remcos | be419082e0eb1fdea5d24d7cb632afdc95a6a6ad6713844adbb32d5e5a377a22 | Triage

Sharing

General

Target

acd9a75b2f33064da7ebef088ed16cb9.bin
Size

46KB
Sample

241114-b3c3basgln
MD5

b218359ed36e3bf5d39c42a55c5be984
SHA1

ebacfc2273e584834c3fb76ec76a854d38722ffa
SHA256

be419082e0eb1fdea5d24d7cb632afdc95a6a6ad6713844adbb32d5e5a377a22
SHA512

df8e503b6a6f26065fdf564344fadae60f4bd488a63a4bc78e545c3fdecce3283340585df0cb84c7592c885329144c08c781dc3c275280aff8a1676d6b9427de
SSDEEP

768:5rOumF3HZnWRg6X6th726yHAUuAlO84hKp0hpE4agO6wbAStX03zM97:5rOWch7/ytO1hK0hpE4+rTV0jMJ

Score

10^/10

remcos remotehost discovery evasion rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

dvlqrd8dhs.duckdns.org:46063

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-0IGFAQ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  cecb613e2e7877b680323862198f05c9634c1dc3e7c64ed95cc3154e9c5e9fd4.vbs
- Size
  
  86KB
- MD5
  
  acd9a75b2f33064da7ebef088ed16cb9
- SHA1
  
  8f51e47a0454c8032e2ecd90f85bb115e80b5f35
- SHA256
  
  cecb613e2e7877b680323862198f05c9634c1dc3e7c64ed95cc3154e9c5e9fd4
- SHA512
  
  06525377cfdc4e75fab11fd907a65c611bb9c880fe56bc68b3baa108b266e472813d3824969d6e6584c6b7d90b65379dfc633a15ef17bf24705a8195a5c657b3
- SSDEEP
  
  1536:970ty9v0kvBGd9pOpuoNvhvJELsj+qOhkqXzkx5c3cYdg51VWXaAj2yTk:9Qk9vh5U9QLzFOhbwx5c3cYdqVWrTk
Score

10^/10

discovery remcos remotehost evasion rat trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- UAC bypass
  evasion trojan
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Network Service Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

remcosremotehostdiscoveryevasionrattrojan