remcos | 36ce75d541f0430c5b5b92215fb754bfe73bc4f74c5df7a6176c347e03c360d7 | Triage

Sharing

General

Target

04122024_0041_nr101612_Order.wsf.zip
Size

861B
Sample

241204-a1x42ayjdm
MD5

e7a1c19fa4785ecaff01e70a34eed465
SHA1

70440e067596046d925a8a82e5cf567a755cad63
SHA256

36ce75d541f0430c5b5b92215fb754bfe73bc4f74c5df7a6176c347e03c360d7
SHA512

decee8b98963763b77c33f9d6c0cbb535ecd4b9547a0e30bf022540a949d5256f7f8ddb8d4fa7d10af493c70080ff5d48e458cde580c71059fde17e6ea4343b7

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20

exe.dropper

https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20

Extracted

Family

remcos

Botnet

RemoteHost

C2

ahmedahmed.ddns.net:6426

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-SEVL3E
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  nr101612_Order.wsf
- Size
  
  3KB
- MD5
  
  2351b140cfa13f0cf05f93b471edd1f6
- SHA1
  
  aab24f356405a117ce7df0016b131872fb1b2f16
- SHA256
  
  4e176fd538ca3aade9d71291f18cbe73022c88dd19e29fba250a6d0a9137be17
- SHA512
  
  bb7e68724ba4e4169e90b0ff3d6379dda43c0d01bf1e26b91211a124833317a4741bb6c5f0c3e97bcc79f8d01460bb09b6cf963c2f39890b7063ddd1b74f0085
Score

10^/10

execution remcos remotehost discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

remcosremotehostdiscoveryexecutionrat