remcos | cecb613e2e7877b680323862198f05c9634c1dc3e7c64ed95cc3154e9c5e9fd4 | Triage

Sharing

General

Target

cecb613e2e7877b680323862198f05c9634c1dc3e7c64ed95cc3154e9c5e9fd4.vbs
Size

86KB
Sample

241113-de2rwavfrb
MD5

acd9a75b2f33064da7ebef088ed16cb9
SHA1

8f51e47a0454c8032e2ecd90f85bb115e80b5f35
SHA256

cecb613e2e7877b680323862198f05c9634c1dc3e7c64ed95cc3154e9c5e9fd4
SHA512

06525377cfdc4e75fab11fd907a65c611bb9c880fe56bc68b3baa108b266e472813d3824969d6e6584c6b7d90b65379dfc633a15ef17bf24705a8195a5c657b3
SSDEEP

1536:970ty9v0kvBGd9pOpuoNvhvJELsj+qOhkqXzkx5c3cYdg51VWXaAj2yTk:9Qk9vh5U9QLzFOhbwx5c3cYdqVWrTk

Score

10^/10

remcos remotehost discovery evasion rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

dvlqrd8dhs.duckdns.org:46063

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-0IGFAQ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  cecb613e2e7877b680323862198f05c9634c1dc3e7c64ed95cc3154e9c5e9fd4.vbs
- Size
  
  86KB
- MD5
  
  acd9a75b2f33064da7ebef088ed16cb9
- SHA1
  
  8f51e47a0454c8032e2ecd90f85bb115e80b5f35
- SHA256
  
  cecb613e2e7877b680323862198f05c9634c1dc3e7c64ed95cc3154e9c5e9fd4
- SHA512
  
  06525377cfdc4e75fab11fd907a65c611bb9c880fe56bc68b3baa108b266e472813d3824969d6e6584c6b7d90b65379dfc633a15ef17bf24705a8195a5c657b3
- SSDEEP
  
  1536:970ty9v0kvBGd9pOpuoNvhvJELsj+qOhkqXzkx5c3cYdg51VWXaAj2yTk:9Qk9vh5U9QLzFOhbwx5c3cYdqVWrTk
Score

10^/10

discovery remcos remotehost evasion rat trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- UAC bypass
  evasion trojan
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Network Service Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

remcosremotehostdiscoveryevasionrattrojan