remcos | eb649852277e737fe080956068d124299fdc7ff604436217d4438b86e3057d16 | Triage

Sharing

General

Target

19092024_0633_REMIT120924001INV.vbs.rar
Size

65KB
Sample

240919-hbcqssvflh
MD5

43416b55270ebd11a46e2f083992c4dc
SHA1

da954f6cc0d09ac854010c55abc95737b7ef9046
SHA256

eb649852277e737fe080956068d124299fdc7ff604436217d4438b86e3057d16
SHA512

6cebd6cec72a5ca13d215aea488b9900e7075614c402cf403050bc9c5038af372b5d81f6899363038771dcdd6bf7ea897fafc453654fb1a33a137007772f8b37
SSDEEP

1536:vykXhTAv093rhHdJ1A7sP9GzgN4eyOU1nb:1Xhkv0prFL27o9GzAyVxb

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Extracted

Family

remcos

Botnet

RemoteHost

C2

camzeroconnect.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-GT4655
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  REMIT120924001INV.vbs
- Size
  
  235KB
- MD5
  
  98558b2ec2e09d0a52805237acac44a1
- SHA1
  
  2256fc67c1b5bb8d9ef9c409d28ce9f3bd8afcfa
- SHA256
  
  dd3734aa5d87840394392fa9969dde8187f2ae2c27ff1b897c0929f012e079c8
- SHA512
  
  4c23f8ae54375aacef98360f0a0a763aa232014a7732857f917109d62e1295aee351ffd6c6a6069acb0d5fc2bdd92c83faa320d5201bfe26186290d304f4ad89
- SSDEEP
  
  6144:FlHwv///MsXttab5C/jPe3CIFn42RilWv:FlHG///1Xtkb5CbPe3CKNklc
Score

10^/10

execution remcos remotehost discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

remcosremotehostdiscoveryexecutionrat