remcos | 56a8aeac60e96feb740c5b5e1e5d08a33f340094fe2db71af960d4921158b325 | Triage

Sharing

General

Target

56a8aeac60e96feb740c5b5e1e5d08a33f340094fe2db71af960d4921158b325
Size

1.7MB
Sample

230103-f4cv6aaa39
MD5

f83cb2f595ba590173ecc32fe1a4f957
SHA1

8f70abe57d708789e9c56ad98386c40253224758
SHA256

56a8aeac60e96feb740c5b5e1e5d08a33f340094fe2db71af960d4921158b325
SHA512

ac095b7d37ede5b2d4c31fe2f6a0317726d5a95d90aaba1fa8bb642e608f6c3cb6b2438140729e8d1b56ae8ff3b364db41d0fd12cb19acac267d857edf7c3d6b
SSDEEP

24576:rAOcZGRcaQLzZAZ5WCGXZ2El/5DVvnrjsNNIJhYPZwyI3Tr+Mo5pemHI0YuyqI8u:tBQvZAZ4zJXvMNN8YBdcxo5EmHWqI8u

Score

10^/10

remcos vjw0rm explorer wds evasion persistence rat trojan worm

Malware Config

Extracted

Family

remcos

Botnet

EXPLORER WDs

C2

198.23.207.34:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-563ZPZ
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
PingPongWD
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  56a8aeac60e96feb740c5b5e1e5d08a33f340094fe2db71af960d4921158b325
- Size
  
  1.7MB
- MD5
  
  f83cb2f595ba590173ecc32fe1a4f957
- SHA1
  
  8f70abe57d708789e9c56ad98386c40253224758
- SHA256
  
  56a8aeac60e96feb740c5b5e1e5d08a33f340094fe2db71af960d4921158b325
- SHA512
  
  ac095b7d37ede5b2d4c31fe2f6a0317726d5a95d90aaba1fa8bb642e608f6c3cb6b2438140729e8d1b56ae8ff3b364db41d0fd12cb19acac267d857edf7c3d6b
- SSDEEP
  
  24576:rAOcZGRcaQLzZAZ5WCGXZ2El/5DVvnrjsNNIJhYPZwyI3Tr+Mo5pemHI0YuyqI8u:tBQvZAZ4zJXvMNN8YBdcxo5EmHWqI8u
Score

10^/10

remcos vjw0rm explorer wds evasion persistence rat trojan worm
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- UAC bypass
  evasion trojan
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Disables Task Manager via registry modification
  evasion
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosvjw0rmexplorer wdsevasionpersistencerattrojanworm

behavioral2

remcosvjw0rmexplorer wdsevasionpersistencerattrojanworm