remcos

Sharing

Copy URL

Twitter E-mail

General

Target

TaxOrganizer24.zip
Size

5.9MB
Sample

250206-lzscyatkgj
MD5

81c362ea018f73aabf713791db7e734c
SHA1

0869b217f896fa70d64d8279b1a5796e80db2ae9
SHA256

c1411695a46008567ed81c474298a6cade2e743d50019acb46407ed66cb11b0e
SHA512

24ae50861b8f3b1d89bc94c98a1a53225656c1e85b22e14f1a8b9932a141a5e6d5e15af43eb326b7c17e4e02987f59f56022a326486ab862fa034b531b2192d1
SSDEEP

98304:tb4xcxSmyr32LKxqtjv0j7TctNVCkkvHY+9BlWUQQzS/c30E+WSNfRlXOt7U5E9U:tbacxryroKgtjvAPctNbSHY+9rWUQQzS

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

bangerr.duckdns.org:1012

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-Z95DP4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  TaxOrganizer24.exe
- Size
  
  1.8MB
- MD5
  
  0d5c5d1e67e2005c868b2240746a5d1b
- SHA1
  
  6befe34c622a2935bee6efe97e0bc92ceabd1afe
- SHA256
  
  6a71daa9db62b37a175a620b7051c9cfda83baa817cf2ce47895e9d3b0d70788
- SHA512
  
  e08765509cf36404244756e27ffc2d632433b03374c44d918184c5f9500f1b58322fb4984e4e9e084ff4c0cfbd8bfa38390966c33e4efc6083f00e500247cdef
- SSDEEP
  
  49152:L2X7UMQYR9B5Mi5W5xCsfZUIVmT4VTd1lc:L+oMNsr9Jxi
Score

10^/10

remcos remotehost discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  libcrypto-1_1-x64.dll
- Size
  
  2.6MB
- MD5
  
  b595f25fe4d5f2e67f571b765b54c8ce
- SHA1
  
  0332cb13db9d48b853e443f8847d6c5012662b56
- SHA256
  
  d55dfc9ae0ad2470804f39b7e6a089785837f1e51092ba1b96cec9b9296f6a70
- SHA512
  
  e85176f051b437097cc5b8f30db192fd21cb9fd833c520192286c98c9ab2d235bab4dd1526d49d301ec4f275c214871beee5bf8d364e2b5bd5ad7f59a7db9f5f
- SSDEEP
  
  49152:MVwAsO4zQ4jLscYK+MY7QFgWMkWCrAIU6i8CR8JI2h4cGgCnXPGtlq5KN/DdFiSA:/QFVQFgWMk/r+8CaI2hebfY/DdFVMcX0
Score

1^/10
behavioral3 behavioral4
- Target
  
  libcurl-4.dll
- Size
  
  593KB
- MD5
  
  dde208ca0ed409198152784008eb0437
- SHA1
  
  297b46a90029e640a022ce27d67567d20246fb70
- SHA256
  
  04768039953c9784c31a16e4cf8729d7cd3c6899fe9e01928674512ebf245b31
- SHA512
  
  6ad3c7826f7c727722ddebbbf959073da5ad5cc61eaaa7a0c13be176d6c97cda1c15e6b5e415ea6ed172419565e7941186e47df0936f0ce5aad1efa367fb348b
- SSDEEP
  
  12288:Q9mrsTY1pIL9fpkEtGTJtNLFtimZgXsDEn34Tgl1EG:Q9mHg9fiEKJXLFUmpQn3Ag1EG
Score

1^/10
behavioral5 behavioral6
- Target
  
  libiconv-2.dll
- Size
  
  2.4MB
- MD5
  
  02aaf0ef4140a80669e21c35547e0520
- SHA1
  
  8949f73b8ef36037f80a6b54d1f0280ac87647fb
- SHA256
  
  adacf7b709443ec0e4f479c33a6d9101f55d342e1b517c048f5440cd0862b76f
- SHA512
  
  1f5baeb5651632831836e02a28a2cfcc281f59943b89cf115bdf4fd98daf2752e238de6623e3336611d36d64b15bef1225a1921d17bd94678bc9895bfaa7b6a7
- SSDEEP
  
  49152:8ymzJaUsHOsxGYPJ1xNIsCFOXGCaDiO6eadE1MRvk/ATlEHS9:+Ybxqw+H
Score

10^/10

remcos remotehost discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  libintl-8.dll
- Size
  
  132KB
- MD5
  
  9c40bf1e7ac4534fc6673fad62859f55
- SHA1
  
  8ad1df8d89fe88d9d7b0e97ee34b748778e89870
- SHA256
  
  6625b662ade69bd824f2da4d17c1851dc62ddaa3e45d95a6e5a10f6c22743c8b
- SHA512
  
  3a378feeea447471549f4040eff4d1c19e6c76c87e2ef8743d942c2c3dc77f58ac6e3af77e0e7ae95de1ab03fd901c2d3e126ba9427c3842cfec5d71e60162af
- SSDEEP
  
  3072:sERGJBKcjJMf3fQaa3DAGl0fF3oF/5e/SZUm:3RBcjJMf3YaO+4FBeQUm
Score

1^/10
behavioral10 behavioral9
- Target
  
  libpcre2-8-0.dll
- Size
  
  570KB
- MD5
  
  36acf2f31e5a520506ea69b9250f7f76
- SHA1
  
  be61a4dfbd87e6d5bc62695e1a407f2b1cf9a483
- SHA256
  
  4b7c3af719c65ce4f58abbb168cacb97d7a62935cbb711744b69dd3b058d5079
- SHA512
  
  9f8e85fb4715e03f1509689e15d9bd1e73ddb95a5b4dddc818d962375092915921df6ef665ba77a0c743a1c68fcfe2ebb9b0d91f2de2031a4cca7a610229dcac
- SSDEEP
  
  6144:D41KXET4DDeyM78l+duFg9dfjB8pyU4Ot8ZzpQGeFg6KUqrx6qbu6FUF8:E1KXpwMedflQGeOGqJbu6FUF8
Score

1^/10
behavioral11 behavioral12
- Target
  
  libssp-0.dll
- Size
  
  20KB
- MD5
  
  c45f9ae533fda952635f4b787f52e3bb
- SHA1
  
  f4bd4a7a4970f4b5e0cf811141733a639f29ffd7
- SHA256
  
  4710136efe21be065753502f62db524324dbb68a16ce087532679548041109de
- SHA512
  
  4042cb44bc103207de74364e34747e5772bace387e83a3dc1c4c43a89462b7ee4fd910542f053f202809893bb4b0a6ef404ec32edd483fa9c45c6e67048f7216
- SSDEEP
  
  384:wK/9WOvcve4ldCd985aWdJZgo2/k+rS/HH:z9WOkvdCIN+/
Score

1^/10
behavioral13 behavioral14
- Target
  
  msvcp144.dll
- Size
  
  3.8MB
- MD5
  
  861908c05742756c7cd6ee22daec451b
- SHA1
  
  1686abfda1ea36ef9ea508d4516dfef1734a83ff
- SHA256
  
  128f96765d8b0f94922fcc7b79cce90cfde66f7aa835aaa6745d2ccb96471b42
- SHA512
  
  638252daf3fa5fc1eef85f9f3e30c8aec226ef8c593a00992f1bc3c4d3ffc961a1b119aed012317359af3ef9a883408fc429806225d313eced10219540882a33
- SSDEEP
  
  49152:Xo4jX82pc5kYFtjNgRBQEf7DwbyKslgFF6Z7Ye6+Kr:ZQ6yqws6Xr
Score

4^/10
behavioral15 behavioral16
- Target
  
  vcruntime211.dll
- Size
  
  482KB
- MD5
  
  92586a8b261f5b2f1152d4ffc049967b
- SHA1
  
  d44d7628aa5a676c953d4d40d576c95918b8d560
- SHA256
  
  9af8c5a7534c9f919f942703e68e28841ff9da56f35674138afe49b169ef2767
- SHA512
  
  01f9a7cf8eb00e251c6b6a50626788a9233e18b4f3b77fd5428b91ebb3eb42aed808ddb04714b8a74bd492c568cc84150ac014903176e30aa5895fccb6bc2eeb
- SSDEEP
  
  12288:YnfyzBDukj9foAQZSpqTJTeH4/yRWW0Sokc:UyNDr9fHqTJT44BWk
Score

1^/10
behavioral17 behavioral18
- Target
  
  zlib1.dll
- Size
  
  91KB
- MD5
  
  8715690438860eaecc98cdd95aa80ab8
- SHA1
  
  92cf890392febc1c53a7417870cbc9ac373c7405
- SHA256
  
  42566cadd56feb726be5544bf5552aa8d4009b415906a2e7ae7945212b16cfb8
- SHA512
  
  989ce0028c0002842f1e7671076fa5ce6a1bdb7b364d008c04cbba5cfe1abbaab20051e284cfc351e46c85d2816e9b1b214ad2bf642839a6df84de1c7c544249
- SSDEEP
  
  1536:5/EC1lUVwGnWFS2C1LlImUILLjPeCU1WxfBp1nToIfGIOMIOtrP9jCCGFI:5/EC1Kmzsr1LlHUaHPeSflTBfkCtrPNT
Score

1^/10
behavioral19 behavioral20

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Remcos family

Uses the VBS compiler for execution

Adds Run key to start application

Suspicious use of SetThreadContext

Remcos

Remcos family

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20