remcos

Resubmissions

05-02-2025 18:49

250205-xgj5ds1jen 6

05-02-2025 09:29

05-02-2025 07:57

04-02-2025 16:25

04-02-2025 16:16

22-01-2025 11:24

Sharing

Copy URL

Twitter E-mail

General

Target

2025-01-22_21d52d07f0f04e0934011978a85e6a15_avoslocker_luca-stealer
Size

3.3MB
Sample

250204-tq96dstkcn
MD5

21d52d07f0f04e0934011978a85e6a15
SHA1

07647f0eddf46d19e0864624b22236b2cdf561a1
SHA256

35612c79bde985c957ba521bbc7aa8541c31fb235ca7a91d0ee225f988921eb4
SHA512

0338a651fbbbd327dc4fa97f72106db9dafced3226823b2149ec2567745c492c051b9a6a2210ccc0ffc5345a6dad9f3764aeed5cd77562ab6202dd977c59480a
SSDEEP

98304:8KsW1+M5NCnvjZEb9B7Z9B7Gy5p6v8u9B7:81yy2j7Zj7j5p6Rj7

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

fuck

republicadominica2025.ip-ddns.com:30202

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
rostad
mouse_option
false
mutex
iwebfiewbfihbewlfkm-WH4782
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  2025-01-22_21d52d07f0f04e0934011978a85e6a15_avoslocker_luca-stealer
- Size
  
  3.3MB
- MD5
  
  21d52d07f0f04e0934011978a85e6a15
- SHA1
  
  07647f0eddf46d19e0864624b22236b2cdf561a1
- SHA256
  
  35612c79bde985c957ba521bbc7aa8541c31fb235ca7a91d0ee225f988921eb4
- SHA512
  
  0338a651fbbbd327dc4fa97f72106db9dafced3226823b2149ec2567745c492c051b9a6a2210ccc0ffc5345a6dad9f3764aeed5cd77562ab6202dd977c59480a
- SSDEEP
  
  98304:8KsW1+M5NCnvjZEb9B7Z9B7Gy5p6v8u9B7:81yy2j7Zj7j5p6Rj7
Score

10^/10

discovery persistence remcos fuck rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Downloads MZ/PE file
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Remcos family

Downloads MZ/PE file

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4