remcos | 99da4f8d4791d9ce9f5bd739c63773bc14f19e971b825a80458a0e748a688da8 | Triage

Sharing

General

Target

09012025_1051_NOTIFICACION JURIDICA.zip
Size

29KB
Sample

250109-mxzvnszncj
MD5

9449875010a68df30e45fb4785ed8f5f
SHA1

75c64d72a7341a74ebdf190efdeecb2104943806
SHA256

99da4f8d4791d9ce9f5bd739c63773bc14f19e971b825a80458a0e748a688da8
SHA512

1b6aec7b06eb3bbaee8bee2cdf2dd0bcdbcc2c9476c1e7b6f09a87cae7b078f9864017af32418ea133967ef50e49b45479726b768975d18d24954299a3875ee2
SSDEEP

768:ak62/llm6yUDEB2WpfZH/4kMVfJQlTHPz2GC:EAyz/B2WpxQzfCvqf

Score

10^/10

remcos 2025 discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

2025

C2

masterrechargeel.kozow.com:6565

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-FI6YA9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  NOTIFICACION JURIDICA/NOTIFICACION JURIDICA FISCAL POR ABUSO DE CONFIANZA.js
- Size
  
  3.7MB
- MD5
  
  227a0b4511190f239ad8a6f1ec17bf4d
- SHA1
  
  d431266d6bf66c619f8b0f7e5cd8df04cdd24bf2
- SHA256
  
  c65ee21bdb16755d9ccb650e501f9f4af4ce795347c91b3645ffa71965412a5f
- SHA512
  
  338fd098c94625589547fdc50b126a5c95595fbc5f379c6a3ca9d646f35d4f002eb4c01be0fd7f48ebecbbcfb8ac7d2775dcfb6ee48abbfe79da61490538c29b
- SSDEEP
  
  384:TnLznLznLznLznLznLznLznLznLznLznLznLznLznLznLznLznLznLznLD:PvvvvvvvvvvvvvvvvvvD
Score

10^/10

execution remcos 2025 discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

remcos2025discoveryexecutionrat