remcos | afbd22ee9bd00bc71554de232ad2864d09011d0c5b8092b192172db9a58abda2 | Triage

Submit
Reports

Overview

overview

Static

static

1

Arrival Notice.vbs

windows7-x64

Arrival Notice.vbs

windows10-2004-x64

Sharing

General

Target

Arrival Notice.vbs
Size

10KB
Sample

241216-jyt42aspam
MD5

edd6dd584636576b9ed73d01a8dc2d71
SHA1

fa62d8bdc40beecdf037ed9da244730c685716ee
SHA256

afbd22ee9bd00bc71554de232ad2864d09011d0c5b8092b192172db9a58abda2
SHA512

d92a481d431ff3e8e7bd280299f6cb69b01592c14248d9077f32b4b7080d31c1cf0e599e87cfcd5b2ae2817b728c991b86d51d28c8ce8846eb04b2b503b216eb
SSDEEP

192:rz+4vQA3AcB5wF3VtGBpHvFoY0+PcazUpa4N1FPE0Jcct9n72f:v+4vX3AcBKtCPHvOYBP7QMwjECtlQ

Score

10^/10

remcos remotehost collection discovery rat

Static task

static1

Behavioral task

behavioral1

Sample

Arrival Notice.vbs

Resource

win7-20241010-en

remcos remotehost collection discovery rat

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

Arrival Notice.vbs

Resource

win10v2004-20241007-en

remcos remotehost collection discovery rat

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

154.216.17.190:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-3W6OXK
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Arrival Notice.vbs
- Size
  
  10KB
- MD5
  
  edd6dd584636576b9ed73d01a8dc2d71
- SHA1
  
  fa62d8bdc40beecdf037ed9da244730c685716ee
- SHA256
  
  afbd22ee9bd00bc71554de232ad2864d09011d0c5b8092b192172db9a58abda2
- SHA512
  
  d92a481d431ff3e8e7bd280299f6cb69b01592c14248d9077f32b4b7080d31c1cf0e599e87cfcd5b2ae2817b728c991b86d51d28c8ce8846eb04b2b503b216eb
- SSDEEP
  
  192:rz+4vQA3AcB5wF3VtGBpHvFoY0+PcazUpa4N1FPE0Jcct9n72f:v+4vX3AcBKtCPHvOYBP7QMwjECtlQ
Score

10^/10

remcos remotehost collection discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook accounts
  collection
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostcollectiondiscoveryrat

behavioral2

remcosremotehostcollectiondiscoveryrat

© 2018-2024

Terms | Privacy