remcos | 97495c8622198ded0c7900667e021c4d1aaac9e1ce7ed8c7bc3b213644304b98 | Triage

Sharing

General

Target

97495c8622198ded0c7900667e021c4d1aaac9e1ce7ed8c7bc3b213644304b98
Size

482KB
Sample

250113-d6nz4atnhv
MD5

e61d35b4c0deb8fecc6433b5a7428de7
SHA1

0775f95b8987295db7dabef76f5a248bd667a1d6
SHA256

97495c8622198ded0c7900667e021c4d1aaac9e1ce7ed8c7bc3b213644304b98
SHA512

432086fcc5cef2eb1c4df51a753ede7a352488e58ad2e956a47815580794da2aa941f68bdb826bb3031d15bae110f7d8b4f982e9e9cb1be2fcf298e24d16e077
SSDEEP

12288:x13ak/mBXTG4/1v08KI7ZnMEF76JqmsvZQ1S:jak/mBXTV/R0nEF76gFZi

Score

10^/10

remcos winslogon discovery evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

winslogon

C2

194.180.48.18:45265

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
winslogon.exe
copy_folder
winslogon
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
winslogon
keylog_path
%AppData%
mouse_option
false
mutex
winslogon-BNBAGB
screenshot_crypt
true
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
true
take_screenshot_time
60
take_screenshot_title
pay;money;wallet;dashboard;notpad;password;login;user;payment;signin;crypto;metamask;bitcoin;secret;phrase;seed;seedphrase

Targets

- Target
  
  97495c8622198ded0c7900667e021c4d1aaac9e1ce7ed8c7bc3b213644304b98
- Size
  
  482KB
- MD5
  
  e61d35b4c0deb8fecc6433b5a7428de7
- SHA1
  
  0775f95b8987295db7dabef76f5a248bd667a1d6
- SHA256
  
  97495c8622198ded0c7900667e021c4d1aaac9e1ce7ed8c7bc3b213644304b98
- SHA512
  
  432086fcc5cef2eb1c4df51a753ede7a352488e58ad2e956a47815580794da2aa941f68bdb826bb3031d15bae110f7d8b4f982e9e9cb1be2fcf298e24d16e077
- SSDEEP
  
  12288:x13ak/mBXTG4/1v08KI7ZnMEF76JqmsvZQ1S:jak/mBXTV/R0nEF76gFZi
Score

10^/10

remcos winslogon discovery evasion persistence rat trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- UAC bypass
  evasion trojan
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

winslogonremcos

behavioral1

remcoswinslogondiscoveryevasionpersistencerattrojan

behavioral2

remcoswinslogondiscoveryevasionpersistencerattrojan