remcos | e42065b2d3de06cb244055718fe5fe7536fb74c40282d596814d88406ef709c1 | Triage

Sharing

General

Target

JaffaCakes118_e42065b2d3de06cb244055718fe5fe7536fb74c40282d596814d88406ef709c1
Size

452KB
Sample

241229-lm4v7sylev
MD5

fcf484c9a28867f4585d65918dc8e43d
SHA1

e030948fbede3e828e315fa3cad4ba54fb2dc163
SHA256

e42065b2d3de06cb244055718fe5fe7536fb74c40282d596814d88406ef709c1
SHA512

349891c82fc131056b270f38c7859ca282c63d333c91fb608ba380c441faf611cf32aa34fa4638a1c69855e9262702f249b1afe464a96c70e2738892d149ed78
SSDEEP

6144:g8LxB60+uhQMjtesLf0s7BFy/eP5Qky1NtbS/R9asZa2YL9dp:N+uhQMjtebozOXHSDasZar1

Score

10^/10

remcos jimbo discovery rat

Malware Config

Extracted

Family

remcos

Version

2.7.2 Pro

Botnet

jimbo

C2

wealthgod456.ddns.net:4479

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-6CWFR4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Targets

- Target
  
  New Order #86-55113,pdf.exe
- Size
  
  390KB
- MD5
  
  acbee350b83dd21753787b9b1588e0e0
- SHA1
  
  7f3c2ddc8ee02369273d0e4cce57ee8608d761a5
- SHA256
  
  b01e1958972ec443b2761f85f6aec66acfb99d239d4b402d5a345272c72738e7
- SHA512
  
  b7e6cd8e79306af8fdc2bf759be58525ec82ec1fa96b6dca66a6c563ba56ca6a28199b3cbc643abb63d4cfd2416633d4ffb4eb7ea924fe42bd366a90a1ce631a
- SSDEEP
  
  6144:A8LxB60+uhQMjtesLf0s7BFy/eP5Qky1NtbS/R9asZa2YL9dpl:t+uhQMjtebozOXHSDasZar1l
Score

10^/10

remcos jimbo discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/ydejjbwlzb.dll
- Size
  
  11KB
- MD5
  
  4aaa0bb30fa44bab0f47a1e9716885ae
- SHA1
  
  1417c687522222a7229c38fd7a9ce3aab3fb56f4
- SHA256
  
  83f56b8aacf3b7c6f319457eff4dffdff68256abb3e6d1f0e50263800deea83b
- SHA512
  
  711679b85b2d3fa4648ed50ab8feed372a1fbca278f12fb1f42d7d2c9cc1e3a6d7106e6d81aaa040cf277775290cc0ef8f540f2e8ec5d1b6d0898651cbf7d9b8
- SSDEEP
  
  192:pebILwJ3Z+iilHZKlo7fpnBXTGjQC9VHlxEw:gbIc/+2lo7fl9XC9vOw
Score

10^/10

remcos jimbo discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosjimbodiscoveryrat

behavioral2

behavioral3

remcosjimbodiscoveryrat

behavioral4

remcosjimbodiscoveryrat