remcos | a9fc803f335632186421fa99723dcf6025f6dc29c1bc6f2a36ee2d120920a842 | Triage

Sharing

General

Target

JaffaCakes118_a9fc803f335632186421fa99723dcf6025f6dc29c1bc6f2a36ee2d120920a842
Size

216KB
Sample

241229-f5t6tstngz
MD5

1ae62d83952e7f4fbe64966711dc1547
SHA1

a4ef1a3f456aeb29f2a6910d2cba6b77553135ac
SHA256

a9fc803f335632186421fa99723dcf6025f6dc29c1bc6f2a36ee2d120920a842
SHA512

239be56c90676f0a062535b062f41566da1ebb033b076d87545740da7f60b5aa4eb1a1568ac91e1bf90229f36be32da303819fd29c4bf407b72d118210038304
SSDEEP

6144:hP46eAKjlqScrRk00t3tXdzoJLiXeL01vF0wcPp:26hKQScrRd0xzoJ2XeL01eHp

Score

10^/10

remcos new discovery rat

Malware Config

Extracted

Family

remcos

Version

2.7.2 Pro

Botnet

NEW

C2

insidelife1.ddns.net:2123

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-FXFW4N
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Targets

- Target
  
  9073782912,pdf.exe
- Size
  
  362KB
- MD5
  
  a7fcbd96b8a0db116079de4ea0e996d6
- SHA1
  
  890e3cc679fbd6e7ab63153e19d3cadfedd6cee0
- SHA256
  
  173c70809b04f14f357dde36d17bd02b075dcfdecf0e8cc5c69fb4266e452bb7
- SHA512
  
  e9cba770b543daf9c90e856a476aac1c44ea6f892b62ae31ea7c9fb565f7f7f4cee8ef430cf8fa8bd3b995b5a15af063b53d0e963d4c7630111ca37674547b9f
- SSDEEP
  
  6144:QBlL/UyTeiB0PJo3zzj9XJkhtXyofdY4Z2M7b2Y2TTzp1K:iDnfj9XmLJbZ2M7b27jK
Score

10^/10

remcos new discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  10KB
- MD5
  
  56a321bd011112ec5d8a32b2f6fd3231
- SHA1
  
  df20e3a35a1636de64df5290ae5e4e7572447f78
- SHA256
  
  bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1
- SHA512
  
  5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3
- SSDEEP
  
  192:uv+cJZE61KRWJQO6tFiUdK7ckK4k7l1XRBm0w+NiHi1GSJ:uf6rtFRduQ1W+fG8
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/c163.dll
- Size
  
  149KB
- MD5
  
  ff92e869d01daa3746d2cec2646ad093
- SHA1
  
  8550d250841652780bc92379fadf5a39244bc64e
- SHA256
  
  af33fde8b5a9f218f92278d6c1c17e91624242262fa65e9a770fb81b14b42bb4
- SHA512
  
  9899011426347267a98ca13c5dda0f20a3d9976e33c0be4aa21d4bfc656d094088403bf9cfb6f443efb4b24748b207a6af0f723bebfc7209baff334cdba16cdb
- SSDEEP
  
  3072:+xH0psiSorXyEpuxm/RyCcVAO91YaU5UM7eOFB8MrzItMyq/SB59Hnlf:5pHSmpuxm/RyCcVAOsa87/B8agMySArx
Score

10^/10

remcos new discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
behavioral5 behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosnewdiscoveryrat

behavioral2

behavioral3

behavioral4

behavioral5

remcosnewdiscoveryrat

behavioral6

remcosnewdiscoveryrat