remcos | f57baf38587fe0245e396c9b57664994be9a6f92e96d959fb251a6b7f00ddad5 | Triage

Sharing

General

Target

17aabf6d007520c94f8df8196c8066b6_JaffaCakes118
Size

288KB
Sample

240505-pnejgsdc34
MD5

17aabf6d007520c94f8df8196c8066b6
SHA1

941456ee84371a09d11e4b15f3887f660e260d34
SHA256

f57baf38587fe0245e396c9b57664994be9a6f92e96d959fb251a6b7f00ddad5
SHA512

b78e80fe53080cfee4e75ac481f199243f68a6c662ff691604247fc06ae306ce65680b4f7d31e5f2d65795752508e6c1b63a1150a49a073d3adea57e72fb5cd9
SSDEEP

6144:AuBQ3fWB3qOyuBGrl3/8xhKqwX7oAGdb+bDt6GbkLgHp7Lm:AuielqAB0P5qMGmDtzALcp7

Score

10^/10

remcos zgrat remotehost agilenet rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

185.84.181.89:3363

185.84.181.89:3362

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-MRGC3E
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

remcos

Version

2.0.5 Pro

Botnet

RemoteHost

C2

185.84.181.89:3363

185.84.181.89:3362

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-MRGC3E
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  17aabf6d007520c94f8df8196c8066b6_JaffaCakes118
- Size
  
  288KB
- MD5
  
  17aabf6d007520c94f8df8196c8066b6
- SHA1
  
  941456ee84371a09d11e4b15f3887f660e260d34
- SHA256
  
  f57baf38587fe0245e396c9b57664994be9a6f92e96d959fb251a6b7f00ddad5
- SHA512
  
  b78e80fe53080cfee4e75ac481f199243f68a6c662ff691604247fc06ae306ce65680b4f7d31e5f2d65795752508e6c1b63a1150a49a073d3adea57e72fb5cd9
- SSDEEP
  
  6144:AuBQ3fWB3qOyuBGrl3/8xhKqwX7oAGdb+bDt6GbkLgHp7Lm:AuielqAB0P5qMGmDtzALcp7
Score

10^/10

remcos zgrat remotehost agilenet rat
- Detect ZGRat V1
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

remcoszgratremotehostagilenetrat

behavioral2

remcoszgratremotehostagilenetrat