remcos | c9fab624be92feff5e6666dc84c8b1a1fa23d4535f0960806defa8b30817e133 | Triage

Sharing

General

Target

c9fab624be92feff5e6666dc84c8b1a1fa23d4535f0960806defa8b30817e133
Size

140KB
Sample

250328-yxdszssmx8
MD5

34842ed9c54bd4205d1aa40ebc118310
SHA1

4cf7b739e561beb0f661fccd25ccc2c28a988410
SHA256

c9fab624be92feff5e6666dc84c8b1a1fa23d4535f0960806defa8b30817e133
SHA512

8baafb898697206325f1ae05bda968b2566cfce4366cba51831e55a2f01465bf26aa710e7d4242794e3a52e3e86b47389c78a3e0473086a0571f6323f4896b31
SSDEEP

3072:xPd4n/M+WLcilrpgGH/GwY87mVmIXhIHVSdC:xP6/M+WLckOBhVmIYmC

Score

10^/10

remcos host discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

systemcontrol.ddns.net:45000

systemcontrol2.ddns.net:45000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
OfficeUpgrade.exe
copy_folder
OfficeUpgrade
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
Upgrader.dat
keylog_flag
false
keylog_folder
Upgrader
keylog_path
%AppData%
mouse_option
false
mutex
req_khauflaoyr
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
OfficeUpgrade
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  c9fab624be92feff5e6666dc84c8b1a1fa23d4535f0960806defa8b30817e133
- Size
  
  140KB
- MD5
  
  34842ed9c54bd4205d1aa40ebc118310
- SHA1
  
  4cf7b739e561beb0f661fccd25ccc2c28a988410
- SHA256
  
  c9fab624be92feff5e6666dc84c8b1a1fa23d4535f0960806defa8b30817e133
- SHA512
  
  8baafb898697206325f1ae05bda968b2566cfce4366cba51831e55a2f01465bf26aa710e7d4242794e3a52e3e86b47389c78a3e0473086a0571f6323f4896b31
- SSDEEP
  
  3072:xPd4n/M+WLcilrpgGH/GwY87mVmIXhIHVSdC:xP6/M+WLckOBhVmIYmC
Score

10^/10

remcos host discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcoshostdiscoverypersistencerat

behavioral2

remcoshostdiscoverypersistencerat