remcos | bcfa3ad9b1ba0c2d1352d94f8ff180da7456d7ba29d4570e809b083a5cb80c10 | Triage

Submit
Reports

Overview

overview

Static

static

3

bcfa3ad9b1...10.exe

windows7-x64

7

bcfa3ad9b1...10.exe

windows10-2004-x64

Sharing

General

Target

bcfa3ad9b1ba0c2d1352d94f8ff180da7456d7ba29d4570e809b083a5cb80c10
Size

135KB
Sample

240522-g8hgwafa9y
MD5

fc407f4e9875a20f081c5b7bd19e80e3
SHA1

f014e96a054d661d14df6d0212b56396eeaad52b
SHA256

bcfa3ad9b1ba0c2d1352d94f8ff180da7456d7ba29d4570e809b083a5cb80c10
SHA512

03f7e8ccbcdabd790141ebc5c20982dec667691e31a49c60f5ba9a71324e9fc1691343938646ebeee187608956fa32ef4dbc9312093a034e9245c522c8a1fe0e
SSDEEP

1536:ITHiPBX4nDzMyRXGHrc9YRHqbTypgpmb5Q+ZReSdhk/J+YLgD3mrxb53cSuYQjK/:xPd4n/M+WLcilrpgGH/GwY87mVmIXP

Score

10^/10

remcos host persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

bcfa3ad9b1ba0c2d1352d94f8ff180da7456d7ba29d4570e809b083a5cb80c10.exe

Resource

win7-20240221-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

bcfa3ad9b1ba0c2d1352d94f8ff180da7456d7ba29d4570e809b083a5cb80c10.exe

Resource

win10v2004-20240226-en

remcos host persistence rat

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

systemcontrol.ddns.net:45000

systemcontrol2.ddns.net:45000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
OfficeUpgrade.exe
copy_folder
OfficeUpgrade
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
Upgrader.dat
keylog_flag
false
keylog_folder
Upgrader
keylog_path
%AppData%
mouse_option
false
mutex
req_khauflaoyr
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
OfficeUpgrade
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  bcfa3ad9b1ba0c2d1352d94f8ff180da7456d7ba29d4570e809b083a5cb80c10
- Size
  
  135KB
- MD5
  
  fc407f4e9875a20f081c5b7bd19e80e3
- SHA1
  
  f014e96a054d661d14df6d0212b56396eeaad52b
- SHA256
  
  bcfa3ad9b1ba0c2d1352d94f8ff180da7456d7ba29d4570e809b083a5cb80c10
- SHA512
  
  03f7e8ccbcdabd790141ebc5c20982dec667691e31a49c60f5ba9a71324e9fc1691343938646ebeee187608956fa32ef4dbc9312093a034e9245c522c8a1fe0e
- SSDEEP
  
  1536:ITHiPBX4nDzMyRXGHrc9YRHqbTypgpmb5Q+ZReSdhk/J+YLgD3mrxb53cSuYQjK/:xPd4n/M+WLcilrpgGH/GwY87mVmIXP
Score

10^/10

persistence remcos host rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- detects Windows exceutables potentially bypassing UAC using eventvwr.exe
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

remcoshostpersistencerat

© 2018-2024

Terms | Privacy