remcos | 40a4b12c7c640f2aab54020b79d687b994f9e6b180dd213e9923e416308a7003 | Triage

Sharing

General

Target

JaffaCakes118_40a4b12c7c640f2aab54020b79d687b994f9e6b180dd213e9923e416308a7003
Size

663KB
Sample

241221-3j7w5atrbp
MD5

d058f62b83e6add9b65402ae7b15218a
SHA1

183843c0087891da894e0338ceee59987fa8c6be
SHA256

40a4b12c7c640f2aab54020b79d687b994f9e6b180dd213e9923e416308a7003
SHA512

7d4006c6d3501e3b5e3877f7e8e1cab8bc7a0bc1f609b4bd388128c2ad9986e568f5e40e3e1049962957467ac34c074b7875f995717be00866edd84b001bea13
SSDEEP

12288:Wv0DxOfd19kxAPU9y6NJ0XoypVDgedsgmgkEvaBDAHlQaeyJ0/vscj:Wv0DxOGY6F4VDBdsgJkECBDAHiyW/vT

Score

10^/10

remcos remotehost discovery rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

172.111.234.100:5888

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-L3B6TW
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  2dc3362aa16ce15c6e19369b6a8fc2e4b858e8f3afdd9319a1d2970f427a025f
- Size
  
  738KB
- MD5
  
  d34ed02f5df21129c5b0e6bc847b7edf
- SHA1
  
  ec5c08fc92955495bbe41a581fc2385f3bf3f897
- SHA256
  
  2dc3362aa16ce15c6e19369b6a8fc2e4b858e8f3afdd9319a1d2970f427a025f
- SHA512
  
  f8f36ad34ca36baf2f5fbad09326c9e0f66059beb68f3743f4435f7b0a933d13d964cb96d1b2334ec6e667d4868cbc99d7580502a2016baf8838e58a1f25df1d
- SSDEEP
  
  12288:D5A/1ck0MVNsspCbS5IUQinQic+fRlFqkwch2JJxqUcmpvj6SCKVEYbXuhhookb7:lAnpCkIUQin9RlNhEJIUcmpvjLpVivhV
Score

10^/10

remcos remotehost discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostdiscoveryrat

behavioral2

remcosremotehostdiscoveryrat