remcos | 670cb64bd0bbb0baf70d835715afa71ab16e20b3b409e66a2fd5fedfdb375f2b | Triage

Sharing

General

Target

Faktura_82666410_1361590461·pdf.vbe
Size

74KB
Sample

240930-jspblatejm
MD5

f1a0355012d13febdfb56ee8d2b38012
SHA1

38fb764e45b496b63b7a49713fac2b411cfc524b
SHA256

670cb64bd0bbb0baf70d835715afa71ab16e20b3b409e66a2fd5fedfdb375f2b
SHA512

5b2b82e2b7fef9f2d1725ee2a13a98c415880abb41e5c7c7d3fedaed67b7b3decc616f5f12ae9231859f01ca56b31fcf16d0da4b90904a740ad8ba8a882b27fa
SSDEEP

1536:spE42QeC4Ud8kA8fEXzY+gRj+u6/GgRIHSHMy+eQ74Zf:sprLeyAsEtu6uKAO5f

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WDQFG0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Faktura_82666410_1361590461·pdf.vbe
- Size
  
  74KB
- MD5
  
  f1a0355012d13febdfb56ee8d2b38012
- SHA1
  
  38fb764e45b496b63b7a49713fac2b411cfc524b
- SHA256
  
  670cb64bd0bbb0baf70d835715afa71ab16e20b3b409e66a2fd5fedfdb375f2b
- SHA512
  
  5b2b82e2b7fef9f2d1725ee2a13a98c415880abb41e5c7c7d3fedaed67b7b3decc616f5f12ae9231859f01ca56b31fcf16d0da4b90904a740ad8ba8a882b27fa
- SSDEEP
  
  1536:spE42QeC4Ud8kA8fEXzY+gRj+u6/GgRIHSHMy+eQ74Zf:sprLeyAsEtu6uKAO5f
Score

10^/10

remcos remotehost discovery execution rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostdiscoveryexecutionrat

behavioral2

remcosremotehostdiscoveryexecutionrat