remcos | 3927e9bf483943765d06f52b5da3e3ec5fbc2ac7db70be5c863f38765427d8f6 | Triage

Sharing

General

Target

toolSync_v1.7z
Size

2.3MB
Sample

250109-pt42bsskbr
MD5

b2e7c77181d8ed1dbae5dcd86d53d4f0
SHA1

2170dc4382ad2f5b733ac6731193a1f07503cc5b
SHA256

3927e9bf483943765d06f52b5da3e3ec5fbc2ac7db70be5c863f38765427d8f6
SHA512

53236bdc60f2c038d56aa7d0f6d06de6026b219a4610185994f5ffb16669232c8839490fd527504e2c3d0ff8588b656cbd874eb1d9244860e5c8ca7c9e1f708f
SSDEEP

49152:I6tyqjCEbNQ2khFZZc71ZCHI1lEOZOFp/3sEWij3XesIHu3:IQbeHfc2ClEUksErjHhIO3

Score

10^/10

remcos 5005 discovery rat

Malware Config

Extracted

Family

remcos

Botnet

5005

C2

92.255.85.63:5005

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-6TENMT
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  toolSync_v1/agitator.asp
- Size
  
  947KB
- MD5
  
  f235ee7a69eb63d209526641e146fbfb
- SHA1
  
  a93ae672d8b21f0cac0652c5ed1b098ffa791b77
- SHA256
  
  bf2203ae2b727f3c4f63a46ab9d5beac1189de6b9d4db641b5965c1027596337
- SHA512
  
  56d851567016419274e93a35dce2c8d8807f07530e9248c9b3c30be5ee0fb5f39e935ccff653d16a360866f8b4aff59a07070dcf19202f59ad722a0f53e0c1de
- SSDEEP
  
  24576:WtWCnLLuj8zh1e5JDNz1neaisRwY4xIuFXrIjueaRe1gUnPFuQOOBpDMv6U:W0SLf9WzneaisRwY4WuVrjeaRSPcQOoE
Score

3^/10
behavioral1 behavioral2 behavioral3
- Target
  
  toolSync_v1/buzzard.jpg
- Size
  
  56KB
- MD5
  
  b5b479dd84c8465723f62d9bfa890a8e
- SHA1
  
  ade400a8ccb15678705b269862acf350a61c58b4
- SHA256
  
  dafeebfa6e92322d2966652d1950dee45d686f3b13051ef889a67e7014906136
- SHA512
  
  4384800fd6868efaf0e4f5a4796efebb4c6264ccd42e60a256e73fa9fec0724ef796b8030ee897f699927af67e83e0e40350e461cb3d69f102536291faf18ae5
- SSDEEP
  
  768:UxmDrucZ93TZTIt49IWxHzlWeUe6O0DoTKBC5AKHoBCRocGmrFznaW0YU458xjW7:UtcH3TtIYIWxBaSHi4jeW0/458IHdH
Score

3^/10
behavioral4 behavioral5 behavioral6
- Target
  
  toolSync_v1/madHcCtrl.exe
- Size
  
  3.1MB
- MD5
  
  b841d408448f2a07f308ced1589e7673
- SHA1
  
  f5b5095c0ed69d42110df6d39810d12b1fa32a1e
- SHA256
  
  69a90665113bd73b30360d87f7f6ed2c789a90a67f3b6e86474e21273a64f699
- SHA512
  
  a689734048109ab7bec9491bbb7781686c19c7885166b3ca2975e2f49e956fcc388cd8ca85a4e5a8bf9efe6056f1e0d80197b7f521d4f0d4cadb10ba9ef1fa93
- SSDEEP
  
  49152:pvFg5qg9BtIAHE3SM4ahx6LK2SamuZob+tCjNrv8:Jm5qGBHBLRKuZfkjNrv8
Score

10^/10

remcos 5005 discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Suspicious use of SetThreadContext
behavioral7 behavioral8 behavioral9
- Target
  
  toolSync_v1/madHcNet32.dll
- Size
  
  894KB
- MD5
  
  041d41db569d4bbe764df2586205027e
- SHA1
  
  ea36c581a456fa55694df4a0748ca6e3795dca2b
- SHA256
  
  76dd9f6acbd1104458bcfc216c32e4f8d4de7ae63bbaf01412bd9aa545c4ed59
- SHA512
  
  661dea5145d31ce15fae23a1c2c4591e743a8528bd4eac6a426bf7fad12b4d2aaea01d69d71fbdadbc8d45d4485e94df1f68af1c5a489cf92893c54f2fe6cd83
- SSDEEP
  
  24576:wlUbWq3/gquYUJ4Vgv0eUnDaE0bOxf/T9:wUR4quYUJ4VgceXE0Cxfr
Score

3^/10

discovery
behavioral10 behavioral11 behavioral12
- Target
  
  toolSync_v1/mvrSettings32.dll
- Size
  
  1.0MB
- MD5
  
  d168f18b79f9f33690f011d1deb1e7cf
- SHA1
  
  cf0d984ce101ec274e65e88fae07daeb26de5a6d
- SHA256
  
  b7d3bc460a17e1b43c9ff09786e44ea4033710538bdb539400b55e5b80d0b338
- SHA512
  
  bbf085bcbc3c1c98caba95bdf48051bac18bbd1b7314c7bb55b56e3d423fb34758cc239c237091486cc466123bf02844eaac3b4435cb535af25dc2bca625af71
- SSDEEP
  
  12288:1wsE8YWuTCipwKm3ZCdX+y0Cg57ZrVmK5UhYX5NN/u3ZeEb+LJkguVl1Y1e:XIWuFKKVuig5jZ5xX5P2bKyguJf
Score

3^/10

discovery
behavioral13 behavioral14 behavioral15
- Target
  
  toolSync_v1/unrar.dll
- Size
  
  304KB
- MD5
  
  851c9e8ce9f94457cc36b66678f52494
- SHA1
  
  40abd38c4843ce33052916904c86df8aab1f1713
- SHA256
  
  0891edb0cc1c0208af2e4bc65d6b5a7160642f89fd4b4dc321f79d2b5dfc2dcc
- SHA512
  
  cdf62a7f7bb7a6d511555c492932e9bcf18183c64d4107cd836de1741f41ac304bd6ed553fd868b442eaf5da33198e4900e670cd5ae180d534d2bd56b42d6664
- SSDEEP
  
  6144:e2Gk6wDaKov/5qrawOZI8uN0f/UVvN3MwdZFmiVFC+OEu:e2GkNo35qrawqmG/yM8PmiO+Ol
Score

3^/10

discovery
behavioral16 behavioral17 behavioral18

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

remcos5005discoveryrat

behavioral8

remcos5005discoveryrat

behavioral9

remcos5005discoveryrat

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18