remcos | d86206ff8c66f58ccf62d599a169fae3f250af701ef166bed4e566aded9c5704 | Triage

Sharing

General

Target

b0e3c9ecb2cbab4f3f697bfe6c28fa28_JaffaCakes118
Size

1.5MB
Sample

240616-aq7kqavfmq
MD5

b0e3c9ecb2cbab4f3f697bfe6c28fa28
SHA1

b10ca2dec7389dfa62fb324e08db375cfd215923
SHA256

d86206ff8c66f58ccf62d599a169fae3f250af701ef166bed4e566aded9c5704
SHA512

30cd4940aefcf21d60bea7c77a69aa6676a3135b6e8b1db1525d0808ccb1e67ab959f1462326158df7b9e8f1601afb8b754853061596d66f35f9fcbb0c036d19
SSDEEP

24576:cvyWSQzUgsnF8fEhd25SFg4ctaVhLhuZSFIHFVao+N1Or8lECARJAbWbrQ/gQQoj:n

Score

10^/10

remcos zgrat ablcpanyc persistence rat

Malware Config

Extracted

Family

remcos

Version

2.0.2 Pro

Botnet

ablcpanyc

C2

remmy.anythingwithalogo.ltd:30092

remmy.weichertfinancail.com:30091

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
amdrivers.exe
copy_folder
AMDI
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
7373hdjdhljd098381-ZYSJV4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
AMDI
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  b0e3c9ecb2cbab4f3f697bfe6c28fa28_JaffaCakes118
- Size
  
  1.5MB
- MD5
  
  b0e3c9ecb2cbab4f3f697bfe6c28fa28
- SHA1
  
  b10ca2dec7389dfa62fb324e08db375cfd215923
- SHA256
  
  d86206ff8c66f58ccf62d599a169fae3f250af701ef166bed4e566aded9c5704
- SHA512
  
  30cd4940aefcf21d60bea7c77a69aa6676a3135b6e8b1db1525d0808ccb1e67ab959f1462326158df7b9e8f1601afb8b754853061596d66f35f9fcbb0c036d19
- SSDEEP
  
  24576:cvyWSQzUgsnF8fEhd25SFg4ctaVhLhuZSFIHFVao+N1Or8lECARJAbWbrQ/gQQoj:n
Score

10^/10

remcos zgrat ablcpanyc persistence rat
- Detect ZGRat V2
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcoszgratablcpanycpersistencerat

behavioral2