remcos | 91b4c720f1aab6ec16c72f685e984b0342876ee5e09b593b4bcc6ad2461fd560 | Triage

Submit
Reports

Overview

overview

Static

static

9

Proforma H...df.exe

windows7_x64

Proforma H...df.exe

windows10-2004_x64

Sharing

General

Target

91b4c720f1aab6ec16c72f685e984b0342876ee5e09b593b4bcc6ad2461fd560
Size

456KB
Sample

220521-panj8sabcj
MD5

9c66c449f255e8e3f5f73c88576d80b1
SHA1

7e44cd8ecf422d63b659d3a891c387e80dd7ac45
SHA256

91b4c720f1aab6ec16c72f685e984b0342876ee5e09b593b4bcc6ad2461fd560
SHA512

4573d9f17fa423462e05f462e85f0a03b9321277442aeb4a454a41a7f97cd7ec26da824ca20147585bd755326bc261fbd4e2d3fe6c680c1086608a4e5396fbf9

Score

10^/10

remcos from jah coreentity rat rezer0

Static task

static1

Behavioral task

behavioral1

Sample

Proforma Haziran 21052020,pdf.exe

Resource

win7-20220414-en

remcos from jah coreentity rat rezer0

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Proforma Haziran 21052020,pdf.exe

Resource

win10v2004-20220414-en

remcos from jah rat

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

FROM JAH

C2

newdawn4me.ddns.net:7213

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-4F6INU
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Targets

- Target
  
  Proforma Haziran 21052020,pdf.exe
- Size
  
  395KB
- MD5
  
  e8880257995f8f870b97aa0e6395c6fd
- SHA1
  
  134c29a50676ce8472ec8b978e056d6444ebaa16
- SHA256
  
  0f2679baa996e2944996f4162bfb2beeaff492e1e15a844fc9b66f60d3411793
- SHA512
  
  b2e689b15e1c6079a597c5360b4a30b3527138870456b1f4fe927fb386c6a5e4929c7d96445f97f03d73f4c9559d7bdd0367defc077a225a2faff86a26ea1b70
Score

10^/10

remcos from jah coreentity rat rezer0
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- CoreCCC Packer
  Detects CoreCCC packer used to load .NET malware.
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosfrom jahcoreentityratrezer0

behavioral2

remcosfrom jahrat

© 2018-2024

Terms | Privacy