remcos

Resubmissions

25-01-2025 09:39

250125-lmqctaymal 7

25-01-2025 09:10

250125-k5g9gsxnhq 10

25-01-2025 09:08

250125-k3v3kawlet 3

25-01-2025 09:05

250125-k2c6csxmfk 10

Sharing

Copy URL

Twitter E-mail

General

Target

707a92f8be7ef3e0fd8575d9541ca1181b9fb3f1822f27640114c7e69261b660N.exe
Size

140KB
Sample

250125-k2c6csxmfk
MD5

5575ea822efee57068636d5d234e7cd0
SHA1

a02d06be42fc19206663a5beb8fbd90634c7f09d
SHA256

707a92f8be7ef3e0fd8575d9541ca1181b9fb3f1822f27640114c7e69261b660
SHA512

4c08e62df1d7ed2b119f74ba130755f6c524058866669c956ad27c17a4bff530349b20febddcc289067ba8e592fa257b8bc45d3c0fbbd7be60825e54ede6238c
SSDEEP

3072:xPd4n/M+WLcilrpgGH/GwY87mVmIXhIHVSYK:xP6/M+WLckOBhVmIYPK

Score

10^/10

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

systemcontrol.ddns.net:45000

systemcontrol2.ddns.net:45000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
OfficeUpgrade.exe
copy_folder
OfficeUpgrade
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
Upgrader.dat
keylog_flag
false
keylog_folder
Upgrader
keylog_path
%AppData%
mouse_option
false
mutex
req_khauflaoyr
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
OfficeUpgrade
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  707a92f8be7ef3e0fd8575d9541ca1181b9fb3f1822f27640114c7e69261b660N.exe
- Size
  
  140KB
- MD5
  
  5575ea822efee57068636d5d234e7cd0
- SHA1
  
  a02d06be42fc19206663a5beb8fbd90634c7f09d
- SHA256
  
  707a92f8be7ef3e0fd8575d9541ca1181b9fb3f1822f27640114c7e69261b660
- SHA512
  
  4c08e62df1d7ed2b119f74ba130755f6c524058866669c956ad27c17a4bff530349b20febddcc289067ba8e592fa257b8bc45d3c0fbbd7be60825e54ede6238c
- SSDEEP
  
  3072:xPd4n/M+WLcilrpgGH/GwY87mVmIXhIHVSYK:xP6/M+WLckOBhVmIYPK
Score

10^/10

remcos host discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Remcos family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2