remcos | b2a00a736c7f3cc7212c99c445c222c589c08fdffbb0085d0688a857b081eec1 | Triage

Sharing

General

Target

Invoice and Shipping Documents.vbs
Size

746KB
Sample

230531-jxn7dsea9x
MD5

2e188db658ebc70144969efb50d393c9
SHA1

1ad0c15103ae290e3abda82ef43192f4d1468a22
SHA256

b2a00a736c7f3cc7212c99c445c222c589c08fdffbb0085d0688a857b081eec1
SHA512

5c3cb88a312c6c73fc5b216418fcd2ec30c579c65985adf048e2fa88a579a302a2518cd0fabd0fb476155e09d980d8a633ee1e143811e1dc7436170181318e15
SSDEEP

3072:MGKGXwfkYFEhNe4VTdRnTT8w4TWx5f1gCpDf2CG9NBZqs6AOg4cpz+og0S7wQzSM:PrwfkYFe9YZq5Aq

Score

10^/10

remcos 2023 gee host persistence rat

Malware Config

Extracted

Family

remcos

Botnet

2023 gee Host

C2

davidwong4ghost.ddnsking.com:2030

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
wuauclt.exe
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
Rmc-5CGBHV
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Invoice and Shipping Documents.vbs
- Size
  
  746KB
- MD5
  
  2e188db658ebc70144969efb50d393c9
- SHA1
  
  1ad0c15103ae290e3abda82ef43192f4d1468a22
- SHA256
  
  b2a00a736c7f3cc7212c99c445c222c589c08fdffbb0085d0688a857b081eec1
- SHA512
  
  5c3cb88a312c6c73fc5b216418fcd2ec30c579c65985adf048e2fa88a579a302a2518cd0fabd0fb476155e09d980d8a633ee1e143811e1dc7436170181318e15
- SSDEEP
  
  3072:MGKGXwfkYFEhNe4VTdRnTT8w4TWx5f1gCpDf2CG9NBZqs6AOg4cpz+og0S7wQzSM:PrwfkYFe9YZq5Aq
Score

10^/10

remcos 2023 gee host persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

remcos2023 gee hostpersistencerat