remcos | dd65dd8dc6a7e07a80cef5710ea026d0a3dc0e4e3657111b82acbf65ffd845b6 | Triage

Sharing

General

Target

NEWORDER-4788467.7z
Size

908KB
Sample

241121-n1nggssjcv
MD5

902c0c34f69cc76c380c9e2e822e4a82
SHA1

be340f75a15a1ed6c214fd1228eb78ff8275fe7c
SHA256

dd65dd8dc6a7e07a80cef5710ea026d0a3dc0e4e3657111b82acbf65ffd845b6
SHA512

497858ab7200b7bad84911536a853bb41404caceed1141600398758d2e67a60f929a1cc32fe22bb217b6e44b66247d62fca138be516863e367838a787bd1b9a4
SSDEEP

24576:8qho7Y33wd4D5N4UmVFruPkMKXbY31qKblvho:H1Hwd4FN4UoFqjKXboTp5o

Score

10^/10

remcos remotehost discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

206.189.218.238:4782

206.189.218.238:2286

206.189.218.238:3363

206.189.218.238:3386

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-NJK093
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  NEW ORDER- 4788467.exe
- Size
  
  908KB
- MD5
  
  1cb86400147c835af58017f0474c5bcc
- SHA1
  
  ac285cb623bf292341068dead954cfed9a1f8c81
- SHA256
  
  c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61
- SHA512
  
  ce74f39d092b13570f9387e5d43ced748dea9557e8887fc072694a2cf448b2c4cf741db3e76d551ebef3511b906ae1cbe0fe670f8968e51d1441982ec73b9b0c
- SSDEEP
  
  24576:Nqho7Y33wd4D5N4UmVFruPkMKXbY31qKblvh:y1Hwd4FN4UoFqjKXboTp5
Score

10^/10

discovery execution remcos remotehost persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

remcosremotehostdiscoveryexecutionpersistencerat