remcos | 30fb134992208f5e411d9586d20c4de6eaf18799a898c88ffbea4ae4584fb309 | Triage

Sharing

General

Target

JaffaCakes118_30fb134992208f5e411d9586d20c4de6eaf18799a898c88ffbea4ae4584fb309
Size

502KB
Sample

241229-m4l76azmdq
MD5

264d09a00397f5844f1d0e94f593de67
SHA1

c2a87df00233d7b82d1ef049a63b68c0c7e3bf0c
SHA256

30fb134992208f5e411d9586d20c4de6eaf18799a898c88ffbea4ae4584fb309
SHA512

f66881e3114c07d0fb9f9d802065cdd1b6a7871d83841e60cb5ca6b8737f0ace946e983e71a76baf68bf70c94535ccc952ba0e8a8787b820d9195a7aa71b4f2b
SSDEEP

12288:aC4HoEzMxAnL2VGNQGlmEqC9/3r3P0I3x9EKT:M4x8a8eGlVVb73xWKT

Score

10^/10

remcos remotehost discovery rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

wealthambassador.ddns.net:39450

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-S77937
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Targets

- Target
  
  c530ab34e439bbcaf995290504072a5f77ec085e2ef485e4ef324b7a957f5738
- Size
  
  599KB
- MD5
  
  bb662e82e04ac3c7866cba446c15ccae
- SHA1
  
  1b90f8f280d5d90c771aa0afe393b29c4ab8e2c1
- SHA256
  
  c530ab34e439bbcaf995290504072a5f77ec085e2ef485e4ef324b7a957f5738
- SHA512
  
  444aae4807df3be896177f1b039196387cdd9024b3f8051af7fb1ef9918ec7a9c9446c478f45f9fc8df2c0f6479807c68a612ef9e14ed521d615337efd4372d4
- SSDEEP
  
  12288:8oIzAxAjLyVG/QGlGwqC5/3z3P4I3xJRKY:EExM+8IGlThD33xjKY
Score

10^/10

remcos remotehost discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  ftmpfyzcha.exe
- Size
  
  120KB
- MD5
  
  0b9c734942a35a6960bb3222a2aa3e47
- SHA1
  
  31edcd3b02af420e4b25a3eba0f77ea820d13e75
- SHA256
  
  f9ed31df479d80626e3834b0d9d11b5e2815b6704973736f324c055c99a6adcf
- SHA512
  
  e880062dd3de2a18566e47d279b67af82abf88d52380e55c8a43a20cae90f1f9b1a99bba67df40cc5d6578bb3729c43a8fd48d8fd8531c131d95a55cfc262c5d
- SSDEEP
  
  1536:bYraTSjiYFwlvwVC1TsJ66zafChiC+/WGvyDezXw8MGcc8o4D/0sWjcdiG36Dmd:cjFwlvweI8kaZ9eGv92oy7iG36DK
Score

3^/10

discovery
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostdiscoveryrat

behavioral2

behavioral3

behavioral4