remcos | 609aaa35ee7b0582cb3e1e4e9f76d647c98377dac62eca602bf318578b61576f | Triage

Sharing

General

Target

30180908_signedpdf.vbs
Size

33KB
Sample

241129-k8k5jssnck
MD5

33788adfb67a0e0bf5a5fe58cb9c5617
SHA1

a62c45afa541fdcccc5c97c432c78ce55b0a7a5b
SHA256

609aaa35ee7b0582cb3e1e4e9f76d647c98377dac62eca602bf318578b61576f
SHA512

9da759eba3eee9ed6d1b804ed8d26f1f59831d49543e393b6adf462343d98dbefabc0314c673b31a4c52857e0d975edbb8304c0e1ee7a375fd71f446ab655a50
SSDEEP

768:WuEasaYzR+s1z3NkQpyhZ6d4nl3pVVCStrppuAP:zEasd+a3iQpy/V3/UStF3P

Score

10^/10

remcos remotehost discovery evasion rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

8766e34g8.duckdns.org:3782

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-93TSMD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  30180908_signedpdf.vbs
- Size
  
  33KB
- MD5
  
  33788adfb67a0e0bf5a5fe58cb9c5617
- SHA1
  
  a62c45afa541fdcccc5c97c432c78ce55b0a7a5b
- SHA256
  
  609aaa35ee7b0582cb3e1e4e9f76d647c98377dac62eca602bf318578b61576f
- SHA512
  
  9da759eba3eee9ed6d1b804ed8d26f1f59831d49543e393b6adf462343d98dbefabc0314c673b31a4c52857e0d975edbb8304c0e1ee7a375fd71f446ab655a50
- SSDEEP
  
  768:WuEasaYzR+s1z3NkQpyhZ6d4nl3pVVCStrppuAP:zEasd+a3iQpy/V3/UStF3P
Score

10^/10

remcos remotehost discovery evasion rat trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- UAC bypass
  evasion trojan
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Network Service Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostdiscoveryevasionrattrojan

behavioral2

remcosremotehostdiscoveryevasionrattrojan