remcos | 3d34565abf55fd4d5963b1b1f2cf5590468b716b83ea67ba5231457f9153bc38 | Triage

Sharing

General

Target

065a6053492ecc989755413d4b9cffea.bin
Size

943KB
Sample

241219-bc36tazlcv
MD5

5fca800fadd02fabed626ed37936f77f
SHA1

9870b1b412561db9c8afe6e312003262ce55fa76
SHA256

3d34565abf55fd4d5963b1b1f2cf5590468b716b83ea67ba5231457f9153bc38
SHA512

7345c37715323d50b5303238170e38585c6283dcdd928be27db3f1a8c9f29d8df4025c5ccbbe55a67a59c05e0b08653d106cb3c4dc60f2cc03f945cfac7ed580
SSDEEP

12288:VlYiwskxkvvkh28aap6aMl05YKByv0BpVTx/jgPSbnu4C972b+a6YFV3UO+f4tWA:Bcxk8EawnSp7EPSxCNZ9YzC4YP7MoQ

Score

10^/10

remcos elvis discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

elvis

C2

107.173.4.16:2560

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-T6WK9E
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  be5fbed126be0685414464f8d18c42027cbb09c884640c35e2420f96c0d254df.exe
- Size
  
  1.0MB
- MD5
  
  065a6053492ecc989755413d4b9cffea
- SHA1
  
  9955cde6556837bc877e596c5b206df39d060a00
- SHA256
  
  be5fbed126be0685414464f8d18c42027cbb09c884640c35e2420f96c0d254df
- SHA512
  
  1185623940e192747b0c794c3e63c56ad6f941dca6cccf5db2cbf57ccf3cca6b3ba49aa9922dfde87c82b69920c48222c249b70e13915e542dfb6e11072c9588
- SSDEEP
  
  24576:60u2uOCjadxmISCQDJ8wovaxTFfJDe4Pu2:6euCfLQ5xTFd5
Score

10^/10

remcos elvis discovery execution rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcoselvisdiscoveryexecutionrat

behavioral2

remcoselvisdiscoveryexecutionrat