remcos | 07565a7b310e8082d9cfdaea1f0990c5b21ec6c08001272414cf63869019aa24 | Triage

Sharing

General

Target

FAKTURA-pdf-466366332.vbs
Size

484KB
Sample

241004-k2rczszdjh
MD5

90bd9fa957050b3641726fd4bb173281
SHA1

4fd94ee79b46a075b9cc10f9ceecaad705a19bf8
SHA256

07565a7b310e8082d9cfdaea1f0990c5b21ec6c08001272414cf63869019aa24
SHA512

769ec466d81b2fdc7e19741c0b71b41be1e746a0b582ff5913148b40993e7f6ab074ff73e44f4392bead209bba98a819cffaf4e8469ef44beaf1d54d435d1099
SSDEEP

12288:fCQNJjr/mJJw5NbHSoBFy8oJTaaPlI7lyxeBs9YVYzGqsYBnwhRD8PHNUvvtCC+y:46E9qAPuVb

Score

10^/10

remcos octobers discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

exe.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

Extracted

Family

remcos

Botnet

OCTOBERs

C2

ab9001.ddns.net:31944

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
VLC.exe
copy_folder
VLC
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Chrorne-CKQJ2Y
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Rmc
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  FAKTURA-pdf-466366332.vbs
- Size
  
  484KB
- MD5
  
  90bd9fa957050b3641726fd4bb173281
- SHA1
  
  4fd94ee79b46a075b9cc10f9ceecaad705a19bf8
- SHA256
  
  07565a7b310e8082d9cfdaea1f0990c5b21ec6c08001272414cf63869019aa24
- SHA512
  
  769ec466d81b2fdc7e19741c0b71b41be1e746a0b582ff5913148b40993e7f6ab074ff73e44f4392bead209bba98a819cffaf4e8469ef44beaf1d54d435d1099
- SSDEEP
  
  12288:fCQNJjr/mJJw5NbHSoBFy8oJTaaPlI7lyxeBs9YVYzGqsYBnwhRD8PHNUvvtCC+y:46E9qAPuVb
Score

10^/10

discovery execution remcos octobers rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

remcosoctobersdiscoveryexecutionrat