remcos | aefc8dd2e95e88d5553864818b68c0ba5426b6ba0234da56d64cbfee030297a0 | Triage

Sharing

General

Target

JaffaCakes118_aefc8dd2e95e88d5553864818b68c0ba5426b6ba0234da56d64cbfee030297a0
Size

1.3MB
Sample

241230-29fpwswmd1
MD5

63983c6ccdc3bbb924d8f589edd07d02
SHA1

4512ef2acaad14e25d83d62bfa52e197bb632c45
SHA256

aefc8dd2e95e88d5553864818b68c0ba5426b6ba0234da56d64cbfee030297a0
SHA512

6ef9c0b069b581af78a0cc9c379ad917ce19c13410a43f5ea973cd30f1c7d138a89625ce77ec36000045da873dfe05fc2ba2ac9def998a9fcd58535c1d00d6b8
SSDEEP

24576:jOXHmVa2t3BCU73TcsiEI2U5xUBvxXkcgBUYRDQxSLaKfy2frmscW+EMy5D5r2t7:jRVz3CEIQKcgBTRDQ4jfB6/W+EX5r2t7

Score

10^/10

remcos grace_2021 discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

3.2.1 Pro

Botnet

Grace_2021

C2

jamaru1444.myftp.biz:2019

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
win32.exe
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-NLZOMN
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
win
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Targets

- Target
  
  b766e6f83882eeb863ead8d6da23f8725771efc97b974240eaff856f8365c041
- Size
  
  1.3MB
- MD5
  
  201ae8144aced76058811bcf23070290
- SHA1
  
  f0949cd0a1b002d70385e3ee147df20b64a8542e
- SHA256
  
  b766e6f83882eeb863ead8d6da23f8725771efc97b974240eaff856f8365c041
- SHA512
  
  8dd789fff082f4e872bf4e592ff4fab749d38cad26f543b9399d39125b8019a1f4fc957d8dc297c88fe7dd1b41eea07cadfe7492a04400c15a82a959a0ee7930
- SSDEEP
  
  24576:FyiWFOB4sNYg2yWQCsMMKSfVrgEEAhmeKKYwOIscs+mXjr6:pB4zgWQ+MFfVrg8hmxKNPs7pf
Score

10^/10

remcos grace_2021 discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosgrace_2021discoverypersistencerat

behavioral2

remcosgrace_2021discoverypersistencerat