remcos | fb9e1798609baccb82ea2295026b10decbe6696ab677514af5d5b06544943143 | Triage

Sharing

General

Target

02122024_1514_02122024_Attached_updated_SEPTEMBER_SOA_till_now_total_USD 26162.21_pdf.7z
Size

11KB
Sample

241202-smqrxayrdt
MD5

3d276a3b5f8972ddcff59d41a091e3e7
SHA1

54a7765e1a0be113e1e6819c29154ad1285201a4
SHA256

fb9e1798609baccb82ea2295026b10decbe6696ab677514af5d5b06544943143
SHA512

3445ada4dea762659883d9b8a9b099464d4ca532978a0a3f33ce3c6ba5a5f30fc0e349ccf353144807dfb7602e4960345717ec44948ca0811bc350c37b8c5c8b
SSDEEP

192:E6FZehLKdBiSNMocj66FoASRfQ1oYq/JA8w8vIHtZJIel9eeY2pN6nSgBLsMXah9:22ji4c+nQ+YqhbOtZzloYYCMXahA5QK6

Score

10^/10

remcos fresh discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Fresh

C2

dourtes4hnbouy1.duckdns.org:2487

dourtes4hnbouy1.duckdns.org:2488

dourtes4hnbouy2.duckdns.org:2487

dourtes4hnbouy3.duckdns.org:2487

dourtes4hnbouy4.duckdns.org:2487

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
kamzourts.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
kamncbiu-LBXP9X
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Attached_updated_SEPTEMBER_SOA_till_now_total_USD 26162.21_pdf.vbs
- Size
  
  52KB
- MD5
  
  6502323c58be777bd7cf1046ba20a468
- SHA1
  
  51dc97fd8b87b03426c2b74f29a09e00897732d8
- SHA256
  
  fb3c178a1787f26fcd75494463b9292bb1c7f76b465c7e78381dce5ed7c8011f
- SHA512
  
  bf570c92c5b80a9d94cc1d4cfa2cd4596b8bbaf0e992427448f54cd83bea2e6867f1eac623d0108f241f7de039c1fc07b87d98cef8232ce2366a3fe030c5011c
- SSDEEP
  
  384:I5cVCJUYlJPLpoCuPmKOF5OXOlaNyPepflkhiG0gkIENdy3w7u:I5cXYlJPLyCuOKEwtyPenNGO3Ndy3wi
Score

10^/10

execution remcos fresh discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

remcosfreshdiscoveryexecutionpersistencerat