General

  • Target

    c3d9a6a1290c8e33ca03a8ede1e154fc6a4b9f004b42194ff997569ed1f56518

  • Size

    10KB

  • Sample

    241010-ch3ynszfjq

  • MD5

    568d5fbaa207f1e4a31d5ec42412bf55

  • SHA1

    db000386354a901e0cce9fe64392d6fb16961d58

  • SHA256

    c3d9a6a1290c8e33ca03a8ede1e154fc6a4b9f004b42194ff997569ed1f56518

  • SHA512

    aaf39f457075c7ad1778492441c5708261c64acc047e42aa094afa26170f7a6c5b38e51a42a58ccb59fc68902f4e4dccc2cd518458fd03208c0e82235a6f7d25

  • SSDEEP

    192:EU2c7qw98R3z11Eh2l3aQEwy4HgklGExjgWNJmkthudqjl1tmuvAvKcslj2TP+L:B97z9S11/l3nEuHgklGK0AmkruIguovS

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

154.216.18.65:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-UXHRJ7

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Customs Export Approval Clearance Certification form.vbs

    • Size

      19KB

    • MD5

      47d399062d4aff0aaf4af530b2abe8a5

    • SHA1

      2eb30689b62c98dfb081f39b8ea1a2fb4dc6a0c6

    • SHA256

      600be75e7c1aee18fbbd83a402f6ae6717813daff6e610a9d45a46f9c856c382

    • SHA512

      94882a06a23c92b12b4a33eb16d5000676bc7c3c71384def877b22a55201b1c019f6dc334589acec7ea6a2006b3fb1b1d83cc4438952cda74aac52e9226e7655

    • SSDEEP

      384:245uPIaVI9kcnqPIsLXZljDSL5dcWyJeWdClNCwSZxNmgA0:WPIaVI9NqAwZdSLsbCHSLNj

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Detected Nirsoft tools

      Free utilities, often used by attackers, that can recover passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Accesses Microsoft Outlook accounts

    • Network Service Discovery

      Attempts to gather information on the host's network.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks