General

  • Target

    babc0e3f52501b3128c5b0d806696a82c6575d7194a721d0e354d9bc7b077d91.vbs

  • Size

    14KB

  • Sample

    240827-dhfzks1fjk

  • MD5

    329dfc361f947067523bc6bd4ede3704

  • SHA1

    6a4af6bf2e7a18546baf6400265a11aa497ef7d5

  • SHA256

    babc0e3f52501b3128c5b0d806696a82c6575d7194a721d0e354d9bc7b077d91

  • SHA512

    0a72676837420fd796a4103ab36f998864dc51d88d5c5a0fa7cff3d809a9cd6bde2ca36f98ef2d65f2eb8ecef8d2a2f70e8f9ee5b6d7594da3910177215fc791

  • SSDEEP

    384:48a2+xQ8ihF50q7d395LE7UPJmxNSiMFpW7:4lxQRh3R3952gW24

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

rcmx.duckdns.org:57870

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-C6XZAO

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Enumerates processes with tasklist

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15