remcos | a6d4e2706d45af6be3a6bd264ac95d7b5e6e60dbbcbce01a498dd3b8f9ccb3f6 | Triage

Submit
Reports

Overview

overview

Static

static

main.exe

windows10-2004-x64

Sharing

General

Target

CHECKER.rar
Size

222KB
Sample

241115-kty3vssakl
MD5

413b25321c6bb2726e15d408a00c6e27
SHA1

d24fd4e913d1a5cf943d257269bb45b7e281f4d6
SHA256

a6d4e2706d45af6be3a6bd264ac95d7b5e6e60dbbcbce01a498dd3b8f9ccb3f6
SHA512

eabc45a3a8e33f5e580402f5c46860d25c700d456571fa38a988fc9e4d85523414e8eaf1f0e63e6667e09da98c1a911f2ea3a231952a2717c6e78e51033e028a
SSDEEP

6144:vo8nrHsLbJLVYPA5pyXt+oX0Mi88tUPnHCCFI6wRfT7q:vrnrHmbQPAvyX480j/aik6Fq

Score

10^/10

remcos flutter collection discovery evasion persistence rat trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

main.exe

Resource

win10v2004-20241007-en

remcos flutter collection discovery evasion persistence rat trojan

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

Flutter

C2

85.17.107.2:8338

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
flutter.exe
copy_folder
Flutter
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Mot
mouse_option
false
mutex
Mot-P379YE
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  main.exe
- Size
  
  483KB
- MD5
  
  91589593e41eac9ac23f6f3de785b457
- SHA1
  
  b3f926ba58dae1d0da8e099ba9d3f11ed5ab2a39
- SHA256
  
  d91315352c0c49ae79df6219fb21c6fe11e405bc7ae117d9d111535ee1dd5467
- SHA512
  
  c6b74d774fae5c9d7151afab78a1e4f96c6d089691123c8689136ae99ab9b21f128bd6565a122afbbd61cd919434df29bed2ee6439d1b9dc9eedd0ee0a0082cf
- SSDEEP
  
  6144:25zY+w1LqZBCxKedv//NEUn+N5hkf/0TE7RvIZ/jbsAORZzAXMcrnmA4:25k+Yqaxrh3Nln+N52fIA4jbsvZztA4
Score

10^/10

remcos flutter collection discovery evasion persistence rat trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Windows security bypass
  evasion trojan
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosfluttercollectiondiscoveryevasionpersistencerattrojan

© 2018-2024

Terms | Privacy