remcos | 923bc7641ff951ee9d5c248e26268a97df150351e70b2b40fd7cb058fc8a7a03 | Triage

Sharing

General

Target

9a4cc81fdf4ff4117cf31313b0c41238_JaffaCakes118
Size

321KB
Sample

241125-j77fqaxnaz
MD5

9a4cc81fdf4ff4117cf31313b0c41238
SHA1

626075a6ca235c4b37fcae6689a1a9ddd9197d84
SHA256

923bc7641ff951ee9d5c248e26268a97df150351e70b2b40fd7cb058fc8a7a03
SHA512

3e5c7980d2ce68af072ec05227cd43251465436f54a4324ea5eb1d263bd02a41fb9bc4aa21552acd4b66cf043afa516e83b5c864528ebe5547ba44643a7562f8
SSDEEP

6144:1Eh53xXoWFphWmpKdVZhP2+eqxRFeDR9EenzeaX9I2wD+vp6WcHj:KnyerYP2hkRQNe899wD+vExj

Score

10^/10

remcos team33 discovery evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Version

2.0.5 Pro

Botnet

team33

C2

wiskiriski15.duckdns.org:1626

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
csrss.exe
copy_folder
Microsoft
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
TKeSkxi-O6GOWP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
csrss
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  54987171228690403848042072963010428256570551793178102301527820085900750925005634446887951863161674661854486149705485391499905265.exe
- Size
  
  668KB
- MD5
  
  8aa1a76b4376bff1b15c61ac32356e3d
- SHA1
  
  166dd235cc46a451cfcf1a064ec57fc723487f54
- SHA256
  
  e727ed652a2b4da65d9a31ed081a59179d18a504cdfb52387e977a5c3689398d
- SHA512
  
  9d12f905afcf295bb818c7d78045b4b61c12c9e697b4b883d11367253da565a588396fb59c859c744c92f217f85b11e70c3475b7bc0ceda2317bc36219046bdc
- SSDEEP
  
  12288:a3aGraE/mdQVnY8AiThjQ5wBXIUo7oew04zsNijwh:Ob/m+VnFBdjQwI1iOh
Score

10^/10

remcos team33 discovery evasion persistence rat trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- UAC bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosteam33discoveryevasionpersistencerattrojan

behavioral2

remcosteam33discoveryevasionpersistencerattrojan