remcos | 9d577624acca69f5b4097a6882e934b026a344757cf5cf31f3341e643ed2ba20 | Triage

Sharing

General

Target

9d577624acca69f5b4097a6882e934b026a344757cf5cf31f3341e643ed2ba20
Size

1.9MB
Sample

241117-pq8kcazeng
MD5

b85c47881ba0eb0b556b83827f8e75c8
SHA1

dccdf0daee468f9e9bed3edf928f0839d26b47cb
SHA256

9d577624acca69f5b4097a6882e934b026a344757cf5cf31f3341e643ed2ba20
SHA512

ca158aff36e4eeff5d1c263a79972dfa0aa7584132f12a3d301a5cc5c47b57309fe71b4837c7b8caa5022cb18529b565d6a0849acdabd1af939b76b48284a605
SSDEEP

49152:nagZNlJJziNRWZVTyrNR6yUd/dSlilQBsq5jL:nawNlvWNRlrHSGRBsqR

Score

10^/10

remcos dpdnow discovery evasion persistence rat

Malware Config

Extracted

Family

remcos

Botnet

DPDNOW

C2

dpdnow.duckdns.org:8452

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-A34JIZ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  9d577624acca69f5b4097a6882e934b026a344757cf5cf31f3341e643ed2ba20
- Size
  
  1.9MB
- MD5
  
  b85c47881ba0eb0b556b83827f8e75c8
- SHA1
  
  dccdf0daee468f9e9bed3edf928f0839d26b47cb
- SHA256
  
  9d577624acca69f5b4097a6882e934b026a344757cf5cf31f3341e643ed2ba20
- SHA512
  
  ca158aff36e4eeff5d1c263a79972dfa0aa7584132f12a3d301a5cc5c47b57309fe71b4837c7b8caa5022cb18529b565d6a0849acdabd1af939b76b48284a605
- SSDEEP
  
  49152:nagZNlJJziNRWZVTyrNR6yUd/dSlilQBsq5jL:nawNlvWNRlrHSGRBsqR
Score

10^/10

remcos dpdnow discovery evasion persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosdpdnowdiscoveryevasionpersistencerat

behavioral2

remcosdpdnowdiscoveryevasionpersistencerat