remcos | 04e2b3bc57598265f2410a36ae3bea12b4b649bf9723db064ce2c297f2cff693 | Triage

Submit
Reports

Overview

overview

Static

static

1

F723838674.vbs

windows10-1703-x64

F723838674.vbs

windows10-2004-x64

Sharing

General

Target

F723838674.vbs
Size

111KB
Sample

240418-rrhresff25
MD5

301cae9576ee15a2f86fb974a8683d57
SHA1

a397ff4172a2fa6ccd1b11b2d4a07c74a5543310
SHA256

04e2b3bc57598265f2410a36ae3bea12b4b649bf9723db064ce2c297f2cff693
SHA512

f2216a07fc86ac3f3c9040315fb42e8773f999662d6b14c557a647a282742027be9a5d79eb0e102297582e7ad2f6db48ca165bfee920311029683442bac79591
SSDEEP

1536:cG2ctiU1lBHFcJUJI+YZb5bJ9Gmgz/+rtfRDFqGb5uJZUU0tKl9CP8Z:cG2BU1DHFUGmgURDFBe0tKl9CP4

Score

10^/10

remcos xworm zgrat remotehost persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

F723838674.vbs

Resource

win10-20240404-en

remcos xworm zgrat remotehost persistence rat trojan

windows10-1703-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

F723838674.vbs

Resource

win10v2004-20240412-en

remcos xworm zgrat remotehost persistence rat trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

3.1

C2

aprilxrwo8450.duckdns.org:8450

Mutex

qF5e3kU5MtcMqia2

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

remcos

Botnet

RemoteHost

C2

remco8100.duckdns.org:8100

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-G51VNO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  F723838674.vbs
- Size
  
  111KB
- MD5
  
  301cae9576ee15a2f86fb974a8683d57
- SHA1
  
  a397ff4172a2fa6ccd1b11b2d4a07c74a5543310
- SHA256
  
  04e2b3bc57598265f2410a36ae3bea12b4b649bf9723db064ce2c297f2cff693
- SHA512
  
  f2216a07fc86ac3f3c9040315fb42e8773f999662d6b14c557a647a282742027be9a5d79eb0e102297582e7ad2f6db48ca165bfee920311029683442bac79591
- SSDEEP
  
  1536:cG2ctiU1lBHFcJUJI+YZb5bJ9Gmgz/+rtfRDFqGb5uJZUU0tKl9CP8Z:cG2BU1DHFUGmgURDFBe0tKl9CP4
Score

10^/10

remcos xworm zgrat remotehost persistence rat trojan
- Detect Xworm Payload
- Detect ZGRat V1
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

remcosxwormzgratremotehostpersistencerattrojan

behavioral2

remcosxwormzgratremotehostpersistencerattrojan

© 2018-2024

Terms | Privacy