remcos | e5f2879072cdd3e4905f5fa8017be818d2c61f718d0fd322196e9cd54062ba4a | Triage

Sharing

General

Target

1111.hta
Size

2KB
Sample

250103-ptwd7axkbn
MD5

91b57eb5e0925c7522374b0c64902dfd
SHA1

437da5eb27efeb38a9b7f804066205964a345a33
SHA256

e5f2879072cdd3e4905f5fa8017be818d2c61f718d0fd322196e9cd54062ba4a
SHA512

68dc36ae7ba35fb736677a7b179cfdea7b93ff7cb95ea27ffec9bde61cfc3358148cb612a33450b2b5ce452bf47077a8ed6e6d5b497e027b05415a89ec5b76f4

Score

10^/10

remcos hello world!discovery execution persistence rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/docspaceplace/test2/downloads/1.exe

Extracted

Family

remcos

Botnet

Hello World!

C2

46.175.167.116:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Realtek Driver.exe
copy_folder
Realtek Audio
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Realtek Audio-J15M0S
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  1111.hta
- Size
  
  2KB
- MD5
  
  91b57eb5e0925c7522374b0c64902dfd
- SHA1
  
  437da5eb27efeb38a9b7f804066205964a345a33
- SHA256
  
  e5f2879072cdd3e4905f5fa8017be818d2c61f718d0fd322196e9cd54062ba4a
- SHA512
  
  68dc36ae7ba35fb736677a7b179cfdea7b93ff7cb95ea27ffec9bde61cfc3358148cb612a33450b2b5ce452bf47077a8ed6e6d5b497e027b05415a89ec5b76f4
Score

10^/10

discovery execution remcos hello world!persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

remcoshello world!discoveryexecutionpersistencerat