remcos

Sharing

Copy URL

Twitter E-mail

General

Target

JaffaCakes118_87f384904add8574b7fb64030a7dafa8cebc825165553f01180e9dcb60bcfc69
Size

198KB
Sample

241224-yfa1rsvpg1
MD5

3c39e3f2cb644eb66b0ec57e6db33e41
SHA1

9ad386bea5c484c0137f2d58ca5bc8645071724d
SHA256

87f384904add8574b7fb64030a7dafa8cebc825165553f01180e9dcb60bcfc69
SHA512

8a8a9866b292c3b80147aaf3204bb0e3c442025215369f75f7cfdd41f12b28798b9d7dabde27138cc5ccc6ab8e88a6cd51d0fd2de0a6ea7e3cc7efb2c55c1fe6
SSDEEP

3072:OXTQwFDhwpHb6onfMyEzH9rX3cGTXUnM+XcjhXsmai6X58VJyoM2VLQYXDsJ5ohJ:yIJnU3zZswXf+MBdb2gJyxUs5ohwS

Score

10^/10

Malware Config

Extracted

Family

remcos

Version

2.7.2 Pro

Botnet

APRIL-BLESS

shahzad73.casacam.net:2404

shahzad73.ddns.net:2404

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-B1CZ1A
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Targets

- Target
  
  de5992f7c92351d1011fbece2d4bf74ecfc3b09f84aedb12997a2c3bf869de2c
- Size
  
  350KB
- MD5
  
  a917ef9e23640e7454c0003b4a1c4d39
- SHA1
  
  a6f198a415a5459102afe3953a60670afc20356f
- SHA256
  
  de5992f7c92351d1011fbece2d4bf74ecfc3b09f84aedb12997a2c3bf869de2c
- SHA512
  
  57665fc8a14a91fb924bf827c72b4c62847d456cf277f21760b5a3535b9172ededb1eb8d1394543dbe93b707f6d3cd86b0811bafb431b388e7541dd62e63ab12
- SSDEEP
  
  6144:QsJkBV+aEuoRPwi2AT3eV8zaTT56xuKbhGWhgjouQd:+Euolw3V8Y3ohGWqxQd
Score

10^/10

remcos april-bless discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  c17103ae9072a06da581dec998343fc1
- SHA1
  
  b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
- SHA256
  
  dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
- SHA512
  
  d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
- SSDEEP
  
  192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/UserInfo.dll
- Size
  
  4KB
- MD5
  
  7579ade7ae1747a31960a228ce02e666
- SHA1
  
  8ec8571a296737e819dcf86353a43fcf8ec63351
- SHA256
  
  564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
- SHA512
  
  a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  6KB
- MD5
  
  acc2b699edfea5bf5aae45aba3a41e96
- SHA1
  
  d2accf4d494e43ceb2cff69abe4dd17147d29cc2
- SHA256
  
  168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
- SHA512
  
  e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
- SSDEEP
  
  96:M7GUb+YNfwgcr8zyKwZ5S4JxN8BS0ef9/3VI9d0qqyVgNk32E:eKgfwgcr8zylsB49Ud0qJVgNX
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  uninstall.exe
- Size
  
  199KB
- MD5
  
  6b76c5bf9f4851ca1ea09e9af10408bf
- SHA1
  
  2c2923750bcfa62b35c3f5ff30c41b7021bb3b2c
- SHA256
  
  732f723148b72727dac233138cfb937f9e4fe346a89dc10af3ace38ffadf46ab
- SHA512
  
  11c0b9e49f86db1e11ec614bc356d0cfb2b5c0fb0790ea3b1e9fdc47ee91d3addfcb783cf4a920898d1b8d941ee1c8a20ba8762216cbd56e0aae8d617d4e59a1
- SSDEEP
  
  3072:QQIURTXJFQY1YUYGYOWYYJYYYvSOYPDtRYc+OhM22:QsrkBV+522
Score

7^/10

discovery
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
behavioral10 behavioral9
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  6KB
- MD5
  
  acc2b699edfea5bf5aae45aba3a41e96
- SHA1
  
  d2accf4d494e43ceb2cff69abe4dd17147d29cc2
- SHA256
  
  168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
- SHA512
  
  e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
- SSDEEP
  
  96:M7GUb+YNfwgcr8zyKwZ5S4JxN8BS0ef9/3VI9d0qqyVgNk32E:eKgfwgcr8zylsB49Ud0qJVgNX
Score

3^/10

discovery
behavioral11 behavioral12

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Remcos family

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Deletes itself

Executes dropped EXE

Loads dropped DLL

Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12