remcos | 51c6e64d343dec3fd10360bb96191149e760b186e3523fe59ca15cae8815dd28 | Triage

Sharing

General

Target

17022025_1724_17022025__DOCUMENT_MAIL_MK77123.PDF.gz
Size

2KB
Sample

250217-v8ggga1kcm
MD5

36c7cc5782cd13e7833d6b8113d09505
SHA1

080604f0baed6540c9104f5a7793b59964d34f7b
SHA256

51c6e64d343dec3fd10360bb96191149e760b186e3523fe59ca15cae8815dd28
SHA512

8cf0fcfdbb7cb1b383503f28f56b71895803b8139335c968520c806bbcd3feac1829629cf67c3c49287ae0f74ca2853e96b6bdf2c34f106d38eb183b7564a3ad

Score

10^/10

remcos nom discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d

exe.dropper

https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d

Extracted

Family

remcos

Botnet

nom

C2

meme.linkpc.net:3174

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
vlc
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
ios
mouse_option
false
mutex
gig-G7MMFK
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
sos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  _DOCUMENT_MAIL_MK77123.PDF.js
- Size
  
  84KB
- MD5
  
  27cb47b5e1ac316a34e346dc787782f6
- SHA1
  
  70d3f484ab6ca95c0d03479894181a4fbb883583
- SHA256
  
  abc914c82dac8f803df0ae50a350c38cd7af60344f60936a6df01198efbb03f6
- SHA512
  
  1ecf1ed09e1df85fa7596d0ca169885d2f19a43d98c8309ad2d9a039c5c8489932410ed8af47d1dbfbeb421b97b6515afd722c7785eac6249f37e0f88c3f6b8f
- SSDEEP
  
  384:HZB5abMZB5abtZB5abdZB5abvZB5abtZB5abdZB5abhZB5abtZB5abdZB5abTZBH:4
Score

10^/10

execution remcos nom discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

remcosnomdiscoveryexecutionrat