remcos | e6d5495df143ab691fe58e9e05453c1bf8342ace37e4a7dd1a550d7afe640fd0 | Triage

Sharing

General

Target

JaffaCakes118_e6d5495df143ab691fe58e9e05453c1bf8342ace37e4a7dd1a550d7afe640fd0
Size

801.5MB
Sample

241225-g5lp5azmes
MD5

2b9277603e1db2622f9e3271d01d0caf
SHA1

00106fabb9c8ab767821b32b6346ffffef485aaf
SHA256

e6d5495df143ab691fe58e9e05453c1bf8342ace37e4a7dd1a550d7afe640fd0
SHA512

cc4d093538773cffea41cabf85df5a4589331fc2bf478ef96faeb1f74e35db0b95d847ac9413ff19f08e31fcc7d4c81351bd611e52792bb10cfe798c1553bf0f
SSDEEP

24576:/pBtKkpXwKPHp0EVWnqMKMklXZ8N7Y5jQoLOnrq/aCVXcA:9TdvMKMklXSN7YDOrqyCVXv

Score

10^/10

remcos thorami-v5 discovery rat

Malware Config

Extracted

Family

remcos

Botnet

thorami-v5

C2

rlbotz.duckdns.org:2404

80.76.51.46:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
update.exe
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
furog.dat
keylog_flag
false
mouse_option
false
mutex
Rvhugures-AM08A0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
nupdat
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  JaffaCakes118_e6d5495df143ab691fe58e9e05453c1bf8342ace37e4a7dd1a550d7afe640fd0
- Size
  
  801.5MB
- MD5
  
  2b9277603e1db2622f9e3271d01d0caf
- SHA1
  
  00106fabb9c8ab767821b32b6346ffffef485aaf
- SHA256
  
  e6d5495df143ab691fe58e9e05453c1bf8342ace37e4a7dd1a550d7afe640fd0
- SHA512
  
  cc4d093538773cffea41cabf85df5a4589331fc2bf478ef96faeb1f74e35db0b95d847ac9413ff19f08e31fcc7d4c81351bd611e52792bb10cfe798c1553bf0f
- SSDEEP
  
  24576:/pBtKkpXwKPHp0EVWnqMKMklXZ8N7Y5jQoLOnrq/aCVXcA:9TdvMKMklXSN7YDOrqyCVXv
Score

10^/10

remcos thorami-v5 discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosthorami-v5discoveryrat

behavioral2

remcosthorami-v5discoveryrat