remcos | 2b05753bc632ec1b4f66631be14ddd5757a56cb5d1593b7c86f386b3e8672968 | Triage

Submit
Reports

Overview

overview

Static

static

1

2b05753bc6..._JC.js

windows7-x64

8

2b05753bc6..._JC.js

windows10-2004-x64

Sharing

General

Target

2b05753bc632ec1b4f66631be_JC.unknown
Size

2KB
Sample

230721-vf67esfh9t
MD5

e040670bac3e2ee10dc266c6bf6c07d9
SHA1

5a63414e2485bce19531562cbf033a83bcc2580e
SHA256

2b05753bc632ec1b4f66631be14ddd5757a56cb5d1593b7c86f386b3e8672968
SHA512

4b717f54dea8e631051f78f6687c3eecf1d4dabdc9ee798d61ed6b3c96581b9a8a5055d5ac6527a463a9bde0b2e14b9b360ee9e60d9312a42d9b67a464442d5d

Score

10^/10

remcos btc persistence rat upx

Static task

static1

Behavioral task

behavioral1

Sample

2b05753bc632ec1b4f66631be_JC.js

Resource

win7-20230712-en

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

2b05753bc632ec1b4f66631be_JC.js

Resource

win10v2004-20230703-en

remcos btc persistence rat upx

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

BTC

C2

zoonm.ddns.net:9001

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
vlc.exe
copy_folder
vlc
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-6FL95Y
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  2b05753bc632ec1b4f66631be_JC.unknown
- Size
  
  2KB
- MD5
  
  e040670bac3e2ee10dc266c6bf6c07d9
- SHA1
  
  5a63414e2485bce19531562cbf033a83bcc2580e
- SHA256
  
  2b05753bc632ec1b4f66631be14ddd5757a56cb5d1593b7c86f386b3e8672968
- SHA512
  
  4b717f54dea8e631051f78f6687c3eecf1d4dabdc9ee798d61ed6b3c96581b9a8a5055d5ac6527a463a9bde0b2e14b9b360ee9e60d9312a42d9b67a464442d5d
Score

10^/10

remcos btc persistence rat upx
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

remcosbtcpersistenceratupx

© 2018-2024

Terms | Privacy