remcos

Sharing

Copy URL

Twitter E-mail

General

Target

3ccef307ca32975ddbf1b50130830cf8d077a796c61af77e77855f2f4766cac4
Size

5.0MB
Sample

250209-lrcmhssqbv
MD5

054cc5424f3c2b1efa07fc79acc97fad
SHA1

3f8c7e402731d034ae442417418159cdc09e9e8e
SHA256

3ccef307ca32975ddbf1b50130830cf8d077a796c61af77e77855f2f4766cac4
SHA512

057158038e4abb2ad85f52757ed4f68eb99aae285731cc0aa28fbcf81bbac2bede753603cc6c611108159ee3e9a0e4708cdef5c39f1ed714aea938b679b6995a
SSDEEP

98304:zKa0IHzbSPQ+D/PqXt7bnS6u5qfrFOWxj41BStcB99Fxp482iUxJPLCcN1f:2WTbSPQ+jytS6uwzFzj41McBBxpkJPLr

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

1NEW

5.45.67.76:1212

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
NoTuchengmYzfiFifFile-JPS74W
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  S3TurboTool_v1.53/S3TurboTool.exe
- Size
  
  3.0MB
- MD5
  
  722991dd18056a29c79c04868a03d81d
- SHA1
  
  320a236cca872b66bda713a1c6e8690f95bbb09b
- SHA256
  
  f57d195a651270f06b6ba5c21466401c0c3d035e21d7d217ab9268ea45d9f19b
- SHA512
  
  adcf0a8ec44e1558e3d6067126350c1efe947400f311405c84f37b6d7de83738a42ddf59c1f8178f68d9c45269bb2f95dd638037643a5521206b91e6fb2ec0eb
- SSDEEP
  
  49152:ZEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVd3338n:t92bz2Eb6pd7B6bAGx7n333k
Score

10^/10

remcos 1new discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  S3TurboTool_v1.53/fptw64.exe
- Size
  
  1.3MB
- MD5
  
  7ca20261da7995b382c11a15b2171553
- SHA1
  
  084645fe85afe0c1e70c98a381215b975c296d46
- SHA256
  
  b7e942e903f5f6bba84c3e9294edc8cc097c1173ca249a41a4cca1ab9e15a697
- SHA512
  
  9c6ef41b89e6c4bfc3d2086f8b7d15f74328882c79c6efad465bcb225e281ba0165fc06146698e407f4be81901863ba9cbe3df8adbe3bc1570b95d6af985efb2
- SSDEEP
  
  6144:Y/tEXCT7jCEXEtfghBqXbfBaZ2q3OpzTDlxu6DWeKK6BwUL0dwi4zfJzA/c4i5Oz:UFnW94+BDWRwUOAfJzAbCWB
Score

1^/10
behavioral3 behavioral4
- Target
  
  S3TurboTool_v1.53/idrvdll32e.DLL
- Size
  
  60KB
- MD5
  
  daf7e1330087bf1093bd307a4bffd36f
- SHA1
  
  0ac170fff553339e9b1779e70e7eb05a43eced07
- SHA256
  
  65a34921ede066338d9717ddfa134b54294bb81509d40061d2f4bc441fc392c5
- SHA512
  
  d7cfd50158a4e92005424dc5c4deba78d78e3bd4cc92a4b985445fff5e75e05a5b3400ebe786a509f5b37ff5138a1dd9cc2e606148a0a6c99ac5dd70e916c501
- SSDEEP
  
  1536:E99+ctgZLtKBXfiyxhtLBRGW/arsCh24:a9vtrB6orvB/arsCh24
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral5 behavioral6
- Target
  
  S3TurboTool_v1.53/pmxdll32e.DLL
- Size
  
  111KB
- MD5
  
  1891b27af49e866e290a0441c7dc00e9
- SHA1
  
  dc009ce0a6ba77f19790c0b667fa4db5d742eda4
- SHA256
  
  1882c65036142fee6b89042e2b7bf383aaa8e151b65942f5b74c03ab5cc4e5f9
- SHA512
  
  80db43def83c270b0a61195f1f526339bff27b0d6474728de19e34c8631e44ceee4620569ea869ea7627d0d7174ae3e9a91c7b6e725a5d36a0ffc18515f51f30
- SSDEEP
  
  1536:aBv5WVyTPAj0W2Zg1iBfuc1sgRTbHDQCu7ho0Eoqenw:aBIoDA8BWaswfHDQCu7hFel
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral7 behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Remcos family

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Downloads MZ/PE file

Downloads MZ/PE file

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8