remcos | 36c105d0567272f2c86d784c7e7beadc44898152d1413d70fadd93b20f6992c8 | Triage

Sharing

General

Target

09122024_2309_09122024_430010782.pdf.Tar
Size

619KB
Sample

241209-29kzlsznap
MD5

ccbdb6c6a58086aa6e0be362b7664bab
SHA1

e9e9b89242827910146eded36daf41bce3dc9c65
SHA256

36c105d0567272f2c86d784c7e7beadc44898152d1413d70fadd93b20f6992c8
SHA512

d0a30e5afa1add70d414d0827a120863653d8f3f2971e0007185f6e03385368b22756607511ea369478d71ce36b9d0c64f9f53caaf18d73fea7802c61a1a4079
SSDEEP

12288:V2HWLkzAScSkujQZqn7Ltql2l/abvRvRaBZDR8l+7lIYZC1CygsK:AHWLkz3cSHSq7R3ibvmDqk7dj

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

87.120.116.187:56

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-GC7VQU
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  430010782.pdf.exe
- Size
  
  759KB
- MD5
  
  74c8f736d425b1bd2027c2b5b144e188
- SHA1
  
  76f160d6c55611b99dcd10f85889957cb867990a
- SHA256
  
  293ebd610b0542289ffe9a52cab2c2a434dcff94918045a5ed1497deaee5eb87
- SHA512
  
  c859f5d689b168a72db6fc7fec5ed3c2a95cbd51402f0128b5370ec0cd41d73e02f90e3b27b85b8d76c5c0140bd9a6d9341d2422673baa52a5138ff689596162
- SSDEEP
  
  12288:0GCX77iIc2b3mMhkApKwjVim+PMpa3oGk6Rcs93tRLPHj6XOahG:qr75cY2vFikV/oGtR193tJPDUOr
Score

10^/10

discovery execution remcos remotehost rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Loads dropped DLL
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  6KB
- MD5
  
  01e76fe9d2033606a48d4816bd9c2d9d
- SHA1
  
  e46d8a9ed4d5da220c81baf5f1fdb94708e9aba2
- SHA256
  
  ee052fd5141bf769b841846170aabf0d7c2bb922c74c623c3f109344534f7a70
- SHA512
  
  62ef7095d1bf53354c20329c2ce8546c277aa0e791839c8a24108a01f9483a953979259e0ad04dbcab966444ee7cdd340f8c9557bc8f98e9400794f2751dc7e0
- SSDEEP
  
  96:J7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN738:HbGgGPzxeX6D8ZyGgmkN
Score

3^/10

discovery
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

remcosremotehostdiscoveryexecutionrat

behavioral3

behavioral4