remcos | a46173f3115e45f7a55120e49b3a625d5198d1ea0b600a174ad05a27b9d3f92d | Triage

Sharing

General

Target

a46173f3115e45f7a55120e49b3a625d5198d1ea0b600a174ad05a27b9d3f92d.vbs
Size

156KB
Sample

240516-slc5esaf55
MD5

8a2a1b975419f7619d9580c2974ecdbc
SHA1

684125ffbbb03a5c1950976f8730d68dd01e5a63
SHA256

a46173f3115e45f7a55120e49b3a625d5198d1ea0b600a174ad05a27b9d3f92d
SHA512

02c6faa7fb9ecfeacc31468766a4ec7697d3a54c3dd0b98d9e0876c1135e468175f2e62a4344210843b9fff8e32068b65119d4a29b871c2414b11426d6dadb22
SSDEEP

1536:ZlGd99CObiFCocEW1aJK66n5yhtW0/5JpWn4ctDg0BhbUZlu9gISsRf:bGdw9JK6X/vcxg0Bhcg

Score

10^/10

remcos protected collection execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Protected

C2

janbours92harbu01.duckdns.org:3980

janbours92harbu01.duckdns.org:3981

janbours92harbu02.duckdns.org:3980

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
kajsoiestc.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
aksoiestgb-1YOAXH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  a46173f3115e45f7a55120e49b3a625d5198d1ea0b600a174ad05a27b9d3f92d.vbs
- Size
  
  156KB
- MD5
  
  8a2a1b975419f7619d9580c2974ecdbc
- SHA1
  
  684125ffbbb03a5c1950976f8730d68dd01e5a63
- SHA256
  
  a46173f3115e45f7a55120e49b3a625d5198d1ea0b600a174ad05a27b9d3f92d
- SHA512
  
  02c6faa7fb9ecfeacc31468766a4ec7697d3a54c3dd0b98d9e0876c1135e468175f2e62a4344210843b9fff8e32068b65119d4a29b871c2414b11426d6dadb22
- SSDEEP
  
  1536:ZlGd99CObiFCocEW1aJK66n5yhtW0/5JpWn4ctDg0BhbUZlu9gISsRf:bGdw9JK6X/vcxg0Bhcg
Score

10^/10

remcos protected collection execution persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosprotectedcollectionexecutionpersistencerat

behavioral2

remcosprotectedexecutionpersistencerat