remcos | fbc7ea811a9cc4d78986918a1c07a6c6fc9f4be6e5ea4952ad76fb7b23c752af | Triage

Sharing

General

Target

cc729b8c1f1d7f050ca51d488f2572e2_JaffaCakes118
Size

224KB
Sample

241206-l9e6csslex
MD5

cc729b8c1f1d7f050ca51d488f2572e2
SHA1

82b30570a2d787ffa79834f55e97127c2f1f08af
SHA256

fbc7ea811a9cc4d78986918a1c07a6c6fc9f4be6e5ea4952ad76fb7b23c752af
SHA512

ca09a774d0cc0225aadbba1919411c56fe52f083a62bddab07e891b9231566ea342a8fb13623afafe8141f782485d62f310506f5e07267c2a6033382ea29d5ec
SSDEEP

6144:lnOBWg8BRGHbLegPMEGSu7YG/vXYiMWt5CAVJbc15:yp8BRsbWELGo7w1VW15

Score

10^/10

remcos remotehost discovery evasion persistence rat trojan upx

Malware Config

Extracted

Family

remcos

Version

3.1.1 Pro

Botnet

RemoteHost

C2

192.168.8.104:2405

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
svchost.exe
copy_folder
Svchost
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
JRE
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-HYK6L3
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Extracted

Family

remcos

Botnet

RemoteHost

C2

192.168.8.104:2405

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
svchost.exe
copy_folder
Svchost
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
JRE
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-HYK6L3
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Targets

- Target
  
  cc729b8c1f1d7f050ca51d488f2572e2_JaffaCakes118
- Size
  
  224KB
- MD5
  
  cc729b8c1f1d7f050ca51d488f2572e2
- SHA1
  
  82b30570a2d787ffa79834f55e97127c2f1f08af
- SHA256
  
  fbc7ea811a9cc4d78986918a1c07a6c6fc9f4be6e5ea4952ad76fb7b23c752af
- SHA512
  
  ca09a774d0cc0225aadbba1919411c56fe52f083a62bddab07e891b9231566ea342a8fb13623afafe8141f782485d62f310506f5e07267c2a6033382ea29d5ec
- SSDEEP
  
  6144:lnOBWg8BRGHbLegPMEGSu7YG/vXYiMWt5CAVJbc15:yp8BRsbWELGo7w1VW15
Score

10^/10

remcos remotehost discovery evasion persistence rat trojan upx
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- UAC bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostdiscoveryevasionpersistencerattrojanupx

behavioral2

remcosremotehostdiscoveryevasionpersistencerattrojanupx