remcos | 6704e5c8b340f0b22b506d04e5b61317fa2cccb7138c270a5c3c6c26646a96a4 | Triage

Sharing

General

Target

30122024_1123_30122024_Quotation.Gz
Size

897KB
Sample

241230-nhlvyavmem
MD5

15b60bc1454b53c7220e447482998943
SHA1

e94dddde1b90850ae4a6f152cce35e10f811c113
SHA256

6704e5c8b340f0b22b506d04e5b61317fa2cccb7138c270a5c3c6c26646a96a4
SHA512

3d28b58827bac0a11621ec2926cdd1ad033a67fe7a8f0421cea9d66cc1c6a26cc25ed5e34bec07d1dd45498ecb98550d41829f4ce4b5bfa5cbef3e1836d2bf9c
SSDEEP

24576:mTpFZfHDclGjLccTGwqdc2MOIdPh7aAi88AuPKCnuCZr:mzZfHtckqdc2MOcaTA6rx

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

185.241.208.87:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7DRXD9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Quotation.exe
- Size
  
  958KB
- MD5
  
  56bf061d982087efb8e2df5789da93db
- SHA1
  
  ad6a49a4dd091fc78f8d5f09d8b2b82b39ef3670
- SHA256
  
  3129730bf6dd9fe71cb30b1ed34ba03b44ab76a820fec8a83cf08c6acce09a56
- SHA512
  
  81cb03129a789907001eb4fd2c4c4a2db4a5ba742ac8f90750b127283b83c1747760a5c4220a39a2bcc59e570d2fe913e2ec7fb7662fe501703a4d5679750523
- SSDEEP
  
  24576:vzraQlDkENJ0aElSCubzae03sA3nD/uRYy:3aUoENJelSlae08A3nTuuy
Score

10^/10

remcos remotehost discovery execution rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostdiscoveryexecutionrat

behavioral2

remcosremotehostdiscoveryexecutionrat