remcos | 4ba50be2c056423d1788cc6f2e7e1444e069684c14a302d1486725bc736d30c3 | Triage

Sharing

General

Target

files.zip
Size

1.5MB
Sample

241204-1vct1stjg1
MD5

7dda6a970598315b647c5da4eb99c293
SHA1

e108910741552010cd6e9480be1187388cf98aa2
SHA256

4ba50be2c056423d1788cc6f2e7e1444e069684c14a302d1486725bc736d30c3
SHA512

94f8c3b513cea50ce768585fa6c70f7164fb41b11e77e4aae7ace9555585e54fa56ce4e997b52c52694dc4ed3e8c106ea26cf4743974da980205799e57aa1ae3
SSDEEP

24576:89g8XU+VMdSlAbiyGYYr8T4FtGMidZ2T06cl/2ZWnst+/asNpb/WE5pjXOEKwWzW:8q8XU+uSlo0LHSQT0pl/2ZWo+CcRvPHp

Score

10^/10

remcos hotline discovery persistence privilege_escalation rat

Malware Config

Extracted

Family

remcos

Botnet

HotLine

C2

itadmincentral.com:443

itadmincentral.com:8080

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
35
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
putty
mouse_option
false
mutex
htl-TQFCUW
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Putty
screenshot_path
%AppData%
screenshot_time
1
startup_value
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;chrome;edge;

Targets

- Target
  
  PCESTHTB.msi
- Size
  
  1.4MB
- MD5
  
  d5dd7c58c554c36c64ca86e6c172a3bb
- SHA1
  
  2401fff28f1208e3da5b44a528a6f6ece9fc25ac
- SHA256
  
  2dcafda9801e9cabf05f5824dc196f5fb966d53b5261207c7ea305bcc813aa2b
- SHA512
  
  d7f22b2e50ce9c603ea90be4f06e6e451414db6b0119907aaea0e2fd3f9ca6edb6a758dec659e03153fb17b4bbadc74b4100db35737d29b09d189f9b357ddfad
- SSDEEP
  
  24576:SHbU+DclSpAbi8cYeruT4HLGqidTsDo64N7im+o/gnWnsZ+/acJpDFWO5pjVOoKZ:AbU+mSpe2hfS4DoVN2m+o/gnWA+COZzr
Score

10^/10

remcos hotline discovery persistence privilege_escalation rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Installer Packages

Privilege Escalation

Event Triggered Execution

Installer Packages

Defense Evasion

System Binary Proxy Execution

Msiexec

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcoshotlinediscoverypersistenceprivilege_escalationrat

behavioral2

remcoshotlinediscoverypersistenceprivilege_escalationrat