remcos | e9062b389f195ee7e6069dc65455ff755d58e89879c16a853dd5095ba290d8dd | Triage

Sharing

General

Target

JaffaCakes118_e9062b389f195ee7e6069dc65455ff755d58e89879c16a853dd5095ba290d8dd
Size

630KB
Sample

241222-g35p8axnar
MD5

3e6c4e69e2525a15778e03e078e58d98
SHA1

4821c208e7b2e87c7668a9fe8c145725d107c2e8
SHA256

e9062b389f195ee7e6069dc65455ff755d58e89879c16a853dd5095ba290d8dd
SHA512

755a89e83a73f4595fe719ae2560aa5c8584b30d50a9132eb5cbb1f0a792a5d1c486ed2965039d626866a777830929618dc754adcc4c071d9531e7a595849173
SSDEEP

12288:/tSQ/nVpWXX5DreifLGQbbv3NDOsnJ3FDKhYF5Sz29dlLGbL57eLrKE:lSQ/nWYetbZBn++SzMQyvKE

Score

10^/10

remcos grace-log discovery execution rat

Malware Config

Extracted

Family

remcos

Version

3.0.1 Pro

Botnet

grace-log

C2

103.114.107.184:20903

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
chrome.exe
copy_folder
chrome
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
chrome
keylog_path
%AppData%
mouse_option
false
mutex
chrome-HJWT0Z
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
chrome
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Targets

- Target
  
  SKBMT_ Bank Transfer Notification 9880B904_ PDF.exe
- Size
  
  830KB
- MD5
  
  36e01a35015bb0f32f6e488aaaab5e12
- SHA1
  
  65cd21c6e6203e6d07e95a6a77124286d43cbbbf
- SHA256
  
  0a9f29a917636cc7f9a8c087046d5712e2c23ef103bce73a1f56d913336728d5
- SHA512
  
  4ac48c95f0e30b66deb37d8a2d432eb0be396dc7af7436fa4f916812c9dd3d365d314f3f0dad82ae196546001d96d4495107b6448820d65111d28244a49cf2d4
- SSDEEP
  
  24576:GJ+Jkfw1F4ArlMPWRcXBJN6G3xxmYGyr:GA6O4ArlMuSgGhxay
Score

10^/10

remcos grace-log discovery execution rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosgrace-logdiscoveryexecutionrat

behavioral2

remcosgrace-logdiscoveryexecutionrat