remcos | 8b2666d4856f98b157dd705cc3a13f1c9203e432d841251528d31460968c89e8 | Triage

Sharing

General

Target

JaffaCakes118_8b2666d4856f98b157dd705cc3a13f1c9203e432d841251528d31460968c89e8
Size

1.4MB
Sample

241229-hn9w3awker
MD5

3702ff38924ec1cf5689b184d9988984
SHA1

c663d2c8351388ebd9195731b419f4c655739a2d
SHA256

8b2666d4856f98b157dd705cc3a13f1c9203e432d841251528d31460968c89e8
SHA512

15c4729e6431c22e0f022d6b5480aa5558ab7e0f6994d7d29704590ad10a8e92a2d79ecd0eb62df669c65e48a87d4ca9c36242a341d2c9f58ae87aff59ba58b5
SSDEEP

24576:7M6lNwTPvZHvkqfLLy9dJ+G9tRuJ77ftm1aBCY+YOTo5fW/lS3VW9rls3:QuN2sky9dYfftm1aYZtTo5fUlYVW963

Score

10^/10

remcos xred ff backdoor discovery persistence rat

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

remcos

Version

3.1.4 Pro

Botnet

ff

C2

64.44.139.178:7200

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-EQ1491
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Targets

- Target
  
  MUrCVpcnKl3TR9r.exe
- Size
  
  1.7MB
- MD5
  
  91988de4e4b2afd8a555630fa6cfdef7
- SHA1
  
  31c8e99d816f5df8ce8f152002405ba40257cdf6
- SHA256
  
  e0282af4b6dc2361d472e2c8bae5e3c54d4564400980ec27587300cf1b7464e0
- SHA512
  
  ae8314ff9a117e77db441050ca79ed297700140f9e5bd80592422f1e658b21b7defe322887facd668e42ae85d6418d72049d8a92349fe78f4ea3846f68ceaf60
- SSDEEP
  
  49152:shPfOrFw7mIYTVAh2nHFa1mvC8H+vef7+q7U:shPfOrrPTVLFatB8
Score

10^/10

remcos xred ff backdoor discovery persistence rat
- Modifies WinLogon for persistence
  persistence
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosxredffbackdoordiscoverypersistencerat

behavioral2

remcosxredbackdoordiscoverypersistencerat