remcos | 0aef5fd40527e7ab78039802a026b1268a330c6580eb1b5bb11ae29137de3d2c | Triage

Sharing

General

Target

c541ef92d5024981da22c4cd0a7884be_JaffaCakes118
Size

776KB
Sample

241205-bx3e1sxlan
MD5

c541ef92d5024981da22c4cd0a7884be
SHA1

554c2af624c1d1f36d522bbdad0860cc05e4fb31
SHA256

0aef5fd40527e7ab78039802a026b1268a330c6580eb1b5bb11ae29137de3d2c
SHA512

89059237ff2d332016b9ed49946b31042be61a349b53a4a415e18ab67976d3c12ecfdd9b6311162b56d6d82dd8807cdda4bf43e3fff263af60cb8cb4343eab8f
SSDEEP

12288:8XV1Vt7syT8RJJ58bOZmZHGGPVo5yOnperQvBXtvldA93LYzxOd6:8nVtYyKp2zPPOpXvBXtvlg0Ad6

Score

10^/10

remcos remotehost-5778 discovery evasion execution persistence rat trojan

Malware Config

Extracted

Family

remcos

Version

3.1.4 Pro

Botnet

RemoteHost-5778

C2

5778.hopto.org:5778

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-8NVW4R
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Targets

- Target
  
  c541ef92d5024981da22c4cd0a7884be_JaffaCakes118
- Size
  
  776KB
- MD5
  
  c541ef92d5024981da22c4cd0a7884be
- SHA1
  
  554c2af624c1d1f36d522bbdad0860cc05e4fb31
- SHA256
  
  0aef5fd40527e7ab78039802a026b1268a330c6580eb1b5bb11ae29137de3d2c
- SHA512
  
  89059237ff2d332016b9ed49946b31042be61a349b53a4a415e18ab67976d3c12ecfdd9b6311162b56d6d82dd8807cdda4bf43e3fff263af60cb8cb4343eab8f
- SSDEEP
  
  12288:8XV1Vt7syT8RJJ58bOZmZHGGPVo5yOnperQvBXtvldA93LYzxOd6:8nVtYyKp2zPPOpXvBXtvlg0Ad6
Score

10^/10

remcos remotehost-5778 discovery evasion execution persistence rat trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Windows security bypass
  evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehost-5778discoveryevasionexecutionpersistencerattrojan

behavioral2

remcosremotehost-5778discoveryevasionexecutionpersistencerattrojan