remcos | f980c5e3f52ee0335be8e27bad38769a503d9989ce1965c5f54074fdb7252833 | Triage

Sharing

General

Target

f980c5e3f52ee0335be8e27bad38769a503d9989ce1965c5f54074fdb7252833
Size

1.1MB
Sample

250328-zd8ppa1vex
MD5

2b69aaed53d8a002a8ab6d336f795a32
SHA1

60fdbf4710f0f449423a84f7362a8719639e0273
SHA256

f980c5e3f52ee0335be8e27bad38769a503d9989ce1965c5f54074fdb7252833
SHA512

30cc0acd55d0e717e93de0f052aa46351eb2cfdf226c9c448862fcc63889ea988b465a50b68cdb448565945c4a31ff150a60d5afb911d89c423711f262b0217d
SSDEEP

24576:eaTgKwZ14X27uUL3VM0kd+rkhfMsjgkAj2JE06J5N0Fm:LTgdZOcuUL3xAx/8b2S7Z0g

Score

10^/10

remcos chinemerem discovery rat

Malware Config

Extracted

Family

remcos

Version

2.2.2 Pro

Botnet

chinemerem

C2

remcoss.onmypc.org:3765

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
r-8ET8H0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  f980c5e3f52ee0335be8e27bad38769a503d9989ce1965c5f54074fdb7252833
- Size
  
  1.1MB
- MD5
  
  2b69aaed53d8a002a8ab6d336f795a32
- SHA1
  
  60fdbf4710f0f449423a84f7362a8719639e0273
- SHA256
  
  f980c5e3f52ee0335be8e27bad38769a503d9989ce1965c5f54074fdb7252833
- SHA512
  
  30cc0acd55d0e717e93de0f052aa46351eb2cfdf226c9c448862fcc63889ea988b465a50b68cdb448565945c4a31ff150a60d5afb911d89c423711f262b0217d
- SSDEEP
  
  24576:eaTgKwZ14X27uUL3VM0kd+rkhfMsjgkAj2JE06J5N0Fm:LTgdZOcuUL3xAx/8b2S7Z0g
Score

10^/10

remcos chinemerem discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcoschinemeremdiscoveryrat

behavioral2

remcoschinemeremdiscoveryrat