remcos | 329eb8f2ecbea9a9cc0e9c84f5ba029a7c3f4f54d1bbbf8e09431318d4325610 | Triage

Sharing

General

Target

JaffaCakes118_329eb8f2ecbea9a9cc0e9c84f5ba029a7c3f4f54d1bbbf8e09431318d4325610
Size

1007KB
Sample

241229-j15njsxkby
MD5

cdb6474c1dcb8554b3ca4d059dad5e15
SHA1

e79c99f7a57693c60c65b78e21ac3b756fed583e
SHA256

329eb8f2ecbea9a9cc0e9c84f5ba029a7c3f4f54d1bbbf8e09431318d4325610
SHA512

91861069b1d3f2b5f6b90008664a7b70a39be2ca335c2f86b1001f92107bdda07e5605a0fd4af35d4b17370b7e4ab2a9a2dde328d4143a85b24f9ebda1a02720
SSDEEP

24576:TLzGNGo0N5ly8NTND8fsLgUuKiEpdw4LnGFvQEHj8Y8CK:TCumsLg9KiWdw4CdYh

Score

10^/10

remcos remotehost discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

79.134.225.7:2050

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-TTGDBF
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Targets

- Target
  
  418cc2f738fc7f9ebdf659f04ad39c5cf02bb1ee9221955accbe5357a7a6ca63
- Size
  
  1.3MB
- MD5
  
  349d827857cd2dc23fb06077d246f9ea
- SHA1
  
  78ee20b8ec3ba85a2181f25ea896b6fa99c4302f
- SHA256
  
  418cc2f738fc7f9ebdf659f04ad39c5cf02bb1ee9221955accbe5357a7a6ca63
- SHA512
  
  ab9a1f0fbd030acd105cc3045b4bae667a8b26aa66c30504f9201ad9361697d1e2a133b7f6d2d78f09fcdc0e2783459efdaa41636a94d1f6b42bab546aeeabee
- SSDEEP
  
  24576:DcKOYIFAIu83P3+qKaIbEnR6OJIQoJfZp63sQubuMrZzeG2:dO97ROqKaZdIQolL63jcTze/
Score

10^/10

remcos remotehost discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostdiscoverypersistencerat

behavioral2

remcosremotehostdiscoverypersistencerat