General

  • Target

    14122024_0125_RTM09878GH.cmd.zip

  • Size

    826KB

  • Sample

    241214-bs2b6atrcl

  • MD5

    b46af5547637e668e50d9a27f3355233

  • SHA1

    bfc10872b0467dda536d4d891593025383d00b12

  • SHA256

    e75a4696986efc34b686c88acbb183396fa22b765623d026c3d272be87c57650

  • SHA512

    2b0f575b35bae568584bd809d34d55eea9d113b11a3e33bf6e1e779c699d4c55a5cbf9d4cd16b83e7fa703cf0c7acea1386e2db1bdd552567febd9ae3e50aa13

  • SSDEEP

    24576:Osbx0hCUS/LSdUfxE3P7B3AWCQScwXgKYcP9be1HKWreh+d:KKeA2f7JCQSbZe1qWKId

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

192.210.150.26:3678

Attributes

  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-MKYDDH

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      RTM09878GH.cmd

    • Size

      830KB

    • MD5

      c48a8f69e18ada31f2d4cce1c01f21a4

    • SHA1

      3af7a6a8653982efebe40fdc85a056906e1c5d51

    • SHA256

      8bf7fa237fb9b84868540e4823ee8532d879defebf58267085384ceb117b1c0e

    • SHA512

      6a1d7d22c699b99d9a07b580dd15986cd1d7fb104d1b898f851b446799941736d0e2bf6e37b735a65d4005ed19a71ab4c578587ac3abe5cec6da5a44d6a0008c

    • SSDEEP

      24576:N24ds1x0hwCSfnS5OVx6/Z7XtuQiMSGsX6eYc799exzCQryh+9:dmqOMh7DiMS/Rex+QWI9

    • Remcos

      Remcos is closed-source remote-control and surveillance software.

    • Remcos family

    • UAC bypass

    • Windows security bypass

    • Looks for VirtualBox Guest Additions in registry

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Windows security modification

    • Checks whether UAC is enabled

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks