remcos | e50eab2b5a062ba0af3bec95fcf12637ac37e1d889c0cfbb6ae623d3bc25eb47 | Triage

Sharing

General

Target

svchost.vbs
Size

657KB
Sample

241111-v5xz2ssfra
MD5

640e23a0f55c4759add8aad509ace287
SHA1

1dffe657f1bdc51e0bbbdecb893fa66c171e7bb3
SHA256

e50eab2b5a062ba0af3bec95fcf12637ac37e1d889c0cfbb6ae623d3bc25eb47
SHA512

27e2b59d60d770a850e64600b7022ca5ddcab4b017e9d4aea6017e294fd70877b27d3b6b17618c10378d056e0bd5fba68356ff0d39e6af97cdbd0c88cd025913
SSDEEP

384:Tu/u/u/u/Hu/u/u/u/Hu/u/u/u/McQOkcGZI8bt2:6GGGWGGGWGGGjZkcwI8bt2

Score

10^/10

remcos nlk defense_evasion discovery execution rat

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://pastebin.com/raw/0FK5ax2D

Extracted

Family

remcos

Botnet

Nlk

C2

comandoespecial2023.duckdns.org:8888

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-3PWW8O
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  svchost.vbs
- Size
  
  657KB
- MD5
  
  640e23a0f55c4759add8aad509ace287
- SHA1
  
  1dffe657f1bdc51e0bbbdecb893fa66c171e7bb3
- SHA256
  
  e50eab2b5a062ba0af3bec95fcf12637ac37e1d889c0cfbb6ae623d3bc25eb47
- SHA512
  
  27e2b59d60d770a850e64600b7022ca5ddcab4b017e9d4aea6017e294fd70877b27d3b6b17618c10378d056e0bd5fba68356ff0d39e6af97cdbd0c88cd025913
- SSDEEP
  
  384:Tu/u/u/u/Hu/u/u/u/Hu/u/u/u/McQOkcGZI8bt2:6GGGWGGGWGGGjZkcwI8bt2
Score

10^/10

defense_evasion discovery execution remcos nlk rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

Command Obfuscation

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasiondiscoveryexecution

behavioral2

remcosnlkdefense_evasiondiscoveryexecutionrat