remcos | 21831de43575b5f0884692b4a1cdf0c3afbbe3249e9662519941c467d648db55 | Triage

Sharing

General

Target

JaffaCakes118_21831de43575b5f0884692b4a1cdf0c3afbbe3249e9662519941c467d648db55
Size

267KB
Sample

241229-dhbpvs1jbr
MD5

c6473ecbb93b064b39c6f09729b82b4b
SHA1

631f326eaf229d2008eac822aab385f82aa2341b
SHA256

21831de43575b5f0884692b4a1cdf0c3afbbe3249e9662519941c467d648db55
SHA512

5b28614170671fcba38ca4fb7e3bc7a36841e83cdab074c90a3cec75b46f51e7b800d22de098b043f01957576ca799740c1752d14b2952c743861e8268bc60e3
SSDEEP

6144:ug5HfuMIajE2/mEejnoSgc+qxCSXDTOjHA0LZXXhRFZfy:xJE4TejoSgrgC5jFLZXXhRFZK

Score

10^/10

remcos temmer-marbles discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

2.7.2 Pro

Botnet

TEMMER-MARBLES

C2

www.stellionlab.com:5004

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-BRE55N
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Targets

- Target
  
  91c4e3f799e541b7b5b770172628b7310c48c0da8b8f73c1239b24d9b39f2815
- Size
  
  34.0MB
- MD5
  
  246f3cc2b81de718feebdff2bea43a79
- SHA1
  
  9c11fcc7bf3d676f1446eac8931022ae86a5e83e
- SHA256
  
  91c4e3f799e541b7b5b770172628b7310c48c0da8b8f73c1239b24d9b39f2815
- SHA512
  
  3c48b88e116127cde459ae5adcc82f33874badb694a7596ee52772e26edcfc37387f30ef49b7f147537108457f268e769be9eb4003638d62d181257e9b426ff8
- SSDEEP
  
  6144:BMb3M3dJE65qnh2DxwA8E4TF6tuCPpbMsgLB3B4JZEHteUK+Jv7UtH5:E3565qWiVAtuCPpbhgN3RH0UKc4t
Score

10^/10

remcos temmer-marbles discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcostemmer-marblesdiscoverypersistencerat

behavioral2

remcostemmer-marblesdiscoverypersistencerat