remcos | a288da382514561779cdd4412bc86378698b0dbbdfc80619113a2b1f068649a5 | Triage

Submit
Reports

Overview

overview

Static

static

3

689ef1d29c...af.exe

windows7-x64

689ef1d29c...af.exe

windows10-2004-x64

Sharing

General

Target

a288da382514561779cdd4412bc86378698b0dbbdfc80619113a2b1f068649a5
Size

733KB
Sample

240417-r841zsed6x
MD5

7643581f522bcd94719239582fdeeee3
SHA1

9fdb791316bd88f703b786e01f6de811c1987324
SHA256

a288da382514561779cdd4412bc86378698b0dbbdfc80619113a2b1f068649a5
SHA512

cf1539900e42c616af42fc79bd3e993a7b712db23c1138e75a124a4aec81b49fc2a5bee79ce9b7f344c447ffa15038888772890fc445bb35da8f0644825f49c3
SSDEEP

12288:VQhVUdNbp7CV6KISeH8zwq3RFz4LRXhqI8CuepBkPE4QFADaQZ53qsYurXHMn:6hV6zOVuS/8q3RFzQZhqIePWyDVBrXMn

Score

10^/10

remcos zgrat remotehost persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

689ef1d29c263f78c9626e00500983e2589d28068a72fadba9a4b04b7eafbcaf.exe

Resource

win7-20240221-en

zgrat persistence rat

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

689ef1d29c263f78c9626e00500983e2589d28068a72fadba9a4b04b7eafbcaf.exe

Resource

win10v2004-20240412-en

remcos zgrat remotehost persistence rat

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

jburg.net:3363

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-Y4B0AA
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  689ef1d29c263f78c9626e00500983e2589d28068a72fadba9a4b04b7eafbcaf.exe
- Size
  
  856KB
- MD5
  
  72f2460abc3ae41fff469e110f3eaff3
- SHA1
  
  066ba1993f24e959b03edef4940d1b5ee9f5e18a
- SHA256
  
  689ef1d29c263f78c9626e00500983e2589d28068a72fadba9a4b04b7eafbcaf
- SHA512
  
  7627f7b0cfc2ca14e788b840601edc5460b36c8e386d39b2eda2283600e192a9c83b1f5fec93ef7eff0a9e54d80ab523780149fae65116a9af77753e8b01fcc8
- SSDEEP
  
  12288:7c8K/isRopeArTI4C8ilPYO0bJm1hEpA4kpNOxJNWBfTgtfBjLkvGpMeUPDpVU13:vK/LRopDTI4VOcHxJobgVRJww6k
Score

10^/10

zgrat persistence rat remcos remotehost
- Detect ZGRat V1
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

zgratpersistencerat

behavioral2

remcoszgratremotehostpersistencerat

© 2018-2024

Terms | Privacy