remcos | 46d11795c1b4ad223369170c61007f771f75326a16d32d1f94338022318e5f15 | Triage

Sharing

General

Target

script.ps1
Size

6KB
Sample

250402-t9367asrt8
MD5

109e1f0f40613d5fcbf93e5df4da5c5d
SHA1

da66f0ad18ea055f5bd106ba91dbb0f56f45f1f9
SHA256

46d11795c1b4ad223369170c61007f771f75326a16d32d1f94338022318e5f15
SHA512

5bc2fc543ec8a09d43ccbed1af39b57e3136dab6934630afb51f281bcd9bb130c81c4e64fed5ae3dcd870f9813215672a397c44eeeb69ed5c28ae26f9954d1e1
SSDEEP

192:gfG9kDTU0RRW5zbexk0xY5YZ14ucS8QWHBMwsvnwRq:l9eBRR6Xan5Z1taQ6a9nwRq

Score

10^/10

remcos fresh2 discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Fresh2

C2

sphayer66jugaru1.duckdns.org:1961

sphayer66jugaru1.duckdns.org:1962

sphayer66jugaru2.duckdns.org:1961

sphayer66jugaru3.duckdns.org:1961

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
lamourtesy.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
juynvfpoils-YFZCIY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  script.ps1
- Size
  
  6KB
- MD5
  
  109e1f0f40613d5fcbf93e5df4da5c5d
- SHA1
  
  da66f0ad18ea055f5bd106ba91dbb0f56f45f1f9
- SHA256
  
  46d11795c1b4ad223369170c61007f771f75326a16d32d1f94338022318e5f15
- SHA512
  
  5bc2fc543ec8a09d43ccbed1af39b57e3136dab6934630afb51f281bcd9bb130c81c4e64fed5ae3dcd870f9813215672a397c44eeeb69ed5c28ae26f9954d1e1
- SSDEEP
  
  192:gfG9kDTU0RRW5zbexk0xY5YZ14ucS8QWHBMwsvnwRq:l9eBRR6Xan5Z1taQ6a9nwRq
Score

10^/10

remcos fresh2 discovery execution persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Blocklisted process makes network request
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosfresh2discoveryexecutionpersistencerat