remcos

General

Target

ad7944585459312eceb71221e89b7018.exe
Size

1.3MB
Sample

250209-erh1zavmbz
MD5

ad7944585459312eceb71221e89b7018
SHA1

74a633aeb8b7214cd035a9a767d6b8e7796e6886
SHA256

a3ab1ca451d4b020eea6ba2d62e987412bd3b09a4993ea803c8105e932274177
SHA512

f30d3446a95e7d7b927b27efd70f3be9f28177e0cabaa634d2cf440937578b8752152bad62b9876234fee964f2a9ed1cc76ca75153cf754a8156f49d53beed9e
SSDEEP

24576:/orvz2P1S4CcWArIu/YmM3LmTwoSXo9OvOJ2Vioy:ke5taMM3Lxoh9OAKioy

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

Send

C2

kavemarb99juyet1.duckdns.org:4688

kavemarb99juyet1.duckdns.org:4689

kavemarb99juyet2.duckdns.org:4688

kavemarb99juyet3.duckdns.org:4688

kavemarb99juyet4.duckdns.org:4688

kavemarb99juyet5.duckdns.org:4688

kavemarb99juyet6.duckdns.org:4688

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
osokwu.exe
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
alepoty.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
kijmnbytgs-Y92N9U
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  ad7944585459312eceb71221e89b7018.exe
- Size
  
  1.3MB
- MD5
  
  ad7944585459312eceb71221e89b7018
- SHA1
  
  74a633aeb8b7214cd035a9a767d6b8e7796e6886
- SHA256
  
  a3ab1ca451d4b020eea6ba2d62e987412bd3b09a4993ea803c8105e932274177
- SHA512
  
  f30d3446a95e7d7b927b27efd70f3be9f28177e0cabaa634d2cf440937578b8752152bad62b9876234fee964f2a9ed1cc76ca75153cf754a8156f49d53beed9e
- SSDEEP
  
  24576:/orvz2P1S4CcWArIu/YmM3LmTwoSXo9OvOJ2Vioy:ke5taMM3Lxoh9OAKioy
Score

10^/10

discovery execution remcos send persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Downloads MZ/PE file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  6KB
- MD5
  
  ec62e1a8d16d8f1b0eb792aa26e5de5c
- SHA1
  
  faa219618aec99cffb81c312728dc56c1fdc5798
- SHA256
  
  193d396fc7be5fed9d585de3c43e23d640c1dce725499f0274b3898c248545aa
- SHA512
  
  cb3f3458cf734ab7b964ed25cac87ff2938292eed9caae1305b2e5975bde885f4d8b06d05d4099ef614982cd55d97e9ddc0f13bbe2cdd9fb642d008788ed3017
- SSDEEP
  
  96:O7fhZwXd8KgEbAa9PweF1WxD8ZLMJGgmkNp38:/N8KgWAuLWxD8ZAGgmkN
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral3 behavioral4
- Target
  
  Norby.Drs
- Size
  
  52KB
- MD5
  
  237cdf672782754d57c42a5b82371b98
- SHA1
  
  6fe41a22c98e07b85ceb25b0870c539fe969197d
- SHA256
  
  26c1ca3a25a867de4b6c580a67c25f0b772a8d0d1ee9bb87facf3daa741cac57
- SHA512
  
  c97e1a229e3280c591b0bc76ea6850e8c5ee90420eea1d09a9a5f1effd264d06c8ce4aae166d43de00f1fc68422f277809cd899e33fee505d9be116efa8a0ce9
- SSDEEP
  
  1536:80FHbCINgp4KZE6oMXF7BaHqljyJuamYN:HHbClpBZagu3N
Score

8^/10

execution discovery persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Downloads MZ/PE file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral5 behavioral6