remcos | e3fceaabe401036d5b259a767747f86c6563db8d122c87e70506ce84ad622638 | Triage

Submit
Reports

Overview

overview

Static

static

PO.exe

windows7_x64

PO.exe

windows10_x64

Sharing

General

Target

PO.exe
Size

167KB
Sample

210119-97hfas8h7n
MD5

b83b2773148e40f003ffd62920a88ab1
SHA1

c738d07984d406be0aa87d36eae86e7fa81f68b7
SHA256

e3fceaabe401036d5b259a767747f86c6563db8d122c87e70506ce84ad622638
SHA512

eb2b4286611d6515b72cafdef2c7f73626f86b73060d424862df6e9a5ff5fe29159ea6bb39e501a943e500d8404aecedaf5be07fe40aa49e5952e931895efa2e

Score

10^/10

remcos persistence rat spyware

Static task

static1

Behavioral task

behavioral1

Sample

PO.exe

Resource

win7v20201028

remcos persistence rat spyware

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PO.exe

Resource

win10v20201028

remcos persistence rat spyware

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

remcos

C2

eileenwmsscm.duckdns.org:2558

Targets

- Target
  
  PO.exe
- Size
  
  167KB
- MD5
  
  b83b2773148e40f003ffd62920a88ab1
- SHA1
  
  c738d07984d406be0aa87d36eae86e7fa81f68b7
- SHA256
  
  e3fceaabe401036d5b259a767747f86c6563db8d122c87e70506ce84ad622638
- SHA512
  
  eb2b4286611d6515b72cafdef2c7f73626f86b73060d424862df6e9a5ff5fe29159ea6bb39e501a943e500d8404aecedaf5be07fe40aa49e5952e931895efa2e
Score

10^/10

remcos persistence rat spyware
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

remcospersistenceratspyware

behavioral2

remcospersistenceratspyware

© 2018-2024

Terms | Privacy