remcos | cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3 | Triage

Sharing

General

Target

Bank Fund Transfer-589237.scr.exe
Size

1.2MB
Sample

241124-hys2asvran
MD5

552044ce92b78bf4b68d242c2c380afe
SHA1

2ef4efa20f4fd0d05d8f49ccb22c9afeada93a62
SHA256

cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3
SHA512

4dc5ef0fb4b80a81015f4507422a67309074ea01787c9ed0d18c850a1d98ea1e3a444993a1d08428331e2ff044390c873d20c31ffbae049e325a82b64d5a3967
SSDEEP

24576:6YdgfvzmIzxWOwxzCJYC3PPoKb0Eci5ihjJVxw9bYOd+8:qzmmWXRCaePPjb0Eci5ih7xw9bYI

Score

10^/10

remcos remotehost discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

212.162.149.226:9285

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
AppUpdate
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-VCJ8ZS
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
AppUpdate
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Bank Fund Transfer-589237.scr.exe
- Size
  
  1.2MB
- MD5
  
  552044ce92b78bf4b68d242c2c380afe
- SHA1
  
  2ef4efa20f4fd0d05d8f49ccb22c9afeada93a62
- SHA256
  
  cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3
- SHA512
  
  4dc5ef0fb4b80a81015f4507422a67309074ea01787c9ed0d18c850a1d98ea1e3a444993a1d08428331e2ff044390c873d20c31ffbae049e325a82b64d5a3967
- SSDEEP
  
  24576:6YdgfvzmIzxWOwxzCJYC3PPoKb0Eci5ihjJVxw9bYOd+8:qzmmWXRCaePPjb0Eci5ih7xw9bYI
Score

10^/10

remcos remotehost discovery execution persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostdiscoveryexecutionpersistencerat

behavioral2

remcosremotehostdiscoveryexecutionpersistencerat