remcos | b66989ce2388271f471e38dd4f8cca5da3a47663dcb253e77e464ac7328c1a32 | Triage

Sharing

General

Target

RacingLot.exe
Size

1.2MB
Sample

241120-v583bazdla
MD5

8b55759c053ec89dc1eae85d043441a9
SHA1

af350e100dc7178de3bc1c166599e99ae29268ee
SHA256

b66989ce2388271f471e38dd4f8cca5da3a47663dcb253e77e464ac7328c1a32
SHA512

c4815afd42a620201c34aa7dae33990ae085fd76ce181a9e2b1bd2fbdb7e9841495f96b56f03a5bba818f95df61df8d809fe25aa623274257ce14da78d2b627a
SSDEEP

24576:E4t5TY9aBRuxpPk92C48uKcuNaHHP/Wx4wbdqXReE9UOsPhv1daUsC:5YaBRuxu9r4XKc/HHP/WxHbwoEGH0s

Score

10^/10

remcos azucar discovery rat

Malware Config

Extracted

Family

remcos

Botnet

azucar

C2

comercio0025.dns.army:3021

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
registros.dat
keylog_flag
false
keylog_folder
datos
mouse_option
false
mutex
uyebwiljbflbhvghhsd-PB673X
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Capturas de pantalla
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  RacingLot.exe
- Size
  
  1.2MB
- MD5
  
  8b55759c053ec89dc1eae85d043441a9
- SHA1
  
  af350e100dc7178de3bc1c166599e99ae29268ee
- SHA256
  
  b66989ce2388271f471e38dd4f8cca5da3a47663dcb253e77e464ac7328c1a32
- SHA512
  
  c4815afd42a620201c34aa7dae33990ae085fd76ce181a9e2b1bd2fbdb7e9841495f96b56f03a5bba818f95df61df8d809fe25aa623274257ce14da78d2b627a
- SSDEEP
  
  24576:E4t5TY9aBRuxpPk92C48uKcuNaHHP/Wx4wbdqXReE9UOsPhv1daUsC:5YaBRuxu9r4XKc/HHP/WxHbwoEGH0s
Score

10^/10

remcos azucar discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Enumerates processes with tasklist
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosazucardiscoveryrat

behavioral2

remcosazucardiscoveryrat