remcos | 5b9a611f5ca531f0794cf9601360e1414c72079689ce107c2ebf4c5bb6fc5f8d | Triage

Sharing

General

Target

PURCHASE ORDER - PI.js
Size

1KB
Sample

250407-mv6kfazjw5
MD5

8e13d536db884141396b72340b97860a
SHA1

33fb84a1518915b113aaec9506122d76f80b6108
SHA256

5b9a611f5ca531f0794cf9601360e1414c72079689ce107c2ebf4c5bb6fc5f8d
SHA512

ca5398341b7ab4d7e61e391447bc3f07a377e57839093734e4342721e5749ed5ff3b3923bf5042d350e25371b11870b17da123b2905fd36dc8c681227758a7b0

Score

10^/10

remcos new discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

NEW

C2

roonye.ydns.eu:24680

tamar.ydns.eu:24680

shukurov.ydns.eu:24680

rasuljon.ydns.eu:24680

tevzadze.ydns.eu:24680

dodon.ydns.eu:24680

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmcaaewrrds,d,e-L6NPOE
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  PURCHASE ORDER - PI.js
- Size
  
  1KB
- MD5
  
  8e13d536db884141396b72340b97860a
- SHA1
  
  33fb84a1518915b113aaec9506122d76f80b6108
- SHA256
  
  5b9a611f5ca531f0794cf9601360e1414c72079689ce107c2ebf4c5bb6fc5f8d
- SHA512
  
  ca5398341b7ab4d7e61e391447bc3f07a377e57839093734e4342721e5749ed5ff3b3923bf5042d350e25371b11870b17da123b2905fd36dc8c681227758a7b0
Score

10^/10

remcos new discovery execution rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosnewdiscoveryexecutionrat