remcos | 1d1c6bda17ebae5d6af1cc83de37f18ea006748098dc9da1681141409846103c | Triage

Sharing

General

Target

1d1c6bda17ebae5d6af1cc83de37f18ea006748098dc9da1681141409846103c.zip
Size

3.7MB
Sample

241113-ck71eaxqfk
MD5

5b3f8cbcb4245335cd692ac825995b93
SHA1

afa1a06111a094a1f8056088c84de65173a22972
SHA256

1d1c6bda17ebae5d6af1cc83de37f18ea006748098dc9da1681141409846103c
SHA512

9f083865835cc0c17a2eee3fdb509dc6eef61e8d9c2d82a616c87180916e3e4af5bd3f4916354d14f0e0fe9f405e4eb68013dc1faee6da6ac9dd7380d041e106
SSDEEP

98304:nYqONRRr3eQGQQjWoBuDaPB482iUxJPLCcN1h:Yq+Rr32zBU+BkJPLB1h

Score

10^/10

remcos new discovery rat

Malware Config

Extracted

Family

remcos

Botnet

New

C2

95.217.148.142:9004

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
SSS1ooosSAweewwe-X6B4E4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  setfsb/Creator.xls
- Size
  
  53KB
- MD5
  
  5d3c5f9fe4ca09cebc0386abf47031c0
- SHA1
  
  03bb80a37dee81c216f0925c7d6746538c1c0f49
- SHA256
  
  f10cc8c2807378b4e60b330011e50cb58a2cebc2763e51ebf0c3de8a8d96a1a4
- SHA512
  
  7b4e513f6803cbb532a6e106e9c9c29fbb2e0d836c2fb0472b3e8281501e776801569bbdd5a6668d9ba3c9070fb78ec059ba8fa79bbce54784c32c5fcf3f8082
- SSDEEP
  
  1536:PJTv0zKq8cMeXJFLUqOFN3bYmlL/rhclIN:lOKqYyFLU/FxbYmlL/rSlIN
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  setfsb/WinRing0.dll
- Size
  
  60KB
- MD5
  
  1f22425d5d2e3791699534b7b1a93fac
- SHA1
  
  fec060e4a75c963034cdbbeefa6e669465db2de3
- SHA256
  
  b906c9e82ccefeb2d620d232cb8d18ab98de383bb152cf75325ce3330de9bdd2
- SHA512
  
  25400b5cbfe38a438135f11e927805dcf57d015187cc2a2caf3e68a405c6418a685e347d136dc3299e856458b471a2a00eb722b6e45a9259a20323dc38fcb335
- SSDEEP
  
  768:HllLKd6z4NvfBF39wmbl6pQD4PLpt0j5nyq1yTtIJnp:nMfRFhYVt0j5n+tIJn
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  setfsb/WinRing0.sys
- Size
  
  14KB
- MD5
  
  f6a558724f631ba04cdabfeaf99f4b2e
- SHA1
  
  da86eb2b9224b9987770c167f9b81111da533c48
- SHA256
  
  ecf25b107475e1ceee90a208c677e29ccca26dc528fdffd0f728a71e6ec04c34
- SHA512
  
  125714286ae77f50fc74152a34ed4b0e387371520c6e55e8b17c489c71ff52bcb13b20b0186cff1a6c168a66c81af9e35585e42a91539c0ce805d194f8314ebc
- SSDEEP
  
  384:6aK/+pGKC8tSXM9H/SqPTWGYOf2OJ06dUb+:hLHrtfSJi
Score

1^/10
behavioral5 behavioral6
- Target
  
  setfsb/WinRing0x64.sys
- Size
  
  14KB
- MD5
  
  12cecc3c14160f32b21279c1a36b8338
- SHA1
  
  7fb52290883a6b69a96d480f2867643396727e83
- SHA256
  
  47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84
- SHA512
  
  a1a46f83fad9ea7f0f163e3636cf34345334e8bc84721b78e3cb9bd7fd83eab9d257f285337b95aeba1dbaab6b230219e2f1e4ca531a5220df6c0d5c2399297b
- SSDEEP
  
  192:FWfBBN1v4FSqzT9oGYJh1wAoxhSF6OOoe068jSJUbueq16lGPtP:IbN1v4FSqzTWGYOf2OJ06dUb+8l
Score

1^/10
behavioral7 behavioral8
- Target
  
  setfsb/setfsb.exe
- Size
  
  3.0MB
- MD5
  
  3cd8c8422b497b7767c17be00a3617c9
- SHA1
  
  295b9ec152b097b10c9bdcf152c4694d73d6921c
- SHA256
  
  8b950c17cd699378034ef7fbf61cf7ecedebbb831ef7bfc3b8e2f139bfa35e06
- SHA512
  
  438bcb6738356a6ac7ff61a6a1c0980e291b9b08ca81417398cc69e40d71ec7c1dba0861ec72e0c74ff2a2bd33ccbcf58d59756c3dd67fb9ef43fd8d9ef598fe
- SSDEEP
  
  49152:ZEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVd3338K:t92bz2Eb6pd7B6bAGx7n333l
Score

10^/10

remcos new discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral10 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

remcosnewdiscoveryrat

behavioral10

remcosnewdiscoveryrat