remcos | c5117050b2cc795a040a1e1db3052711602de30de2b4ef28eedf185c7f852f13 | Triage

Sharing

General

Target

c5117050b2cc795a040a1e1db3052711602de30de2b4ef28eedf185c7f852f13
Size

4KB
Sample

241128-gpaypaxqhv
MD5

9b7977f50cec9516788fed122dac9092
SHA1

e154d7aecabc9ea34ea2db5b30dc2aba54fe0d78
SHA256

c5117050b2cc795a040a1e1db3052711602de30de2b4ef28eedf185c7f852f13
SHA512

07b2c56ca2be046c946284da0a86dcf80a4b4025e8abb1c1b40b449d51b116676fd1b0718a8d2e09f07dddc8cc8fc670baa0b026f893847538a6e89ac1d625b3
SSDEEP

96:ta3IlNIqTCnHLCS09dtRQ7i8nMYXOuvzdhAzqmzP1qT:pSG3Q7iWhzd2umxqT

Score

10^/10

remcos a$ian collection discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

A$ian

C2

iwarsut775laudryed1.duckdns.org:57484

iwarsut775laudryed1.duckdns.org:57483

iwarsut775laudryed2.duckdns.org:57484

iwarsut775laudryed3.duckdns.org:57484

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
hmbnspt.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
shibuetgtst-WMSLPY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  awb_shipping_post_28112024224782020031808174CN28112024000001124.bat
- Size
  
  6KB
- MD5
  
  f37fb720f0662ce5bac44b7e19b03864
- SHA1
  
  daeac2db53e78b1139d1ef3351ecda6c66deb09e
- SHA256
  
  df2cba523549cdb60b69c1de396325a4bf3d86d1013378a169273c4aa99d4da9
- SHA512
  
  9aa63156cb66c548a0703c3f0a21d0e26d7939c62c0268b909e8c9ae3a1189753c3c0cec18e3e5e4cd806e4ea274e721faa0e41ee6cfd36a862ba581201b33fc
- SSDEEP
  
  192:YEo+WKuRms3YnN5ekWwsQRbXwwgYTVVSGogXs3:DojPgs3UN5LWw7RDwwppjvc3
Score

10^/10

remcos a$ian discovery execution persistence rat collection
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosa$iandiscoveryexecutionpersistencerat

behavioral2

remcosa$iancollectiondiscoveryexecutionpersistencerat