General

  • Target

    12112024_2354_HENIKENPLANT PROJECT PROPOSAL BID_24-0976·pdf.vbs.zip

  • Size

    46KB

  • Sample

    241112-3yaj6ssmf1

  • MD5

    b8139620c62a11d5da99bdfa7be91a54

  • SHA1

    3986c0f96338ace1be1685732c47f83e015c4f15

  • SHA256

    2dab1acea5b79b5bb50211ea2b6f9c62059c5c1dc0bdd26a82e3b8a22a685330

  • SHA512

    a0bc41d49607e892b2deb40b239b219485a21d776574ca9ff3f368b028dafd0b54d16c3ca33633c3c7ead20317809124d7300c95901e11a744a46fd932e03108

  • SSDEEP

    768:GEFQOVLjf0gRHK0G7/wpTGnnrqsb7YSxDoVYGrn9mRSRBjPM1VJdw0HwUMg4/1/L:GEqOVLjf0gRHsITGnVYuDoCGbktVJFnq

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    RemoteHost

  • C2

    dvlqrd8dhs.duckdns.org:46063

Attributes

  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-0IGFAQ

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      HENIKENPLANT PROJECT PROPOSAL BID_24-0976·pdf.vbs

    • Size

      86KB

    • MD5

      acd9a75b2f33064da7ebef088ed16cb9

    • SHA1

      8f51e47a0454c8032e2ecd90f85bb115e80b5f35

    • SHA256

      cecb613e2e7877b680323862198f05c9634c1dc3e7c64ed95cc3154e9c5e9fd4

    • SHA512

      06525377cfdc4e75fab11fd907a65c611bb9c880fe56bc68b3baa108b266e472813d3824969d6e6584c6b7d90b65379dfc633a15ef17bf24705a8195a5c657b3

    • SSDEEP

      1536:970ty9v0kvBGd9pOpuoNvhvJELsj+qOhkqXzkx5c3cYdg51VWXaAj2yTk:9Qk9vh5U9QLzFOhbwx5c3cYdqVWrTk

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Remcos family

    • UAC bypass

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Legitimate hosting services abused for malware hosting/C2

    • Network Service Discovery

      Attempts to gather information on the host's network.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15