remcos

Sharing

Copy URL

Twitter E-mail

General

Target

27b9c2bbe7d1d9a042707f2dffed11fec9f2bb9804a5255d02c68b5b975d071a.zip
Size

4.6MB
Sample

241113-cmhtasvcma
MD5

6dc57037be5a7040680508070b30f647
SHA1

c5abc1ee6447c3650eb0968516e19ed2b36d71be
SHA256

27b9c2bbe7d1d9a042707f2dffed11fec9f2bb9804a5255d02c68b5b975d071a
SHA512

6199d5fba099886e6877cb6585ce2d7155db7f0ff1e2c83741f6acd8e2eb9640c15210fdfde452f8869a98f4b854b86850b611f286afd9e14af394615be409c2
SSDEEP

98304:TI5m+6AWDoBoiPqB9S8x41UQKiZpO6+4Zm9UTjBWHmQJ75482iUxJPLCcN1x:TeH6AWcBoiPyS8GtKiZk6+4tTjoHfV5G

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

New

95.217.148.142:9004

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
SSS1ooosSAweewwe-X6B4E4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Ryzen DRAM Calculator 1.7.3/CCXLatency.exe
- Size
  
  291KB
- MD5
  
  d75e46ec2e00693d72d4a96dc8cc4701
- SHA1
  
  23f5f113eea09679eb53cb2c7af9ef88896288c5
- SHA256
  
  65118d781228b85d3c8833851be3c5eba5cbd5a34f804582fd76fac51f482792
- SHA512
  
  81cdf0235a3f7e47f1cf953c02437559aabb1433d39a717d49276401422a2a7f1f97fc598af6b05446ee2fb71d92e9d3ac50f9a29c0d9a5c38cdeff7a1dd2e3b
- SSDEEP
  
  6144:/yHMdsCSlm+iQZIpBLJ59XnUFBIkP35Wohjb/m:/s4rKiQZIvlvnUXP3cos
Score

1^/10
behavioral1 behavioral2
- Target
  
  Ryzen DRAM Calculator 1.7.3/HCIMemTestController.dll
- Size
  
  13KB
- MD5
  
  ea3e3a4e587bcc5cfeadba7bd222b1d5
- SHA1
  
  46edab1171c29efb7bf8705b480b4576a8ad3c88
- SHA256
  
  833d561b7e5b7b76c3b05a6a07499b7be2395fc78b45d0ffbfa1ad05c08a1259
- SHA512
  
  47f41d2eb97060ee54b3949a768df06a17e9be6682b952f720a3607557e7d040ae79e5615e0c43b8322c5636caba754406c8fdea2293fa2c4fccc8d1210f156c
- SSDEEP
  
  384:5zYUc9xatvS1XIJPbxbvbEOxAvMENojhyNLDpaGA+wi:aPCU1KbdvbuNbA+wi
Score

1^/10
behavioral3 behavioral4
- Target
  
  Ryzen DRAM Calculator 1.7.3/LineLatency.exe
- Size
  
  249KB
- MD5
  
  766f490f1e0b63f31cd46c39d2b70a71
- SHA1
  
  0db8688ae868abcfd18ae6b30363e4eb6475fd6c
- SHA256
  
  d1376b76b1d5e582604eacb09e666a973bb75fc03260adfa21fd11b534167cea
- SHA512
  
  7ab4ff66aca7fe2ebcd5be8ec026f6391973fffbd4dcd89e26e363e6737864de78f43898c2c6a8f5290a63a12e754be10b1e5c2d73a0ede72049d0b2b35fcf41
- SSDEEP
  
  6144:vL+jBkqJ+9iUPy/rditMjb9+oh0BvEaK:DGBkvidi4bUoF
Score

1^/10
behavioral5 behavioral6
- Target
  
  Ryzen DRAM Calculator 1.7.3/MemSpeed.exe
- Size
  
  335KB
- MD5
  
  428293382eb4398e06a06a32c1e1b502
- SHA1
  
  d8e4c1887a0b96381b273abb320af559dddc1c32
- SHA256
  
  2e71045bd826593c64509e7f572d163dfddc8f1f0bf79041b385f2da1c7809fd
- SHA512
  
  1adf6092307f9a60b893bfd046966f80b36ca62a86f0daf1a43aeaf6f1be7f492473b297e1c219c82f0f9b962a490452f8bc0cd83bebe846d09e42ccbd2cbda3
- SSDEEP
  
  6144:QhmZxdH5RwUGXEFDjS7UB4+SpvvN2xb5BlAN:zwpElWK4+KCbuN
Score

1^/10
behavioral7 behavioral8
- Target
  
  Ryzen DRAM Calculator 1.7.3/MetroFramework.dll
- Size
  
  149KB
- MD5
  
  44538b311e9ec2bcf0a6452702628d99
- SHA1
  
  da67301539903775708e9ec913654851e9e8eade
- SHA256
  
  baf326f52d39155d722465947f4cc67e6e90cfd0f89954eab959568e9bc342aa
- SHA512
  
  b65e3bc1c0f7b4c8f778cf52a36d628301d60aab53fdaf0355163e4865bc3d3adbf8870bb6cefc604708fdf2c0e72258eaf2fe301d524af2f77bc08014c9610a
- SSDEEP
  
  3072:LU0T+erz8jYxYg5lzrPHlMUzxXd4kRZPI9q:vT+erz8jYxYgv/lxXGWPS
Score

1^/10
behavioral10 behavioral9
- Target
  
  Ryzen DRAM Calculator 1.7.3/RandomLatency.exe
- Size
  
  142KB
- MD5
  
  8bb1a701b0520a7c2a89e99ee4d53516
- SHA1
  
  8d4497baa655860a722d5cf410c969d6843daaad
- SHA256
  
  7cc74169f83e9f272d8306e81aef05183961d08c3914c30556879e53f48604dd
- SHA512
  
  84bb8eb1638c35e0458bcdf722ace74943eb75fd1c59228399fb6cb8d0443ead8040e3d979ccb2fbda266aad24988cd227b937c3f0e7f093058856de983b84b5
- SSDEEP
  
  3072:H5HrzNhkCvmR5rgzof6H9XtvbFuF24iV9P8wl6:ZYCeR5CuMrvbr3
Score

1^/10
behavioral11 behavioral12
- Target
  
  Ryzen DRAM Calculator 1.7.3/Ryzen DRAM Calculator 1.7.3.exe
- Size
  
  3.0MB
- MD5
  
  9d88a0aa3f2b647fd6ced2f6cc7bf95e
- SHA1
  
  03ee53577b16217f045832d6f4c346600df29915
- SHA256
  
  0661814be3524d220818a4342f3949ae94ef8b005da3e10605ab9486c94170b3
- SHA512
  
  e8df6641bd830529a29b45e5030eb5e0cbe870254c16e2ccf0dd3b3af32f3234c80cbe8b403d2d32fb0a01218ff2011a0fa5157eb92bfda3d2bc307a362d8fff
- SSDEEP
  
  49152:ZEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVd3338u:t92bz2Eb6pd7B6bAGx7n333J
Score

10^/10

remcos new discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  Ryzen DRAM Calculator 1.7.3/WinRing0.dll
- Size
  
  81KB
- MD5
  
  8a85b17e0afa2733d43c2011a67d14ae
- SHA1
  
  af6e9d53fb966bcaacaaa2b90302b1ba0d746dca
- SHA256
  
  9bc13b81f900bc5908c2df72aaf8dc430102ecaae0e309c7625db076e81e6b44
- SHA512
  
  577151786c1fb1bdf6ccf0a594de8bc65d2b55f4e6cbc761cb1d6e304486f428d157f4d9913789928c3a2b5c716af0ee1a23dea8113c88b6c87c04b4410b4542
- SSDEEP
  
  1536:XnDu/v32jA5gOB6OFJDsKPfcRFsWjcdb9lzS9GOBY:XPEtjGqS9JW
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  Ryzen DRAM Calculator 1.7.3/WinRing0.sys
- Size
  
  14KB
- MD5
  
  845af1ba23c8d5e64def61bcc441604c
- SHA1
  
  8ac34eb21b9b38f67cd29684c45696c20ab2e75a
- SHA256
  
  206ee7a7c3f4d9496f742ccb84718f556ecb4ba2a95fe7e0cdf3a003ffbe4597
- SHA512
  
  0c2d625bbe5b1902cd371f4e1a3dceee6401aa9fa0b25f4720277eaaac3576c2029d7db3ae9983382e4ca8f0415ccd4b0e6c1eea864e7886276f93047258475f
- SSDEEP
  
  384:zkg+wW5QDV08teHn+EgTWGYOf2OJ06dUb+m:JDV4+ECtfSJim
Score

1^/10
behavioral17 behavioral18
- Target
  
  Ryzen DRAM Calculator 1.7.3/WinRing0x64.dll
- Size
  
  95KB
- MD5
  
  d98ee0134e3799bdf2254dcecd5ea55d
- SHA1
  
  bff3d04a8d76d6b726fcf860348ab4b289072d69
- SHA256
  
  3edb01db9ef92d669c242215db0be0389a8ff8dd11b1bbe0e6c9d1a41a88c3c4
- SHA512
  
  afedfb05b0c7ae4e4615e6b88b3f196b609aad4f4752cade9bf56ce2de64cb3ef0f91893fde5588a3c7cbc3c5ec3a6e1e9af4e9a788324ca1b4cda4237781928
- SSDEEP
  
  1536:5MqmYOZ4PTx5+ZsRi3TdPYmtIvobfgOREdYf6g77Lg9deDlQA8EULigHsW4dtYlI:5MqxTH+qRi3TdPYmtpIORLtY9deDlQm5
Score

1^/10
behavioral19 behavioral20
- Target
  
  Ryzen DRAM Calculator 1.7.3/WinRing0x64.sys
- Size
  
  14KB
- MD5
  
  0c0195c48b6b8582fa6f6373032118da
- SHA1
  
  d25340ae8e92a6d29f599fef426a2bc1b5217299
- SHA256
  
  11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
- SHA512
  
  ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d
- SSDEEP
  
  192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
Score

1^/10
behavioral21 behavioral22
- Target
  
  Ryzen DRAM Calculator 1.7.3/memtest.exe
- Size
  
  40KB
- MD5
  
  2da23869191b9b93106967d1924e6342
- SHA1
  
  ef072f822fa270026c7243e8ad4cf5fccccf2947
- SHA256
  
  637d81054008795d8ba5115682fe5979e26c3691d3a8ac7960bdf1a69436907e
- SHA512
  
  80a8560304f08e1ee7c77de19d100aab00e8932147507486d6f4558760459a57633f013e907b93263fc41c158ef0a4b061708d036165d9668ba90405de3ecf27
- SSDEEP
  
  384:YJDsy4wiAjbceYC87TfUjO1RMuQJL3LNQu/+Hqo71a1soaxFWHxujgHjKDuucNzT:YalvAjbceg7zlc9bGC+Hq+2/aGHF4M
Score

3^/10

discovery
behavioral23 behavioral24

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Remcos family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24