remcos | 4ab223a4ed0eaced6dc3a2cc74953a453770bb030336f349cd37f2ef24b65c30 | Triage

Sharing

General

Target

sostener.vbs
Size

2.8MB
Sample

240826-fj5ensxfjr
MD5

9f31e7ec269ef7f755b7bd75e0579b18
SHA1

bdfa3e314195f23437a420782b4912e60a685a96
SHA256

4ab223a4ed0eaced6dc3a2cc74953a453770bb030336f349cd37f2ef24b65c30
SHA512

9aec4444247c4f4b8c0a0203dec53abc3fe64de2c2e86de79e57ecd003920d2ffacef90c09afcfdb51e61df98dcc3423feeaa97eade1a6e6854adc8ff10e8b3c
SSDEEP

192:8rkrkrErErErErErkrkrErErErErErkrkrErErErErErkrkrErErErErErkrkrE1:2WPE09IvR4

Score

10^/10

remcos matrix fenix*discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://pastebin.com/raw/V9y5Q5vv

Extracted

Family

remcos

Botnet

Matrix Fenix*

C2

newssssssssssssss.duckdns.org:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
registros.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-XDNGQ0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Capturas de pantalla
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  sostener.vbs
- Size
  
  2.8MB
- MD5
  
  9f31e7ec269ef7f755b7bd75e0579b18
- SHA1
  
  bdfa3e314195f23437a420782b4912e60a685a96
- SHA256
  
  4ab223a4ed0eaced6dc3a2cc74953a453770bb030336f349cd37f2ef24b65c30
- SHA512
  
  9aec4444247c4f4b8c0a0203dec53abc3fe64de2c2e86de79e57ecd003920d2ffacef90c09afcfdb51e61df98dcc3423feeaa97eade1a6e6854adc8ff10e8b3c
- SSDEEP
  
  192:8rkrkrErErErErErkrkrErErErErErkrkrErErErErErkrkrErErErErErkrkrE1:2WPE09IvR4
Score

10^/10

execution remcos matrix fenix*discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

remcosmatrix fenix*discoveryexecutionrat