remcos | 45fc6967935f84f02714f9ac150f6c7ff75ca0c51b45a6816840e70cdd4e280b | Triage

Submit
Reports

Overview

overview

Static

static

1

shipping documents.js

windows7-x64

shipping documents.js

windows10-2004-x64

Sharing

General

Target

shipping documents.js
Size

671KB
Sample

240819-qk4jwazbjq
MD5

81c64242c41cb08fb5128c12435a2158
SHA1

ca09545b9d458f8be936994f2a886fd62adb0a6b
SHA256

45fc6967935f84f02714f9ac150f6c7ff75ca0c51b45a6816840e70cdd4e280b
SHA512

55b22d2e13ab013efefff3a6ebb19089b97531ed6a6593df74994e1f946adfa84adee9aa488a0688ad7caa9f5cc38ac3a2e03919b524afb744f829186d07e995
SSDEEP

12288:ljglKDTe5LWuz7rFaXXSTIUqIb8avc9AFjIpu6gXyP4jrWJ9YjXZOETws6MpBj+j:+vq0Z6udjVEG6UILx

Score

10^/10

remcos boma -august-crypt-tools- uju discovery execution persistence rat upx

Static task

static1

Behavioral task

behavioral1

Sample

shipping documents.js

Resource

win7-20240705-en

discovery execution

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

shipping documents.js

Resource

win10v2004-20240802-en

remcos boma -august-crypt-tools- uju discovery execution persistence rat upx

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

exe.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

Extracted

Family

remcos

Botnet

BOMA -AUGUST-CRYPT-TOOLS- UJU

C2

myfrontmannysix.ddns.net:4939

backupfrontmanny.duckdns.org:4939

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
dghf.exe
copy_folder
uiyk
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%Temp%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
jjs-djk-skd-3M43BB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  shipping documents.js
- Size
  
  671KB
- MD5
  
  81c64242c41cb08fb5128c12435a2158
- SHA1
  
  ca09545b9d458f8be936994f2a886fd62adb0a6b
- SHA256
  
  45fc6967935f84f02714f9ac150f6c7ff75ca0c51b45a6816840e70cdd4e280b
- SHA512
  
  55b22d2e13ab013efefff3a6ebb19089b97531ed6a6593df74994e1f946adfa84adee9aa488a0688ad7caa9f5cc38ac3a2e03919b524afb744f829186d07e995
- SSDEEP
  
  12288:ljglKDTe5LWuz7rFaXXSTIUqIb8avc9AFjIpu6gXyP4jrWJ9YjXZOETws6MpBj+j:+vq0Z6udjVEG6UILx
Score

10^/10

discovery execution remcos boma -august-crypt-tools- uju persistence rat upx
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

remcosboma -august-crypt-tools- ujudiscoveryexecutionpersistenceratupx

© 2018-2025

Terms | Privacy