General
-
Target
2025-03-30_e3aecc3188eac24edb8e34f5044b3a6a_black-basta_luca-stealer_remcos
-
Size
469KB
-
Sample
250330-mqtp3syrx4
-
MD5
e3aecc3188eac24edb8e34f5044b3a6a
-
SHA1
2fcaddc53adb86b3d456c05468c097aa5feac492
-
SHA256
782895a1a1f924fd2a8271667f7749723bbc02a2db458e56bd270f2ee122b88d
-
SHA512
a4f6aa1db2cdea18d344624ea22186bb544f89e664fa2b71388ab57acadc1e27794552cf3814f2293623cdfffcf7e07eec7b5e7593fba1bf658839c4d62fcb06
-
SSDEEP
12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSSn9:uiLJbpI7I2WhQqZ7S9
Behavioral task
behavioral1
Sample
2025-03-30_e3aecc3188eac24edb8e34f5044b3a6a_black-basta_luca-stealer_remcos.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2025-03-30_e3aecc3188eac24edb8e34f5044b3a6a_black-basta_luca-stealer_remcos.exe
Resource
win10v2004-20250314-en
Malware Config
Extracted
remcos
RemoteHost
160.30.192.52:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
true
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
true
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-ALXCRX
-
screenshot_crypt
true
-
screenshot_flag
true
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
true
-
take_screenshot_time
5
Targets
-
-
Target
2025-03-30_e3aecc3188eac24edb8e34f5044b3a6a_black-basta_luca-stealer_remcos
-
Size
469KB
-
MD5
e3aecc3188eac24edb8e34f5044b3a6a
-
SHA1
2fcaddc53adb86b3d456c05468c097aa5feac492
-
SHA256
782895a1a1f924fd2a8271667f7749723bbc02a2db458e56bd270f2ee122b88d
-
SHA512
a4f6aa1db2cdea18d344624ea22186bb544f89e664fa2b71388ab57acadc1e27794552cf3814f2293623cdfffcf7e07eec7b5e7593fba1bf658839c4d62fcb06
-
SSDEEP
12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSSn9:uiLJbpI7I2WhQqZ7S9
-
Remcos family
-
UAC bypass
-
Adds policy Run key to start application
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
4