remcos | 2027658fe07e8ef66d192bf1697cf0d9e91f9813ded69da4408747fb3724b3ec | Triage

Sharing

General

Target

2027658fe07e8ef66d192bf1697cf0d9e91f9813ded69da4408747fb3724b3ec.exe
Size

1.7MB
Sample

241220-cnyk5sxlbm
MD5

d2729f574a3ba69a10c00a5992986226
SHA1

827b50066bf4509c1f293f2e2170b86070f3bcd6
SHA256

2027658fe07e8ef66d192bf1697cf0d9e91f9813ded69da4408747fb3724b3ec
SHA512

7bc28a41cc7c61dfc1eb205d7b46da0c9453ce7424fe8eceade72fb5429ac08f72b67b77bdc72df3aaac755bb037808f7714a5334c9e5c541d55fead4df279ca
SSDEEP

49152:f4yTKXSSgG7DpdzSzn2Y2+TITsGWgECdytvV9iSkbwrsK+ZTF4ShJtO:AyeSSgG7Dpdzm2YusGW/CqvV94w02iHO

Score

10^/10

remcos clavelse discovery rat

Malware Config

Extracted

Family

remcos

Botnet

clavelse

C2

navegacionseguracol24vip.org:3021

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
registros.dat
keylog_flag
false
keylog_folder
data
mouse_option
false
mutex
mzbxvvcmmzbcbbzmzncbxbx-1YWF5B
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Capturas de pantalla
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  2027658fe07e8ef66d192bf1697cf0d9e91f9813ded69da4408747fb3724b3ec.exe
- Size
  
  1.7MB
- MD5
  
  d2729f574a3ba69a10c00a5992986226
- SHA1
  
  827b50066bf4509c1f293f2e2170b86070f3bcd6
- SHA256
  
  2027658fe07e8ef66d192bf1697cf0d9e91f9813ded69da4408747fb3724b3ec
- SHA512
  
  7bc28a41cc7c61dfc1eb205d7b46da0c9453ce7424fe8eceade72fb5429ac08f72b67b77bdc72df3aaac755bb037808f7714a5334c9e5c541d55fead4df279ca
- SSDEEP
  
  49152:f4yTKXSSgG7DpdzSzn2Y2+TITsGWgECdytvV9iSkbwrsK+ZTF4ShJtO:AyeSSgG7Dpdzm2YusGW/CqvV94w02iHO
Score

10^/10

remcos clavelse discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Enumerates processes with tasklist
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosclavelsediscoveryrat

behavioral2

remcosclavelsediscoveryrat