remcos | 6a9869c98547c0566c4f3462ab529cc0a72e9c5f35f5767773575196f68f44ab | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Scan Copy06.js
Size

873KB
Sample

221121-k5llxacf49
MD5

90a8d36688fde3d0e06e101388baf1e1
SHA1

f36ba8657a332a72996c5aee51d3af45a68bbcb5
SHA256

6a9869c98547c0566c4f3462ab529cc0a72e9c5f35f5767773575196f68f44ab
SHA512

492e5d2e7a3a05906b6a521f6e6c8dafb6c32fd6da2a4075d69429f1750053302e81e96d5e282cd7281b3f9d53586f104ee6afbc59398d2d7b918e97d693c0dd
SSDEEP

12288:nBi1CUqtHhlYWwP2r0dNB8wDzyNfQyp/Yx76SKFRtYFhAc/kdP1WgZwfraDCa:nBizUDOyid0p

Score

10^/10

remcos vjw0rm remotehost evasion persistence rat trojan worm

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

45.139.105.174:3132

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-Y0T2QT
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Scan Copy06.js
- Size
  
  873KB
- MD5
  
  90a8d36688fde3d0e06e101388baf1e1
- SHA1
  
  f36ba8657a332a72996c5aee51d3af45a68bbcb5
- SHA256
  
  6a9869c98547c0566c4f3462ab529cc0a72e9c5f35f5767773575196f68f44ab
- SHA512
  
  492e5d2e7a3a05906b6a521f6e6c8dafb6c32fd6da2a4075d69429f1750053302e81e96d5e282cd7281b3f9d53586f104ee6afbc59398d2d7b918e97d693c0dd
- SSDEEP
  
  12288:nBi1CUqtHhlYWwP2r0dNB8wDzyNfQyp/Yx76SKFRtYFhAc/kdP1WgZwfraDCa:nBizUDOyid0p
Score

10^/10

remcos vjw0rm remotehost evasion persistence rat trojan worm
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- UAC bypass
  evasion trojan
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosvjw0rmremotehostevasionpersistencerattrojanworm

behavioral2

remcosvjw0rmremotehostevasionpersistencerattrojanworm