remcos | b4eff9a95f5eeeaee8c4e4a8ce366f478acf9f309e1df6db8a93375045982c5a | Triage

Sharing

General

Target

b4eff9a95f5eeeaee8c4e4a8ce366f478acf9f309e1df6db8a93375045982c5a.vbs
Size

15KB
Sample

241126-drkdcsxrfn
MD5

84183b62bf0c860efeaea9604efbfe3a
SHA1

4cc58ad007613902ff2118cb7091042f37ba394f
SHA256

b4eff9a95f5eeeaee8c4e4a8ce366f478acf9f309e1df6db8a93375045982c5a
SHA512

916c80269eec78f3391e67819a3fa9a4a64a52a2e7909c5a2a3f310211e1aba01534a932f6df06df8d70ec0ea7d641c7e5b9b5e527045a6f27b65a128f19a81b
SSDEEP

384:WxaWEl8MDBPMpf/X1tBoCPSn5otbq+4Xs4kDyLuoWt:gEl8MDBPy3X7BoBCtbq+4XspDyHWt

Score

10^/10

remcos remotehost discovery evasion execution rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

gnsuw4-nsh6-mnsg.duckdns.org:3613

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-8OIXMO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  b4eff9a95f5eeeaee8c4e4a8ce366f478acf9f309e1df6db8a93375045982c5a.vbs
- Size
  
  15KB
- MD5
  
  84183b62bf0c860efeaea9604efbfe3a
- SHA1
  
  4cc58ad007613902ff2118cb7091042f37ba394f
- SHA256
  
  b4eff9a95f5eeeaee8c4e4a8ce366f478acf9f309e1df6db8a93375045982c5a
- SHA512
  
  916c80269eec78f3391e67819a3fa9a4a64a52a2e7909c5a2a3f310211e1aba01534a932f6df06df8d70ec0ea7d641c7e5b9b5e527045a6f27b65a128f19a81b
- SSDEEP
  
  384:WxaWEl8MDBPMpf/X1tBoCPSn5otbq+4Xs4kDyLuoWt:gEl8MDBPy3X7BoBCtbq+4XspDyHWt
Score

10^/10

remcos remotehost discovery evasion execution rat trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- UAC bypass
  evasion trojan
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostdiscoveryevasionexecutionrattrojan

behavioral2

remcosremotehostdiscoveryevasionexecutionrattrojan