remcos | 90f942f51ff947d5b8aa4525284e6748845942cfa06df735718cd171d8ced7b9 | Triage

Sharing

General

Target

JaffaCakes118_90f942f51ff947d5b8aa4525284e6748845942cfa06df735718cd171d8ced7b9
Size

40KB
Sample

241225-y4skqawphk
MD5

bd424319f9a69b8470c7eba413c7d4ed
SHA1

77da16f4b5e9cc8f1d0f8a33be4790724de2c045
SHA256

90f942f51ff947d5b8aa4525284e6748845942cfa06df735718cd171d8ced7b9
SHA512

5506cfa89d12be9f422c6c35da48c6849158b639c3c6f55d823cd745a6d56c4d1d48e822092f81caa6d066e3674bc25cd05e06b5b8f240a915d2a911a47ea15b
SSDEEP

768:0sLgT0f16TUC/ukYXxJ8iqkL0GJPCL6lEBlZQIjs2KAtGmKMeUZRHXa:9LgTc1+7Ux+VkLYLwqlZns2KS2iRHXa

Score

10^/10

remcos host discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

192.168.18:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
remcos_chsymxgtedierig
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  71220a7a9e387222473fc47682fb621e542210d5779e1d2df98c115d19a44480
- Size
  
  92KB
- MD5
  
  d1d18f29a568419387624392f19246ca
- SHA1
  
  7d4163da511178566bdf49bf413b50096417bb98
- SHA256
  
  71220a7a9e387222473fc47682fb621e542210d5779e1d2df98c115d19a44480
- SHA512
  
  402104d53273f9471af148e513a47a4c2bc4b4e87d658eab5e96ce226c948dea102a12d49725a77b56bfbc95be5eec729f4694d7ff5ea49a50e6bc5b47e8d369
- SSDEEP
  
  1536:YhhW0YTGZWdVseJxaM9kraLdV2QkQ1TbPX8IHOCkIsI4ESHNTh9E+JP19qkP6kr9:+hzYTGWVvJ8f2v1TbPzuMsIFSHNThy+R
Score

10^/10

remcos host discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcoshostdiscoverypersistencerat

behavioral2

remcoshostdiscoverypersistencerat