remcos | 0e248ef8cd0d758d18a56d6af3b577628e428954059e666641aa4fe1ee407c8d | Triage

Sharing

General

Target

0e248ef8cd0d758d18a56d6af3b577628e428954059e666641aa4fe1ee407c8d
Size

1.2MB
Sample

241116-wb3twazmav
MD5

9ddd4a2b7410441f0cf78739046eb732
SHA1

08c58c8bcbe0f9475898b74daff61cf9b6e95fb3
SHA256

0e248ef8cd0d758d18a56d6af3b577628e428954059e666641aa4fe1ee407c8d
SHA512

2201278a617e7b6428cc49e98c8fe976c53a5e006715a1dd8b1d7027c94f144d093a96a708472a03f7252a4b7df393a877ac208495e5b5132cbaca78a3d9b98d
SSDEEP

24576:8BOtGnZ12iiD5NNpcqTeNZX0UuZIRC6p4Tr5:8B4gZApr6N50UueRC66d

Score

10^/10

remcos gasplant discovery evasion execution rat trojan

Malware Config

Extracted

Family

remcos

Botnet

GASPLANT

C2

dotatech.de:30908

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
chrome-SYTYBI
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  0e248ef8cd0d758d18a56d6af3b577628e428954059e666641aa4fe1ee407c8d
- Size
  
  1.2MB
- MD5
  
  9ddd4a2b7410441f0cf78739046eb732
- SHA1
  
  08c58c8bcbe0f9475898b74daff61cf9b6e95fb3
- SHA256
  
  0e248ef8cd0d758d18a56d6af3b577628e428954059e666641aa4fe1ee407c8d
- SHA512
  
  2201278a617e7b6428cc49e98c8fe976c53a5e006715a1dd8b1d7027c94f144d093a96a708472a03f7252a4b7df393a877ac208495e5b5132cbaca78a3d9b98d
- SSDEEP
  
  24576:8BOtGnZ12iiD5NNpcqTeNZX0UuZIRC6p4Tr5:8B4gZApr6N50UueRC66d
Score

10^/10

remcos gasplant discovery evasion execution rat trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosgasplantdiscoveryevasionexecutionrattrojan

behavioral2

remcosgasplantevasionexecutionrattrojan