remcos

General

Target

871f18d099c9736f0115a57b020aba083f8af3c22dd5d990ce090c2899010129
Size

10.9MB
Sample

250201-gtg8kasndy
MD5

5faa7e3673ea3cc69043dcb5a046f2f8
SHA1

6d00d2034b2354c3ee66eb8c254f71dce4bfd50b
SHA256

871f18d099c9736f0115a57b020aba083f8af3c22dd5d990ce090c2899010129
SHA512

cc04d033a18749f965f0f0d947db6f12501aff6fc87faedf7bd0ae813cbc00e9b6fc068125b6bd0283d1d36fd027cde1aefa885dfa6ab26856446c05aee6292a
SSDEEP

196608:3DUmu8YPX72OTTASl6yp0udnMetkVUg+XSPaYtWBBANkgckGYjTP7lfVkJPLB1Q:3gmup2sAm6y+sDtKUg2SyYtWBBlVfGTP

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

1aNEW

C2

5.45.76.64:1463

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
dasdasdas0saVosR0s01-XF6C0E
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Phoenix Bios Editor/Phoenix Bios Editor.exe
- Size
  
  3.0MB
- MD5
  
  724e28bfe09dfaf69bd9df89bee3770d
- SHA1
  
  a2450d169a800d74199e42fac815ec0311d893c0
- SHA256
  
  fa882edca2a7f0e561e4b8ee3cd8260a39a09d598fe0f197ad59038df45adb9f
- SHA512
  
  33d7bcd590bcd66c6b56ce6963330f59adeba7f85d063388209ac3ae8e75f3285eaa20fa09221c630307d72ab0be40b93b629e88b78de557b38c4904f261c35b
- SSDEEP
  
  49152:ZEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVd3338w:t92bz2Eb6pd7B6bAGx7n333j
Score

10^/10

remcos 1anew discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Remcos family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2