remcos | 294e5c76161635ca9f0f5ffe826a41df8b4633b5679823c2ce9eb3b1fe0641b1 | Triage

Sharing

General

Target

f6608b904a92e15496cece9cc754dbce_JaffaCakes118
Size

169KB
Sample

240925-tl9dasxfrf
MD5

f6608b904a92e15496cece9cc754dbce
SHA1

5cce0bb47db5735d12ce0495e50066d8fc8255dd
SHA256

294e5c76161635ca9f0f5ffe826a41df8b4633b5679823c2ce9eb3b1fe0641b1
SHA512

318e3a7faf2055516a6e67e5843a164fe0c52981e155186eb1e50782c19056fbeb672e499aef348e7639767ca08aa459b0b3b51de5a4f1c0e0d76cadea0fe1ba
SSDEEP

3072:AYx8tq909JZRvwNcbpVTkHEq8WzOjSZiU/2MeQMMoc4NDJD0R7T9FD1LI8jwjj4L:A08tAwJZRvAcVpovL32Goc4FJ4R71U85

Score

10^/10

remcos grace and mercy logs discovery rat

Malware Config

Extracted

Family

remcos

Version

2.7.2 Pro

Botnet

grace and mercy logs

C2

103.153.77.83:4348

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Execel.exe
copy_folder
Execel
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Execel
keylog_path
%AppData%
mouse_option
false
mutex
Execel-X7W93K
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Execel
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Targets

- Target
  
  Techline Services Inc.exe
- Size
  
  234KB
- MD5
  
  e2ccfaf4d44c36b5654174b3f341a2f9
- SHA1
  
  163ad4b931cf150d72b4408322f710d59fff96de
- SHA256
  
  cc17e0a75ce1d2770db5ab70177b9ffa3665d7c46290a9c61deef05e41fb48f2
- SHA512
  
  8b291eea1e2458ac3c6c5a97ceeb7184a672496da75f758249e6ac7f0533612610f286bfd203ea667017b880ca79fa58c392b4e62bed8ada4c0b14831c392fe9
- SSDEEP
  
  3072:SBkfJpRXATwMdFCcv6k3bpcmH0IvkHEq8bvgjSZiU/2MeQMMoc4EDJgTR7T9AD1s:SqjIprpvLoa532Goc42JERY1U8acYt
Score

10^/10

remcos grace and mercy logs discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  fccff8cb7a1067e23fd2e2b63971a8e1
- SHA1
  
  30e2a9e137c1223a78a0f7b0bf96a1c361976d91
- SHA256
  
  6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
- SHA512
  
  f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
- SSDEEP
  
  192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  hjfeu2x8wxnb82.dll
- Size
  
  16KB
- MD5
  
  c5aeacd25be37723c7ffaab31ad6d639
- SHA1
  
  f5364bdbb0b85f15b61db6ddfea44d904481df46
- SHA256
  
  5b46289cb721008f2125b81abbe28be5ce09c9aafdbb19139b6f77ce921c0bc8
- SHA512
  
  3dc1b6d8b86674297d872efbbd9c3295a39d8ec9bf082982aea94de658d917e4b63ad762b8e1a738d29d06875625363fa02329a3cb5d48d9f40ba100145b98fe
- SSDEEP
  
  384:pa8Vjdm7Deaerqk+ln3IsPmKb2Jmk3K+Swfw:p1dm7DViqkun3I62J9f
Score

3^/10

discovery
behavioral5 behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosgrace and mercy logsdiscoveryrat

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6