remcos

General

Target

Vuupkzeyx.bat
Size

1.7MB
Sample

241201-vl1lts1mdp
MD5

cc0e4b5bdfc8fea0703e0e1f2342c915
SHA1

d14c623ce04289e2a4024381c2e99c9ff20a84cc
SHA256

12ea5712edf3120754d3f1ce995f46bf855a4eb47ed0830a574068a584fae628
SHA512

3182d67031dbc35395adf93d6ec3dc5b6cdbcb286f87242ba2bb54090a82f80a2247a277fe6c1d050cd3ac5cb00e1330681e1a89d9887249e498cf6da351b771
SSDEEP

24576:hKvkZKBxfTCRFcjanaAKbySo1RfOIPC2ZH5yLJgQiL44e/b4fPh9y0qV5mPRswMD:svo2pJa9Ow50dmbMmCiw

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

24.ip.gl.ply.gg:7694

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-4QV34V
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Vuupkzeyx.bat
- Size
  
  1.7MB
- MD5
  
  cc0e4b5bdfc8fea0703e0e1f2342c915
- SHA1
  
  d14c623ce04289e2a4024381c2e99c9ff20a84cc
- SHA256
  
  12ea5712edf3120754d3f1ce995f46bf855a4eb47ed0830a574068a584fae628
- SHA512
  
  3182d67031dbc35395adf93d6ec3dc5b6cdbcb286f87242ba2bb54090a82f80a2247a277fe6c1d050cd3ac5cb00e1330681e1a89d9887249e498cf6da351b771
- SSDEEP
  
  24576:hKvkZKBxfTCRFcjanaAKbySo1RfOIPC2ZH5yLJgQiL44e/b4fPh9y0qV5mPRswMD:svo2pJa9Ow50dmbMmCiw
Score

10^/10

remcos remotehost discovery evasion rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Remcos family

Suspicious use of NtCreateUserProcessOtherParentProcess

Sets file to hidden

Drops startup file

Executes dropped EXE

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2