remcos | e4c5f96a9fbb32b0754fba2c4bd4a3773a77d8018b7aa5d572b067777de7165b | Triage

Sharing

General

Target

e4c5f96a9fbb32b0754fba2c4bd4a3773a77d8018b7aa5d572b067777de7165b.vbs
Size

26KB
Sample

241022-cdrd3ssdjj
MD5

1c78cc71bf8db131a33f156feff9ec4d
SHA1

af06e517411ac017868488d8a7173bb2d5d98012
SHA256

e4c5f96a9fbb32b0754fba2c4bd4a3773a77d8018b7aa5d572b067777de7165b
SHA512

868f20c758607c5e98310a437eb621246928564936ab6fb311f825ec0554b1181eacbddd9335b897fe85e488fc2feba69009a5f5c5539a76f605c22ae5948a32
SSDEEP

384:XrCiX5aUO2sEZovx4IhH4iwTrUtngui1/92lP8oyrZsqfQAU:Xe+pvyl4vT4o3/rm

Score

10^/10

remcos rem discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Rem

C2

blackass.duckdns.org:65253

blackass.duckdns.org:53241

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-K8KWVT
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  e4c5f96a9fbb32b0754fba2c4bd4a3773a77d8018b7aa5d572b067777de7165b.vbs
- Size
  
  26KB
- MD5
  
  1c78cc71bf8db131a33f156feff9ec4d
- SHA1
  
  af06e517411ac017868488d8a7173bb2d5d98012
- SHA256
  
  e4c5f96a9fbb32b0754fba2c4bd4a3773a77d8018b7aa5d572b067777de7165b
- SHA512
  
  868f20c758607c5e98310a437eb621246928564936ab6fb311f825ec0554b1181eacbddd9335b897fe85e488fc2feba69009a5f5c5539a76f605c22ae5948a32
- SSDEEP
  
  384:XrCiX5aUO2sEZovx4IhH4iwTrUtngui1/92lP8oyrZsqfQAU:Xe+pvyl4vT4o3/rm
Score

10^/10

discovery execution remcos rem persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

remcosremdiscoveryexecutionpersistencerat