remcos

General

Target

4aebbec0edebbe61d2245514793ab647_JaffaCakes118
Size

1.3MB
Sample

240331-c49ckscc5x
MD5

4aebbec0edebbe61d2245514793ab647
SHA1

cba8ca7e8f7d1160dd041de408375fe72f6e4edb
SHA256

bd7c06c6abb5fffe264a20b08aca73e7da11f2450cc8b9ecc63591d41ef83ccc
SHA512

b1e2a1a1e71c57a0b84ea9f22ecd373b5fdfc2f4bc76ed9a94bdea56d58353cc1ac6e63d91313b9515edf468a99468e6f9b483f0e8fc65766e30af35b9a46c63
SSDEEP

24576:39UKkwSAggCSmwqiv7ltfjoHR/k+rXfaEKP7CHx9tCmONcmNdc:t8w9rCHX2l18HR/nrvaN7gfgg9

Score

10^/10

Malware Config

Extracted

Family

remcos

Version

3.3.0 Pro

Botnet

RemoteHost

C2

cacgroups.hopto.org:3927

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-ANIYHH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Targets

- Target
  
  4aebbec0edebbe61d2245514793ab647_JaffaCakes118
- Size
  
  1.3MB
- MD5
  
  4aebbec0edebbe61d2245514793ab647
- SHA1
  
  cba8ca7e8f7d1160dd041de408375fe72f6e4edb
- SHA256
  
  bd7c06c6abb5fffe264a20b08aca73e7da11f2450cc8b9ecc63591d41ef83ccc
- SHA512
  
  b1e2a1a1e71c57a0b84ea9f22ecd373b5fdfc2f4bc76ed9a94bdea56d58353cc1ac6e63d91313b9515edf468a99468e6f9b483f0e8fc65766e30af35b9a46c63
- SSDEEP
  
  24576:39UKkwSAggCSmwqiv7ltfjoHR/k+rXfaEKP7CHx9tCmONcmNdc:t8w9rCHX2l18HR/nrvaN7gfgg9
Score

10^/10

remcos zgrat remotehost rat spyware stealer
- Detect ZGRat V1
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect ZGRat V1

ZGRat

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2