remcos | 5422c0223694ab7ffdb4968db24177c7bb0426e29b32b0f810192258c0af61da | Triage

Submit
Reports

Overview

overview

Static

static

1

5422c02236...da.exe

windows7-x64

5422c02236...da.exe

windows10-2004-x64

Sharing

General

Target

5422c0223694ab7ffdb4968db24177c7bb0426e29b32b0f810192258c0af61da.exe
Size

904KB
Sample

240704-bttzgaxaqj
MD5

bce1d14cd2cb21d2a6a52de1b61516c6
SHA1

a112646015f9db212a207e1637abe3cc7bfa3408
SHA256

5422c0223694ab7ffdb4968db24177c7bb0426e29b32b0f810192258c0af61da
SHA512

001f9ef1cdb0f135335e1af087e8fb1d85028f8087777cd022751e693874dffe74672ad1350f4307ba752b4eceb33f8ad85a055d11045dfc45a114d97bcc7e4e
SSDEEP

12288:yHqGmfjIIK49UkXDGtvxrzV9gROZh6vRciD+yz1DCSnJ8LWCdEDvhF2xX8:e0RfqtZHV9gQZsSc+yzRCSnND5F2xs

Score

10^/10

remcos remotehost evasion execution persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

5422c0223694ab7ffdb4968db24177c7bb0426e29b32b0f810192258c0af61da.exe

Resource

win7-20240611-en

remcos remotehost evasion execution persistence rat trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

5422c0223694ab7ffdb4968db24177c7bb0426e29b32b0f810192258c0af61da.exe

Resource

win10v2004-20240611-en

remcos remotehost evasion execution persistence rat trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

newpage44.mywire.org:5010

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
skype.exe
copy_folder
skype
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-GRUM7D
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  5422c0223694ab7ffdb4968db24177c7bb0426e29b32b0f810192258c0af61da.exe
- Size
  
  904KB
- MD5
  
  bce1d14cd2cb21d2a6a52de1b61516c6
- SHA1
  
  a112646015f9db212a207e1637abe3cc7bfa3408
- SHA256
  
  5422c0223694ab7ffdb4968db24177c7bb0426e29b32b0f810192258c0af61da
- SHA512
  
  001f9ef1cdb0f135335e1af087e8fb1d85028f8087777cd022751e693874dffe74672ad1350f4307ba752b4eceb33f8ad85a055d11045dfc45a114d97bcc7e4e
- SSDEEP
  
  12288:yHqGmfjIIK49UkXDGtvxrzV9gROZh6vRciD+yz1DCSnJ8LWCdEDvhF2xX8:e0RfqtZHV9gQZsSc+yzRCSnND5F2xs
Score

10^/10

remcos remotehost evasion execution persistence rat trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

remcosremotehostevasionexecutionpersistencerattrojan

behavioral2

remcosremotehostevasionexecutionpersistencerattrojan

© 2018-2024

Terms | Privacy