remcos | 4e31114ffd1000c0242b7537d6329641dc0457dcd6590c57659326a1785ce2f7 | Triage

Sharing

General

Target

4e31114ffd1000c0242b7537d6329641dc0457dcd6590c57659326a1785ce2f7
Size

1.3MB
Sample

250121-a17ngaxndv
MD5

3b921ff1f40f6c6182e84a476152aaf3
SHA1

19db03733444cca5868939074c002de3d4b10948
SHA256

4e31114ffd1000c0242b7537d6329641dc0457dcd6590c57659326a1785ce2f7
SHA512

2546f5d93d5e9a87416d880cad06a95275a9c441aef6481f5fd74cba8ecfe45d29c4486f2593f9567d5aa3e3d88eeaaf89b15f26da31f91cf869cfdb303c7ccc
SSDEEP

24576:V5ZWs+OZVEWry8AFaxtFyar0HteJyUt/1T7fQlbNW6AVDnSwRC4envs:jZB1G8YYFyaQW/1v4QnSwRC4Uvs

Score

10^/10

remcos ��s�÷d discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

��s�÷d

C2

190.6.65.2:25158

microsoft.bnctechnology.space:36546

microsoft.bnctechnology.space:541

Attributes

audio_folder
?§J?°Û¤ù
audio_record_time
5
connect_delay
60
connect_interval
60
copy_file
Virtual.exe
copy_folder
Oracle
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%Temp%
keylog_crypt
true
keylog_file
Microsofts.dat
keylog_flag
false
keylog_folder
Microsoft
mouse_option
false
mutex
juyrkrgj-UGC846
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
ºI?
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  4e31114ffd1000c0242b7537d6329641dc0457dcd6590c57659326a1785ce2f7
- Size
  
  1.3MB
- MD5
  
  3b921ff1f40f6c6182e84a476152aaf3
- SHA1
  
  19db03733444cca5868939074c002de3d4b10948
- SHA256
  
  4e31114ffd1000c0242b7537d6329641dc0457dcd6590c57659326a1785ce2f7
- SHA512
  
  2546f5d93d5e9a87416d880cad06a95275a9c441aef6481f5fd74cba8ecfe45d29c4486f2593f9567d5aa3e3d88eeaaf89b15f26da31f91cf869cfdb303c7ccc
- SSDEEP
  
  24576:V5ZWs+OZVEWry8AFaxtFyar0HteJyUt/1T7fQlbNW6AVDnSwRC4envs:jZB1G8YYFyaQW/1v4QnSwRC4Uvs
Score

10^/10

remcos ��s�÷d discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcos��s�÷ddiscoverypersistencerat

behavioral2

remcos��s�÷ddiscoverypersistencerat