remcos | 9c8d938fa26b1e84b232b42fa28ec29a4ae1346096da76bba7e426acb8b14ba6 | Triage

Sharing

General

Target

c28cd37019c977a5a411bf72607e0a3e_JaffaCakes118
Size

479KB
Sample

240826-jgrbtasekh
MD5

c28cd37019c977a5a411bf72607e0a3e
SHA1

19e5f78ea897b2665057a8f69b6f049db5e400e0
SHA256

9c8d938fa26b1e84b232b42fa28ec29a4ae1346096da76bba7e426acb8b14ba6
SHA512

2c391d450a90a546dae9a3c27575324cf4c97164b4efa9b50a84cdfd8236bc14e349f39c1de44b1304879ec53c4c872ffbb5cb9796f2b483936c793a7fc5d2ae
SSDEEP

3072:5gO4/iKv9kK6hCrn495ZDkY2w7L3cflBoCqSMzNosB8bgC8BNJD5ctKmIhT6qC19:Z/ht9Hgt+C4pzK58ButcdEvmvSk8b5

Score

10^/10

remcos doc-plugin discovery rat

Malware Config

Extracted

Family

remcos

Botnet

DOC-Plugin

C2

iwantcheats.xyz:1348

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
tyu.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
dfchgghFTYcfthc-GDL63T
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

remcos

Version

2.0.5 Pro

Botnet

DOC-Plugin

C2

iwantcheats.xyz:1348

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
tyu.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
dfchgghFTYcfthc-GDL63T
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  c28cd37019c977a5a411bf72607e0a3e_JaffaCakes118
- Size
  
  479KB
- MD5
  
  c28cd37019c977a5a411bf72607e0a3e
- SHA1
  
  19e5f78ea897b2665057a8f69b6f049db5e400e0
- SHA256
  
  9c8d938fa26b1e84b232b42fa28ec29a4ae1346096da76bba7e426acb8b14ba6
- SHA512
  
  2c391d450a90a546dae9a3c27575324cf4c97164b4efa9b50a84cdfd8236bc14e349f39c1de44b1304879ec53c4c872ffbb5cb9796f2b483936c793a7fc5d2ae
- SSDEEP
  
  3072:5gO4/iKv9kK6hCrn495ZDkY2w7L3cflBoCqSMzNosB8bgC8BNJD5ctKmIhT6qC19:Z/ht9Hgt+C4pzK58ButcdEvmvSk8b5
Score

10^/10

remcos doc-plugin discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Drops startup file
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Scripting

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Scripting

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosdoc-plugindiscoveryrat

behavioral2

remcosdoc-plugindiscoveryrat