remcos | 357a5929cd1b2559b2a50320b4ef80b4f0b004d2aaa40b139888b848fe1cc0f8 | Triage

Sharing

General

Target

DarkCrypter2.1a.exe
Size

4.4MB
Sample

250201-j81pkavmhw
MD5

9d4c4dccaf0b326d53d28486caba0695
SHA1

dab4f18ce630e70ddeb13cc15e6ce49a612c9659
SHA256

357a5929cd1b2559b2a50320b4ef80b4f0b004d2aaa40b139888b848fe1cc0f8
SHA512

f639c4e3f58b08ea33a0576da409a6a3c7d30d525ff7a9e23da4fe55890f860baa08b434eccc2332628ab8989ecaf0e995767df433b10340d1f053032371f458
SSDEEP

98304:CQBZnWAWcWbFbIpvObbzkn/wYOjhGcwkn39d9Iq1sqZ26m/zItUxsbb:xWJcYbcObbzk/wYA8md1sqZ26mstUxs

Score

10^/10

remcos rmnoncrypt discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RmNONcrypt

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
19
connect_interval
12
copy_file
redistkb_102241.exe
copy_folder
.monosvc
delete_file
true
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
dmpmini.dat
keylog_flag
false
keylog_folder
.monosvc
keylog_path
%AppData%
mouse_option
false
mutex
h9KMA-TKWTGJ
screenshot_crypt
true
screenshot_flag
false
screenshot_folder
fstlock
screenshot_path
%AppData%
screenshot_time
10
startup_value
Battery status
take_screenshot_option
true
take_screenshot_time
6
take_screenshot_title
Account;Payment;PayPal;License;Activation;Client;Banking

Targets

- Target
  
  DarkCrypter2.1a.exe
- Size
  
  4.4MB
- MD5
  
  9d4c4dccaf0b326d53d28486caba0695
- SHA1
  
  dab4f18ce630e70ddeb13cc15e6ce49a612c9659
- SHA256
  
  357a5929cd1b2559b2a50320b4ef80b4f0b004d2aaa40b139888b848fe1cc0f8
- SHA512
  
  f639c4e3f58b08ea33a0576da409a6a3c7d30d525ff7a9e23da4fe55890f860baa08b434eccc2332628ab8989ecaf0e995767df433b10340d1f053032371f458
- SSDEEP
  
  98304:CQBZnWAWcWbFbIpvObbzkn/wYOjhGcwkn39d9Iq1sqZ26m/zItUxsbb:xWJcYbcObbzk/wYA8md1sqZ26mstUxs
Score

10^/10

remcos rmnoncrypt discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Program crash
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosrmnoncryptdiscoverypersistencerat

behavioral2

remcosrmnoncryptdiscoverypersistencerat