remcos | 85502e59a1632b69b489891356d31f6a06d788073c744e1ac55bd03f166c5241 | Triage

Sharing

General

Target

85502e59a1632b69b489891356d31f6a06d788073c744e1ac55bd03f166c5241
Size

677KB
Sample

241115-yq1zya1crj
MD5

3b72f732f216136775f6aebdbda1ba0b
SHA1

f64deba6e108c2690a1f10ac0cd1a530cf3d16f8
SHA256

85502e59a1632b69b489891356d31f6a06d788073c744e1ac55bd03f166c5241
SHA512

8df9b062f2d82724fe186d18f30f2896eb93a591a38d5be33fcfb922722864c9f2b8a9324457b4eb41be1c08a546cd16b8319a0bfe41c81b1c0101f182804945
SSDEEP

12288:g+/D317UULVEwJP85xXtN1TrlHoACk9tclfmD/Q+6YTWiEOcW7scrzk:7DxUbXH1VIk+ubQ+DP8W77Pk

Score

10^/10

remcos fresh discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Fresh

C2

lafours8tursot1.duckdns.org:2879

lafours8tursot1.duckdns.org:2889

lafours8tursot2.duckdns.org:2879

lafours8tursot3.duckdns.org:2879

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
ioeoest.dat
keylog_flag
false
mouse_option
false
mutex
iomdjtru-ZWTOJI
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  85502e59a1632b69b489891356d31f6a06d788073c744e1ac55bd03f166c5241
- Size
  
  677KB
- MD5
  
  3b72f732f216136775f6aebdbda1ba0b
- SHA1
  
  f64deba6e108c2690a1f10ac0cd1a530cf3d16f8
- SHA256
  
  85502e59a1632b69b489891356d31f6a06d788073c744e1ac55bd03f166c5241
- SHA512
  
  8df9b062f2d82724fe186d18f30f2896eb93a591a38d5be33fcfb922722864c9f2b8a9324457b4eb41be1c08a546cd16b8319a0bfe41c81b1c0101f182804945
- SSDEEP
  
  12288:g+/D317UULVEwJP85xXtN1TrlHoACk9tclfmD/Q+6YTWiEOcW7scrzk:7DxUbXH1VIk+ubQ+DP8W77Pk
Score

10^/10

discovery execution remcos fresh persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

remcosfreshdiscoveryexecutionpersistencerat