFsGHsuyqyKVJb13oeLoREl6MBrW5Fff684sz3VHGcskZC2XBF:7u3lyBVQfvNFUSeQkGdDf7tJ0vQmJv/
Score

1^/10
behavioral3 behavioral4
- Target
  
  clocktuner-ryzen-2-1/Bunifu.UI.WinForms.BunifuDropdown.dll
- Size
  
  51KB
- MD5
  
  93372bcab68ecf5116b8f48456d27421
- SHA1
  
  5594bf17f70f255f3d4ed219772270c34d8cbc9c
- SHA256
  
  afc3abab66b50a98988b46c8226174debc963762fc6eb1506006c66733024431
- SHA512
  
  2f4da9d8223093116bd5c8e4132d6138af47a712623ff2d52c68296424e6a8aecd107cd636827765d32fe2ec9becdcdbff9f9a0db752241c0f7c81948948fbbb
- SSDEEP
  
  768:AqZAZxZAZiZqbu0fR64nhEBiGKFKyP1/xkWzV85LwLGZl/3NPKgO:Nu0fRTnhE8GKTt/BVSLWWh3tM
Score

1^/10
behavioral5 behavioral6
- Target
  
  clocktuner-ryzen-2-1/Bunifu.UI.WinForms.BunifuFormDock.dll
- Size
  
  166KB
- MD5
  
  0941cd33a56543e098074253ebb3506f
- SHA1
  
  ca5cc60a03611c824490108f3daf2a74e4dfe88c
- SHA256
  
  dc5f1c6c29adc2605f5972e76b65e008c1cb8e8507e6403afee6e86f9ea047eb
- SHA512
  
  e9b42a4c0e5e99735594f3db45b6817113937485424a98e850733ce751b1888fb142765f15ca498240910cbd3edf30122d561814c3a9b6344be6d7c6efc8046f
- SSDEEP
  
  3072:4xfaVIsa2msK6CACcjy2uGHJOhPMaImuZV150BiNsvIEu:SfaVjUSy2mPMbvvWWsvIB
Score

1^/10
behavioral7 behavioral8
- Target
  
  clocktuner-ryzen-2-1/Bunifu.UI.WinForms.BunifuPages.dll
- Size
  
  112KB
- MD5
  
  93dfb2323d6db403e61ccede5d8aafd4
- SHA1
  
  44fe2db781a284282bddb671a658cd895d0ce03d
- SHA256
  
  9d78aed10bd895f4c10c70813591ee78a66a02f196a9da626e19c2802604065f
- SHA512
  
  fdbd81f757fad2afb102bcd03149fe5344579c34e3efa66bf419ee5bb0f2a582f8241ba6a3b447fdb40f6b94d4c14dcc87d65503b3a793f00c19ada95b9656a2
- SSDEEP
  
  1536:GZo9k6eLXko+SXalVDNrPGXWbPqajjB7IWOD9cHg5mzNDKneTr:yuXdPSq3rOGbPqSjtIVcHg5wNP
Score

1^/10
behavioral10 behavioral9
- Target
  
  clocktuner-ryzen-2-1/Bunifu.UI.WinForms.BunifuTextbox.dll
- Size
  
  125KB
- MD5
  
  5243edcb89897430bea7290fa72c2833
- SHA1
  
  1850352e74c59cf1bd25508f4fa541f3eafa15f2
- SHA256
  
  e8e6d70a2873329baa3743bfd670c4d0f1280d0747d4775edb234a9f63495fac
- SHA512
  
  18723f16e91e6349743e253aa6cfba5a2b82e8e2121e9332a50d9cf128aaa8c5069669ed8d1d3f00964548886ece6a3a96c35b114d0914ab43b7291203054d56
- SSDEEP
  
  1536:a+nLyAIpw0SxLkTh8NJDAoB99999ccZykNOPodZ8ZD1VRzbgmvBVQ:agBRX5kTG9B99999kXPoQp1VLDQ
Score

1^/10
behavioral11 behavioral12
- Target
  
  clocktuner-ryzen-2-1/Bunifu.UI.WinForms.BunifuToolTip.dll
- Size
  
  728KB
- MD5
  
  244a67faaeb2aaa8e37c0301b56b1b8d
- SHA1
  
  092288dfed9b731d4eafa644ec558f6903a21ba0
- SHA256
  
  edf229afe2929d2cb5c4877a14e824359653bac7d5956a70ce9c7a936c983c88
- SHA512
  
  8978249c0dace46608f37961f9ef9ee8b50ec3247686eceac874d62cc266f7ccf3939a2b5b5093e9ac663af1df0f1c054d5a9ce71d19c912d458f88a010617d9
- SSDEEP
  
  12288:cG4AUvxSIdJR1HjewpCZuneTc+ys+kr5u16X8e1t9:OyYEVrsmt9
Score

1^/10
behavioral13 behavioral14
- Target
  
  clocktuner-ryzen-2-1/Bunifu.UI.WinForms.ToggleSwitch.dll
- Size
  
  42KB
- MD5
  
  0a99c8e867be186f3af9b422d533e447
- SHA1
  
  8e15da8ded1f9b67c3ddea36f161670de409f772
- SHA256
  
  423d34e34c14a61fae851b5c902897bf83753ab7cdd8c8f1fd15f59f3f80a386
- SHA512
  
  6335309f69e2ee0c9a960393079217bd759d065603956bc1f7deb0743c5fd72772914688694005a2245d0f1dfea42af8f0a1783ed0797fcffd87afda8cc28426
- SSDEEP
  
  384:7NCTsFDJI3HZTflsMDKqVX0vwLMLyTIIugghBlJzrAbdsQ8LtsOHeDr7tePZSZRU:7EEu216XGPcCJzr8dsQNCeLteXPKgRb
Score

1^/10
behavioral15 behavioral16
- Target
  
  clocktuner-ryzen-2-1/Bunifu_UI_v1.5.3.dll
- Size
  
  390KB
- MD5
  
  441527aa29607afd38fbc4a322304798
- SHA1
  
  57a409e77ded4682e263c47695e4c38489ccc05d
- SHA256
  
  d7f3b0a3c954ff6c2e62396a76354afb9102eac75f771479b388bacf399a453b
- SHA512
  
  42f4ae65d07ddc76fda8b02a97c3908d4c64ae8b25767094f863b5f9c11b073cdbd4b9f56bc5968ac92daec343568291d7d39b4e478682f5157d5f6549cf8790
- SSDEEP
  
  6144:kjgVgVaGslPVCkyM9oNXebSTgzcH/Wi+RllW84y6EDa:M65X9opebfcHoGu61
Score

1^/10
behavioral17 behavioral18
- Target
  
  clocktuner-ryzen-2-1/CTR 2.1.exe
- Size
  
  3.0MB
- MD5
  
  ab76aea8f4d233ea72eddfccd0aa4393
- SHA1
  
  7348efc9021e679537573a3acef42b6861074987
- SHA256
  
  adaebae945e9ff06350d1be65406f8cc593bbeaab1d71f457183ef25de664aec
- SHA512
  
  194b0cf925c7eae1c81c88f5f39a2680a710218f5ca38ed71e150f4f5716493bcfd2da3a4ae056523f9de3aac12be432cbfe62d8b18baacaaac501ad6726fbf0
- SSDEEP
  
  49152:ZEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVd3338Z:t92bz2Eb6pd7B6bAGx7n333+
Score

10^/10

remcos new discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral19 behavioral20
- Target
  
  clocktuner-ryzen-2-1/Microsoft.Win32.TaskScheduler.dll
- Size
  
  326KB
- MD5
  
  6faa5bc69ea08d067b6b454918af3f69
- SHA1
  
  8e5ea5cf270aef4331291805a3e96a8fdbca0dd2
- SHA256
  
  6928bf7bb271eacf64ed826b46597f73111867009720167c070e214488c4c445
- SHA512
  
  f98c7cc55746f562c4ed0896f51d351bfe1ed309f3f2b3722bd424f50cb76b99264667a8b951eece7e49e29fcb73053963ef47ca4268377d714f5e94937b5299
- SSDEEP
  
  3072:dtMKhElZngsl93KTJEiUfB8aD/uDMwnaE9IaKlay8geCy0J5DfwrxxYDpZjI732W:dtMKylNgY2Oi+v/oEsI+8b
Score

1^/10
behavioral21 behavioral22
- Target
  
  clocktuner-ryzen-2-1/libgmp-10.dll
- Size
  
  1.0MB
- MD5
  
  59dfe3c1a7a1932f2a4eaae5de2b2dd6
- SHA1
  
  875dd54d0d5a5bd37c892f9fc06a85f4ca45d8e5
- SHA256
  
  03e18f1d63a8748d5c4caba2d26bc87f9347c3d033d4674d14c43d4553bda912
- SHA512
  
  c62dfb6c12acadc22a9e92913192fda4ab7547ddae737af4ad9c1898fe8d8d3d86b4f94b2c04de400fc53e00fdda711ac8e01783c5eb8f0595af7a1497c3bb29
- SSDEEP
  
  12288:/ZELbkK8G1wIHwG/JtGXiL4U+KUiJl4pMN1HH4Fx69H2x/VG6VA2LF:h4ING1bKiHEwMMN1HH4Fx692x/Vq2LF
Score

1^/10
behavioral23 behavioral24
- Target
  
  clocktuner-ryzen-2-1/libhwloc-15.dll
- Size
  
  1.6MB
- MD5
  
  747e53c9fdbf420be7d5590a03d1f520
- SHA1
  
  a03bbcf8c29b5736dda09a8f78cc738b98a3e7a4
- SHA256
  
  ff84bb000de408b5a1d9e2584c2404c8772b648e0015b1ed9a6c375bbdf50b80
- SHA512
  
  fa7783be6b7cfe3c38425c7299e1cbf4ca877a53a39c6cbf4ca3dfa7cad014663b73e6a804afa6f6455fb8907cec0ae4dfbd4a8b13e2191aa70cf0ab5ae8f32b
- SSDEEP
  
  49152:PuSPN4HpUoP4233+T1MUfDkUWLrKYQN4iRTSZ2hqTW/rymLl0aYpckP1wlXdui:PuS2SoP4233+T1MUfDkUWLrKYQN4iRTB
Score

1^/10
behavioral25 behavioral26

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Remcos family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26