remcos | 71dc9593413d17bc6d72619104a202b94afb37af37130796c853ebc31fca0c7b | Triage

Sharing

General

Target

71dc9593413d17bc6d72619104a202b94afb37af37130796c853ebc31fca0c7b
Size

942KB
Sample

241121-d9k3lsxhmf
MD5

d693129bcfa4ee6947ebee47d9a220c0
SHA1

d4848019b810ce320d49388327351cc79dd69e3c
SHA256

71dc9593413d17bc6d72619104a202b94afb37af37130796c853ebc31fca0c7b
SHA512

c5ca275d096cfeb0af59e5cd33daf00f037a73f83d8b551a88cba814f7dceefdb42216c95b3fd064ff7880a4915f3f9434ac7a5640840c41460ba04e10d18da8
SSDEEP

24576:XAbXe4vkwxxdQHzB2cuGEQo3GQPx212rWaLL:n4dPdQHzgcuGE/3xxpZL

Score

10^/10

remcos remotehost discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

212.162.149.226:9285

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
AppUpdate
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-VCJ8ZS
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
AppUpdate
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Bank Fund Transfer-589237.scr
- Size
  
  1.2MB
- MD5
  
  552044ce92b78bf4b68d242c2c380afe
- SHA1
  
  2ef4efa20f4fd0d05d8f49ccb22c9afeada93a62
- SHA256
  
  cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3
- SHA512
  
  4dc5ef0fb4b80a81015f4507422a67309074ea01787c9ed0d18c850a1d98ea1e3a444993a1d08428331e2ff044390c873d20c31ffbae049e325a82b64d5a3967
- SSDEEP
  
  24576:6YdgfvzmIzxWOwxzCJYC3PPoKb0Eci5ihjJVxw9bYOd+8:qzmmWXRCaePPjb0Eci5ih7xw9bYI
Score

10^/10

remcos remotehost discovery execution persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostdiscoveryexecutionpersistencerat

behavioral2

remcosremotehostdiscoveryexecutionpersistencerat