remcos | 8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433 | Triage

Submit
Reports

Overview

overview

Static

static

3

8ff4e6a597...33.exe

windows7-x64

8ff4e6a597...33.exe

windows10-2004-x64

Sharing

General

Target

8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433
Size

2.4MB
Sample

240513-lqe19ahg95
MD5

6e409c732339d8d71f87666d591f9856
SHA1

d9c0a478f02642fbbbc1c3739f765a754e7fad78
SHA256

8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433
SHA512

7a16b1e81379a2ad666b6c4ef5ebf610c5d63a6eecdb7452ac98e83da50cca5cbd4395fb41a0dec7f94fb92f16da2d32de45d8eb11585aaa3739c155a5e5971d
SSDEEP

49152:zlVv/kvowwe0hJzJiwK+zM5awNMaL2TQG9ivR6jfu4Wv+eys1n0qdT0luyKYA:L/g0hJzHzXvTQGfjfu5Ty006xy

Score

10^/10

remcos zgrat spacolombia persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433.exe

Resource

win7-20240508-en

remcos zgrat spacolombia persistence rat

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433.exe

Resource

win10v2004-20240426-en

zgrat persistence rat

windows10-2004-x64

7 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

spacolombia

C2

areaseguras.con-ip.com:2701

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
loggsd
keylog_path
%AppData%
mouse_option
false
mutex
Rmc12145501-WMWIXV
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433
- Size
  
  2.4MB
- MD5
  
  6e409c732339d8d71f87666d591f9856
- SHA1
  
  d9c0a478f02642fbbbc1c3739f765a754e7fad78
- SHA256
  
  8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433
- SHA512
  
  7a16b1e81379a2ad666b6c4ef5ebf610c5d63a6eecdb7452ac98e83da50cca5cbd4395fb41a0dec7f94fb92f16da2d32de45d8eb11585aaa3739c155a5e5971d
- SSDEEP
  
  49152:zlVv/kvowwe0hJzJiwK+zM5awNMaL2TQG9ivR6jfu4Wv+eys1n0qdT0luyKYA:L/g0hJzHzXvTQGfjfu5Ty006xy
Score

10^/10

remcos zgrat spacolombia persistence rat
- Detect ZGRat V1
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcoszgratspacolombiapersistencerat

behavioral2

zgratpersistencerat

© 2018-2024

Terms | Privacy