Overview

overview

10

Static

static

remcos.bin.exe

windows7_x64

10

remcos.bin.exe

windows10_x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    remcos.bin

  • Size

    360KB

  • Sample

    200218-5x47c6z2s2

  • MD5

    c8cd8226c29bbaed1b40691f25793833

  • SHA1

    e6e802589ce0589bb1a7b17f93661dcffb67598d

  • SHA256

    d783cab5c5ae5cada441b48ab938855e5fb5a0f696f31f86d68479041cc991cf

  • SHA512

    3de43aae6c5fb9bc8e900ed73f3c26ccc5fbe32ed283cfb6cfc30af4e2d2fb3402723d1298f5a82d4c6cbc50b8da59b602ddb702b45a23ccef2db1f34950e758

Score
10/10
remcospersistencerat

Malware Config

Extracted

Family

remcos

C2

185.140.53.153:2404

Targets

    • Target

      remcos.bin

    • Size

      360KB

    • MD5

      c8cd8226c29bbaed1b40691f25793833

    • SHA1

      e6e802589ce0589bb1a7b17f93661dcffb67598d

    • SHA256

      d783cab5c5ae5cada441b48ab938855e5fb5a0f696f31f86d68479041cc991cf

    • SHA512

      3de43aae6c5fb9bc8e900ed73f3c26ccc5fbe32ed283cfb6cfc30af4e2d2fb3402723d1298f5a82d4c6cbc50b8da59b602ddb702b45a23ccef2db1f34950e758

    Score
    10/10
    ratremcospersistence

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Executes dropped EXE

    • Loads dropped DLL

    • Program crash

    • Adds Run entry to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks