remcos | e38472a309a8c98d56f4d3384be87b4f619f93c8af02ca9c08236e20987b380c | Triage

Sharing

General

Target

asegurar.vbs
Size

28.3MB
Sample

241108-phrlvsscnd
MD5

c0ed2b0e377b227dfb57b9a15d2aa4ca
SHA1

38682b968d3129be8a3f09adab322d43b0696626
SHA256

e38472a309a8c98d56f4d3384be87b4f619f93c8af02ca9c08236e20987b380c
SHA512

666a0318951de29990c44a7221a7d35f486465d615036342f1634f88f8c57988f408ead979f9d3aa00780db8c07fb225324cff1343f1d1c01c09f781fbf41630
SSDEEP

192:GmpppdpppdpppQvvK6/OkFpbN0RwdU+0lKUntFw/MPKh:XpppdpppdpppyiQOkctymA

Score

10^/10

remcos nt defense_evasion discovery execution rat

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://pastebin.com/raw/J6uRjZrv

Extracted

Family

remcos

Botnet

Nt

C2

sremc.duckdns.org:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-29CPLV
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  asegurar.vbs
- Size
  
  28.3MB
- MD5
  
  c0ed2b0e377b227dfb57b9a15d2aa4ca
- SHA1
  
  38682b968d3129be8a3f09adab322d43b0696626
- SHA256
  
  e38472a309a8c98d56f4d3384be87b4f619f93c8af02ca9c08236e20987b380c
- SHA512
  
  666a0318951de29990c44a7221a7d35f486465d615036342f1634f88f8c57988f408ead979f9d3aa00780db8c07fb225324cff1343f1d1c01c09f781fbf41630
- SSDEEP
  
  192:GmpppdpppdpppQvvK6/OkFpbN0RwdU+0lKUntFw/MPKh:XpppdpppdpppyiQOkctymA
Score

10^/10

defense_evasion discovery execution remcos nt rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

Command Obfuscation

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasiondiscoveryexecution

behavioral2

remcosntdefense_evasiondiscoveryexecutionrat