General

  • Target

    fa24f9da95f1fc7861963a6f7b023b48_JaffaCakes118

  • Size

    1.1MB

  • Sample

    241218-fcxq9avmhm

  • MD5

    fa24f9da95f1fc7861963a6f7b023b48

  • SHA1

    fc374ac00c7d1f6c1ccba36cd0a15347093597e6

  • SHA256

    e291787eb38a6bd40ca70158d8873ee4f9d8efe22906edf703f0ea2b8af3c248

  • SHA512

    ac9c01e5da811bb448113fd11974b4bcc979b5ac4bce127ef0f15891c0d5e4af28f1a10df22da800090969c9d8b4e37d6d7866885217788e84fda69748fd885c

  • SSDEEP

    24576:5IZhz+5Biv4lGJl39zRvpRsw6LLAnqrkh:5ChyivBr1Rv4w6vAnqgh

Malware Config

Extracted

  • Family

    remcos

  • Version

    3.2.0 Pro

  • Botnet

    RemoteHost

  • C2

    45.137.22.101:5888

Attributes

  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-3RVIAE

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Targets

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Remcos family

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Uses the VBS compiler for execution

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks