remcos | 820d600f7e9de3c49ab72a5cf0eed154f8a733a971dc4d601a2941a2b1596aa1 | Triage

Submit
Reports

Overview

overview

Static

static

1

Sample_Ord...91.xls

windows7-x64

Sample_Ord...91.xls

windows10-2004-x64

Sharing

General

Target

Sample_Order_000000991.xls
Size

1.1MB
Sample

241216-thd3zsvqck
MD5

5f2e46c7cb021508ad4cb1cb4785af35
SHA1

49d152547e233e76c58586fa0b0be5f341cc65b0
SHA256

820d600f7e9de3c49ab72a5cf0eed154f8a733a971dc4d601a2941a2b1596aa1
SHA512

2b25d71308e8636d0caefbdb24181061da7d620dfc525422e46455ee0bd205801b8a863ffcc292e81b2636e067776010df0be3596dbefd157f5459b5fdddd8be
SSDEEP

12288:bymzHJEUiOIBUzMTSHD3DERnLRmF8D9EPbxpsAQx1Zj+jeEPubjxAzrGbxzX7n41:hBaKbARM8k78Z+jppr8zr4i4Q8+a5d

Score

10^/10

remcos elvis defense_evasion discovery execution phishing rat

Static task

static1

Behavioral task

behavioral1

Sample

Sample_Order_000000991.xls

Resource

win7-20240903-en

remcos elvis defense_evasion discovery execution phishing rat

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

Sample_Order_000000991.xls

Resource

win10v2004-20241007-en

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

elvis

C2

107.173.4.16:2560

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-GJDISH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Sample_Order_000000991.xls
- Size
  
  1.1MB
- MD5
  
  5f2e46c7cb021508ad4cb1cb4785af35
- SHA1
  
  49d152547e233e76c58586fa0b0be5f341cc65b0
- SHA256
  
  820d600f7e9de3c49ab72a5cf0eed154f8a733a971dc4d601a2941a2b1596aa1
- SHA512
  
  2b25d71308e8636d0caefbdb24181061da7d620dfc525422e46455ee0bd205801b8a863ffcc292e81b2636e067776010df0be3596dbefd157f5459b5fdddd8be
- SSDEEP
  
  12288:bymzHJEUiOIBUzMTSHD3DERnLRmF8D9EPbxpsAQx1Zj+jeEPubjxAzrGbxzX7n41:hBaKbARM8k78Z+jppr8zr4i4Q8+a5d
Score

10^/10

remcos elvis defense_evasion discovery execution phishing rat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Blocklisted process makes network request
- Downloads MZ/PE file
- Evasion via Device Credential Deployment
  defense_evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcoselvisdefense_evasiondiscoveryexecutionphishingrat

behavioral2

© 2018-2025

Terms | Privacy