remcos

General

Target

dbcc133f852cf1c898fd71db2f0f09153c55577a7c8f0886882d52713ecb186f
Size

1.2MB
Sample

231212-la8cvscac5
MD5

e498c9b3458651c78ca99a3b1936ca12
SHA1

be68a3baca77108317a09e3eb0da79b2bb0239b8
SHA256

dbcc133f852cf1c898fd71db2f0f09153c55577a7c8f0886882d52713ecb186f
SHA512

c5eddd5ccd8a6c16541397aa212ba3b9debc88fce5bfe247f16c5e7f23646c4f7440926c4384b2808993c9e396dc92369ed1d637e119d2faea498bc1eba0940f
SSDEEP

24576:LpBx8FYm5k48ZNEvPcwkcy2uH3edcUdqgU5gYhhcbspUPhv:L5Tm5kavPdRZuuWUknvst

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

104.250.180.178:7061

Attributes

Install_directory
%AppData%
install_file
XWorm V5.2 Optimized.exe

Extracted

Family

remcos

Botnet

RemoteHost

C2

104.250.180.178:7902

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
AnyDesk.exe
copy_folder
AnyDesk
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
AnyDesk
mouse_option
false
mutex
AnyDesk-8BNQK6
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  REVISED (DELAY NOTICE) - CIF Hamburg by Sea - ETC 1129 , SO 6722.DOC.scr
- Size
  
  447KB
- MD5
  
  c824d690e03774ac57c0967f721e09e3
- SHA1
  
  b4f4db1fbb3606a94618b8fc783ceecb9bd2a4d8
- SHA256
  
  cf632203d1e3b90e91deacdd99295bd81807e8de345d1716472eef5557c33ce1
- SHA512
  
  8741063e5f1f73848dcf3043675b20f3142b818d27a068034a79e4a4bed38a59294293f5e58306b495e4d141d4909d7fb61ab5ca8d1ebee62831ad411030377f
- SSDEEP
  
  12288:S3IU8S6eUdJe4AYn1svkGWFWKvBo7gG3BU:IItSAdJZ+O6g
Score

10^/10

xworm zgrat rat trojan
- Detect Xworm Payload
- Detect ZGRat V1
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  UPDATED (DELAY NOTICE) - CIF Hamburg by Sea - ETC 1219 , SO 6722.DOC.scr
- Size
  
  869KB
- MD5
  
  4f0c56459b4f0e8f51502e434d1ffc24
- SHA1
  
  b36e6bd0cf69d7b0258ace48f01feff65a6fb4c5
- SHA256
  
  ae86206a568d280d3e030ec9649148ff98b59c6e3cd25e78094cc53631b674d7
- SHA512
  
  e34912e2840cc9991eb4102ede29f85b0cc812fa1e44d19a0fa5b7397bf207f6e0b374c5e121cffc69e63b9fc8c11113c1c70a66e2d756cc27d9692fd93b7ea3
- SSDEEP
  
  24576:UItSAd7nDUHhpSahNdsUdKgU/CY/hkpqV+sjU5:UtN/PaUERXBa
Score

10^/10

remcos zgrat remotehost persistence rat
- Detect ZGRat V1
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral3 behavioral4