General
-
Target
remcos.exe
-
Size
469KB
-
Sample
241130-vybs8szkc1
-
MD5
e0a193382a236af12dfaf3d1914c6ec5
-
SHA1
1931c500aead108e6c9b3626c456ff283af87b55
-
SHA256
036d32579d1986bae981d1a1259c6911c4014d18c04687f5c607597cc13703ab
-
SHA512
09c3d300b15d4e7f94943a741eda611f10764ebbdbad649052093974f427bce5cbad4ef1cdca6784b7bb6e7a9b4f5abbf5f6b46b3deab55786e2c8d615b85511
-
SSDEEP
12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSOn9:uiLJbpI7I2WhQqZ7O9
Behavioral task
behavioral1
Sample
remcos.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
remcos.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
remcos
RemoteHost
lesbian-failures.gl.at.ply.gg:11241
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
SecurityHealthSystray.exe
-
copy_folder
SecurityHealthSystray
-
delete_file
true
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
true
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-FGMZB0
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
SecurityHealthSystray.exe
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
remcos.exe
-
Size
469KB
-
MD5
e0a193382a236af12dfaf3d1914c6ec5
-
SHA1
1931c500aead108e6c9b3626c456ff283af87b55
-
SHA256
036d32579d1986bae981d1a1259c6911c4014d18c04687f5c607597cc13703ab
-
SHA512
09c3d300b15d4e7f94943a741eda611f10764ebbdbad649052093974f427bce5cbad4ef1cdca6784b7bb6e7a9b4f5abbf5f6b46b3deab55786e2c8d615b85511
-
SSDEEP
12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSOn9:uiLJbpI7I2WhQqZ7O9
-
Remcos family
-
Adds policy Run key to start application
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
4