remcos | 5bf4229985bd8de768c69b78eb377504f189c8123ead5d6ce798ebb92a401427 | Triage

Submit
Reports

Overview

overview

Static

static

5

Order.exe

windows10-2004-x64

Sharing

General

Target

5.gz
Size

784KB
Sample

250407-rljfrs1zh1
MD5

62fd39cb1eca5932a22fcda70962c61e
SHA1

1105b69e7d286838877eed83e878d3a6044ee7c6
SHA256

5bf4229985bd8de768c69b78eb377504f189c8123ead5d6ce798ebb92a401427
SHA512

506839e4f121896d0b29dfe740aadfb2e6c72e666cbe720feb0bbbca8082f680e8d3fd689114552d4ca773046a3c66ed7cedfbc0452a8a24679bff7284e02931
SSDEEP

12288:JWLSucdh4742a77tfgCvfuXr/UF+GU2BrWUg/LPuIXXP2yNvmz1CvOv07eH:XS4gcubO+0lBRcuJz1CGciH

Score

10^/10

remcos remotehost discovery rat upx

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

Order.exe

Resource

win10v2004-20250314-en

remcos remotehost discovery rat upx

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

196.251.86.41:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-83VOGC
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Order.exe
- Size
  
  809KB
- MD5
  
  8849e2039f215fdc3d18270bff047810
- SHA1
  
  b5276ad1f216f5de3d2edccfa598a0eaf676821f
- SHA256
  
  ad39a998b7f7b0889d74b2377b4ef09cb4827b314052e6280f2925bdc06ae248
- SHA512
  
  4779f5586c928f606185418f1320a8255598a122018230e547053afea09971d6aee80273c75e0ba26facea459a315ee53325104f5cf689067f04135aad4d7638
- SSDEEP
  
  24576:url6kD68JmlotQf4uvwKMXeDyEpyrX5WIYz8g3Q:Ml328U2yfxvwdgSrpkz3
Score

10^/10

remcos remotehost discovery rat upx
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Drops startup file
- Executes dropped EXE
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostdiscoveryratupx

© 2018-2025

Terms | Privacy