remcos | ecda47981df58b45e0c3ff4271613a55f5134ef9acf5d041fcca8b49ddbc9ee7 | Triage

Sharing

General

Target

JaffaCakes118_ecda47981df58b45e0c3ff4271613a55f5134ef9acf5d041fcca8b49ddbc9ee7
Size

249KB
Sample

241229-k3v3kaxrej
MD5

c0e149cb066675605cb1d397ad43726f
SHA1

d06c9907b16298d7557f455b25d9f7080bbf0d33
SHA256

ecda47981df58b45e0c3ff4271613a55f5134ef9acf5d041fcca8b49ddbc9ee7
SHA512

3865eefcfb7e7fa750b0410aef6303b1564115a4c0b41c910b231346a3b5c4c421acfced11d203508e590e95e5a4654c460161431d0fbd9999226e7f6454418b
SSDEEP

6144:9m9gOPdvC0FWgduKsbWYcwpc0Ie1OnZb75ui/iazuSVVzPkl:s9gQv2IKCwq75uiPzXk

Score

10^/10

remcos new-files discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

2.7.1 Pro

Botnet

NEW-FILES

C2

www.kesaihk.com:5004

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-M95371
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Targets

- Target
  
  17e9d52b94e1a65fc82877895556c7bcc1087c442b146ef7d5ccfe1ce14f3ed6
- Size
  
  917KB
- MD5
  
  41c5accc5d18ccfc53abd3bd9a0cd4fb
- SHA1
  
  4d31540eb9d0e978b3692e253c2f5ddd42cfe77a
- SHA256
  
  17e9d52b94e1a65fc82877895556c7bcc1087c442b146ef7d5ccfe1ce14f3ed6
- SHA512
  
  338efad9b6ed7352c04f3b12e7a41f24aa42e643b9bd58e97f6a8d010c4197614787dbf1a2626ff240823ac085090219e99fa36402de1ff77165dc65c023cb7f
- SSDEEP
  
  12288:zT9NjqguOyNcpLiFxXbhc9JhWc1wOKS8oh:lAHPsh
Score

10^/10

remcos new-files discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosnew-filesdiscoverypersistencerat

behavioral2

remcosnew-filesdiscoverypersistencerat