remcos | 8f1c4815ebd89c9e400cbd552d7451c5420e5e2618c507163aebf0e8cede33fc | Triage

Sharing

General

Target

8f1c4815ebd89c9e400cbd552d7451c5420e5e2618c507163aebf0e8cede33fc
Size

832KB
Sample

241114-n28ttayjcs
MD5

1acb4ef38316c27ab0b749bcb9bb2ba5
SHA1

3e4f1f91c17d63059afb7b9821de0f1bb1961a2f
SHA256

8f1c4815ebd89c9e400cbd552d7451c5420e5e2618c507163aebf0e8cede33fc
SHA512

0d97a4f5f62cbad53c842265582f3758702b7e2593287d68afe1894f1953003642b2e9387124d5f8863ce7b4ce6ba3ef36fb1e5d3fa9555e1404a505f0a3fa10
SSDEEP

24576:VS530j7VARrRGyEDD5afzdgsqwd88w132BIKSxt:VxVhNa7/rY2uKSP

Score

10^/10

remcos gasplant discovery evasion execution rat trojan

Malware Config

Extracted

Family

remcos

Botnet

GASPLANT

C2

dotatech.de:30908

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
chrome-SYTYBI
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Quotation.exe
- Size
  
  1.2MB
- MD5
  
  9ddd4a2b7410441f0cf78739046eb732
- SHA1
  
  08c58c8bcbe0f9475898b74daff61cf9b6e95fb3
- SHA256
  
  0e248ef8cd0d758d18a56d6af3b577628e428954059e666641aa4fe1ee407c8d
- SHA512
  
  2201278a617e7b6428cc49e98c8fe976c53a5e006715a1dd8b1d7027c94f144d093a96a708472a03f7252a4b7df393a877ac208495e5b5132cbaca78a3d9b98d
- SSDEEP
  
  24576:8BOtGnZ12iiD5NNpcqTeNZX0UuZIRC6p4Tr5:8B4gZApr6N50UueRC66d
Score

10^/10

remcos gasplant discovery evasion execution rat trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosgasplantdiscoveryevasionexecutionrattrojan

behavioral2

remcosgasplantdiscoveryevasionexecutionrattrojan