remcos | 885e34ff7befbdcdb027a017843cbacdba7eebb34d3df2e3113cceb9adafe8b5 | Triage

Sharing

General

Target

0481f43c7f5b88e571514182c7ed5f64
Size

457KB
Sample

210726-7rhezxfyzj
MD5

0481f43c7f5b88e571514182c7ed5f64
SHA1

6b597b3ddb06f3d68323c43a3d000452a115501d
SHA256

885e34ff7befbdcdb027a017843cbacdba7eebb34d3df2e3113cceb9adafe8b5
SHA512

a7d260045043187546a437a5d708eabffcd339648a45cc23b175fc3cba996551f696dd3b114b1630be6e23324b63906788ffe5cf93e3849b382c30d391b6d9ba

Score

10^/10

remcos warzonerat host infostealer persistence rat spyware stealer suricata

Malware Config

Extracted

Family

warzonerat

C2

byx.z86.ru:5200

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

dpqw-avira.bot.nu:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
explorer.exe
copy_folder
windows
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
remcos_abihghbcgbxx#
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
pdf
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title

Targets

- Target
  
  0481f43c7f5b88e571514182c7ed5f64
- Size
  
  457KB
- MD5
  
  0481f43c7f5b88e571514182c7ed5f64
- SHA1
  
  6b597b3ddb06f3d68323c43a3d000452a115501d
- SHA256
  
  885e34ff7befbdcdb027a017843cbacdba7eebb34d3df2e3113cceb9adafe8b5
- SHA512
  
  a7d260045043187546a437a5d708eabffcd339648a45cc23b175fc3cba996551f696dd3b114b1630be6e23324b63906788ffe5cf93e3849b382c30d391b6d9ba
Score

10^/10

remcos warzonerat host infostealer persistence rat spyware stealer suricata
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

remcoswarzonerathostinfostealerpersistenceratspywarestealersuricata

behavioral2

remcoswarzonerathostinfostealerpersistenceratspywarestealersuricata