remcos | f4c4aff15e7db3e69cdcd1449f6a020ff0418b50303135593e9ce14b5f556cd7 | Triage

Sharing

General

Target

RemotePCPrinter.exe_pw_infected.zip
Size

2.3MB
Sample

250109-rye9waskft
MD5

79023d258a234faa6f541815bdef27b7
SHA1

6d92e2d460bef939e83ce189b2bf84d883d76405
SHA256

f4c4aff15e7db3e69cdcd1449f6a020ff0418b50303135593e9ce14b5f556cd7
SHA512

5cbd87218633e59f40decfe3647b8a89dca1c566ec8899cd5a1ff4adf21d5a3076782468a26422c1e3e710c1b0a17136f1ee582b3910e0d7b069c6c432e46598
SSDEEP

49152:ee74CSzmLmMaNaJh8VL0WGXSZcmyRiX+2ogb7Sqj9I:NTEou9aSZ6W7SqK

Score

10^/10

remcos gozo discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

gozo

C2

newstaticfreepoint24.ddns-ip.net:30201

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
registros.dat
keylog_flag
false
keylog_folder
data
mouse_option
false
mutex
lmajjdnchhdybagtqbsjsjdjjskshs-PPNSD0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Capturas de pantalla
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  0x0025000000046617-2188
- Size
  
  915.2MB
- MD5
  
  a084c1b14eefc00c8adf95faba838f71
- SHA1
  
  2cc59b80e92d1e5facebbd3646b0ec2972e994d0
- SHA256
  
  b0154e35bd08a554b64f0ec61cb1c2fe766c96f2ad56124851fbb46a7a4d67bf
- SHA512
  
  68e4c0d09fa1fb18c6726cc1f51e37584a746543bb3498fbd6775a7e3505a6a36986c7ccfe212d40cce10588ddf76e5b707181ce545dc5e17fc37728041e395c
- SSDEEP
  
  24576:2UX4dOOOjXBaykZ+1X80ikrNL2dOOONUu8T2GhOOPiE3OAHwnBqk38wAyBnaAqmX:vIdKRDXlrNadfTXPR31QnBz38wAkaAk
Score

10^/10

discovery persistence remcos gozo rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Downloads MZ/PE file
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistence

behavioral2

remcosgozodiscoverypersistencerat