remcos | c9077e1e771d75dff78d9041f97b8ec5d716eaffeb65d79f1669a19d78013ee1 | Triage

Sharing

General

Target

BNPParibas,pdf.7z
Size

18KB
Sample

250407-qbwsnszxbw
MD5

060fcfd4b50ae94d47f9567e6e675f02
SHA1

30ae99131675596219e25ba8c9befa7f06eac5ca
SHA256

c9077e1e771d75dff78d9041f97b8ec5d716eaffeb65d79f1669a19d78013ee1
SHA512

176732264cf5ea0af7d97ad2ccf01f349e7bf720bbe87da53b394699370ab01fa856a27819323adb5ffc90b3eceec5adbd099e9e5c0b91f2d0c513ffed906a40
SSDEEP

384:nGCrMFh2aiWi4Vc5KlicU8VXmJLFbCzkVuwrDC4AyJTWAsRSC2n7G2m8qgg:n1rMeFZ4Vc+tVOFGYVPrxVWFSx7G2m/V

Score

10^/10

remcos megida discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

megida

C2

latestrem.duckdns.org:52190

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-I12ONC
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  BNPParibas,pdf.vbs
- Size
  
  32KB
- MD5
  
  dfc5b784b17dff57cbad43dbf6fb582d
- SHA1
  
  addde7ad819450c10a67e39d8f49518821f6c296
- SHA256
  
  bb453ff3ce310b04ecfe93ff0f3ad8edf939c81a0c94a30842e9404804a3fd64
- SHA512
  
  81d57427dfc0b8703cb394e5444ec1dfa531f4a02e829c79f1dc623538a2ee0b57daa5b83ba66b9445b27736945f6ea6ca9c9620a0747783adac9719e0c9f49a
- SSDEEP
  
  768:qeifDS82ZBNPMng2vSJiqB1uTmTFGLvM1o5nU4Yhtt:MfDiDNkzSJpracAM1GU4Yhtt
Score

10^/10

remcos megida discovery execution persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosmegidadiscoveryexecutionpersistencerat