remcos | 27e9c5e774bf0946e99a7f34d14ded33ca1c236765fbcfda83e234d70d15c652 | Triage

Sharing

General

Target

Purchase Order.exe
Size

1.1MB
Sample

250129-pg6pdswkap
MD5

d5261204d9c158b2bab4272f89f7df17
SHA1

11d82d35d6d5ef250b9cedf4d1f7cd98c0246546
SHA256

27e9c5e774bf0946e99a7f34d14ded33ca1c236765fbcfda83e234d70d15c652
SHA512

2710b22611fca8f90c38c715755a4ec34eec2fd176df45c68c4712d6a5b2803643f09bc05d9d08eb2981f4985355e4d1259eb7a42c8766aabc3f9f1badef4564
SSDEEP

24576:bzls/WgXN832qWivcsegk5vQ2F+wK9ADZyM6RGk:YN832q7vwrQW+wYl

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

2.58.56.182:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-GM05WY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Purchase Order.exe
- Size
  
  1.1MB
- MD5
  
  d5261204d9c158b2bab4272f89f7df17
- SHA1
  
  11d82d35d6d5ef250b9cedf4d1f7cd98c0246546
- SHA256
  
  27e9c5e774bf0946e99a7f34d14ded33ca1c236765fbcfda83e234d70d15c652
- SHA512
  
  2710b22611fca8f90c38c715755a4ec34eec2fd176df45c68c4712d6a5b2803643f09bc05d9d08eb2981f4985355e4d1259eb7a42c8766aabc3f9f1badef4564
- SSDEEP
  
  24576:bzls/WgXN832qWivcsegk5vQ2F+wK9ADZyM6RGk:YN832q7vwrQW+wYl
Score

10^/10

discovery execution remcos remotehost rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

remcosremotehostdiscoveryexecutionrat