remcos

General

Target

love.exe
Size

378KB
Sample

241226-zc72rsyngz
MD5

e83915bdfb53ea92d7c658df791ee350
SHA1

8491c706d9d3ea15ff499c9dd987578edaea7b26
SHA256

6f97b94fb0193b0a04080a069af5c0c04a47d92886379a4cb85d8905ebff93ce
SHA512

f91e068d35104c81109128b05592591edced18e0a07b052b847a1461f2900541fdc369630e7fc8b0950bbde8335627e3fd30cf058f00bb277d925d9f4a1daccd
SSDEEP

1536:SHqDZO7Obu55kNep+0Ze0fgZwRgg/JMbw3/uTh/y0qsmM4ZdyNNnttBQxLfPKgoN:SHq9O7ObPNghM42UyF

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

nickman12-46565.portmap.io:46565

nickman12-46565.portmap.io:1735

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Userdata.exe
copy_folder
Userdata
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%WinDir%\System32
mouse_option
false
mutex
remcos_vcexssuhap
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

warzonerat

C2

168.61.222.215:5400

Extracted

Path

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Extracted

Path

C:\svchost\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Targets

- Target
  
  love.exe
- Size
  
  378KB
- MD5
  
  e83915bdfb53ea92d7c658df791ee350
- SHA1
  
  8491c706d9d3ea15ff499c9dd987578edaea7b26
- SHA256
  
  6f97b94fb0193b0a04080a069af5c0c04a47d92886379a4cb85d8905ebff93ce
- SHA512
  
  f91e068d35104c81109128b05592591edced18e0a07b052b847a1461f2900541fdc369630e7fc8b0950bbde8335627e3fd30cf058f00bb277d925d9f4a1daccd
- SSDEEP
  
  1536:SHqDZO7Obu55kNep+0Ze0fgZwRgg/JMbw3/uTh/y0qsmM4ZdyNNnttBQxLfPKgoN:SHq9O7ObPNghM42UyF
Score

10^/10

remcos revengerat wannacry warzonerat guest host bootkit credential_access defense_evasion discovery evasion execution impact infostealer persistence ransomware rat rezer0 stealer trojan upx worm
- Modifies WinLogon for persistence
  persistence
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Revengerat family
  revengerat
- UAC bypass
  evasion trojan
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Wannacry family
  wannacry
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzonerat family
  warzonerat
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Renames multiple (52) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- RevengeRat Executable
  stealer
- Warzone RAT payload
  rat
- Disables Task Manager via registry modification
  evasion
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1