remcos | aae02ab2461de2d26dcc070a13c6fa1e32b843d5ea8de7bf7affa260a0e2a570 | Triage

Sharing

General

Target

14112024_0200_13112024_QUOTATION-- #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.7z
Size

784KB
Sample

241114-ce1ddashlf
MD5

432696e5eeae671eeec137155669d1ba
SHA1

13817827efc54aed9bdd22d440764bc704b9a1b7
SHA256

aae02ab2461de2d26dcc070a13c6fa1e32b843d5ea8de7bf7affa260a0e2a570
SHA512

42953f8ed4559a4e051a3fe8c04fdc4d04a29ec85c0b1ba84152baebb026fb69b52761769b8682b7b93e1b0a240234a5ac8484e7973e9de1f5a345d546b66725
SSDEEP

12288:/w78Xfr17IaEsDM7oAfyzxjEyq5RbrkfJVL6/HNnxDsWwU1l+JH81Ir0JUIVUL20:/w+frJIth8qyRkRHkxV2FN1lMbwnWi5i

Score

10^/10

remcos slaves collection discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

SLAVES

C2

windowslavesclient.duckdns.org:1604

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-J3MJAP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe
- Size
  
  1.3MB
- MD5
  
  5c44a72a49fe4fbc94f1c1aa8cbf0ab6
- SHA1
  
  d0d0903f73b4aa11ee580fb6fd8d80775e6e88de
- SHA256
  
  39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129
- SHA512
  
  d92503e2ebbaa4e8728098cf6d0079de711a4f92663ad9db8583d848721818e4ecf3790a65253a0cd850c23eed8a46f98049a11f77b9f106344e501d124fbb97
- SSDEEP
  
  24576:ctcKivRdWnSyEHyfE75BP/+mgWdm/bTLLK6:LKmXWSy6r2mgxv
Score

10^/10

remcos slaves collection discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Remote System Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosslavescollectiondiscoverypersistencerat

behavioral2

remcosslavescollectiondiscoverypersistencerat