remcos | b9c27330ed8eae02a918901435a2d1f98ee20cb2390d9f69fc45a043f2009a5b | Triage

Sharing

General

Target

msword1.zip
Size

3.3MB
Sample

250107-l43dpswnhs
MD5

ef2620f66230219a51a6c2055066c3c3
SHA1

394657c478086158830be943c09630488be56366
SHA256

b9c27330ed8eae02a918901435a2d1f98ee20cb2390d9f69fc45a043f2009a5b
SHA512

c20357671e243aad4a68251a6c49ec9bd69fbfbef104bd73ca6903003d558159c2b5417924cc6228fbb5a8750fe3f24246c8a7686a823e27e7db80eae351023a
SSDEEP

49152:BZH8MW3UdWJhVmT6CpvDjgYDlw0kr1LKEKNoCo:/H8ZZvVopvgYD/kJLKEqu

Score

10^/10

remcos 2024 discovery rat

Malware Config

Extracted

Family

remcos

Botnet

2024

C2

me-work.com:7009

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-LOARC0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  msword.exe
- Size
  
  500.0MB
- MD5
  
  6bcf42715fd1768fe1013c702612d0ee
- SHA1
  
  d7affe603f5d7bbca046aa4ab26bfa458c30c348
- SHA256
  
  71a2295583db11053ac6d0a6770199352bc2f549212548d362e56258ee1cdd50
- SHA512
  
  e749b377c6b19bf8fc42c06fef9a81024e66b190439260f7a7474eeed8a78e2fa2ea56614aceb37110ac4aba2772fdb144965cf99e091efb39d444daa2da839f
- SSDEEP
  
  49152:MVgNiAinrcTVQO6kpZJpe8bMBckBTL26otm:MV8ifArpZy8bVkVL26km
Score

10^/10

remcos 2024 discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Enumerates processes with tasklist
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcos2024discoveryrat

behavioral2

remcos2024discoveryrat