remcos

General

Target

0cd8211958d56f16c946111633bc64c5b448a67f599c0f5ea67d3a1e77194201.zip
Size

49.3MB
Sample

241117-gl8qjsxkdr
MD5

e78677a27af4ddb3ace4c2f57b9dd09c
SHA1

f5940cfcd5675d7848153ae7c5b938935a1b3ea2
SHA256

0cd8211958d56f16c946111633bc64c5b448a67f599c0f5ea67d3a1e77194201
SHA512

850258574198a2c3d6c9349ec5bef6c23ac1ee4cc520c325008f56fd9a2235c3ef006a7635e5c0ddb123af5541cab7ec872fffcaae082135aaaa4af6771c4d58
SSDEEP

1572864:JUHWOO6aB6Qzl0QmRy/ASf2ZbT+eLRwO9dwUmbs9I:6cxtzlLmRyYSuZpByA6

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

NewTest

C2

65.21.12.146:6165

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
GttttSFFFSSS-FH61YW
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  XTU_7.13.1.5/XTUSetup_7.13.1.5.exe
- Size
  
  3.0MB
- MD5
  
  66077408ca68b2fcd2a80e86e1797900
- SHA1
  
  7c20e8699629a2363ad3795248dbb19a07ea68e8
- SHA256
  
  72d6634536e28daf1008d949c3683ee5a31bffeeabe5443a84b5023c5ee48470
- SHA512
  
  f02864e4201caa2427942cd97e5a834cdd82cab766f3e85e42f8f87e66e220d93c567497f248bfb8e946c1bd5e5f599bad7a991a85a36d2920c696e5e2a909bb
- SSDEEP
  
  49152:ZEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVd3338e:t92bz2Eb6pd7B6bAGx7n333J
Score

10^/10

remcos newtest discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Remcos family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2