remcos | cdd015bb970f15ec1bfaadf63e9b87d5d9e51d4c2a4ea0bb4c36575b966b09a9 | Triage

Submit
Reports

Overview

overview

Static

static

DOC142022.exe

windows7-x64

DOC142022.exe

windows10-2004-x64

Resubmissions

14/09/2022, 16:10

220914-tmlzdseedq 10

14/09/2022, 16:04

220914-th1lzsagd4 10

Sharing

Copy URL Twitter E-mail

General

Target

cfff920df51ca0e010062ea53e6ae105-sample.zip
Size

735KB
Sample

220914-th1lzsagd4
MD5

0374b1d3dceae598d69695ecc7003e93
SHA1

a2f20255e792264d58284a4676f7e10fc9ce3f69
SHA256

cdd015bb970f15ec1bfaadf63e9b87d5d9e51d4c2a4ea0bb4c36575b966b09a9
SHA512

a77eeed0e19b3f96d9bc0610502c96b5dd211933fcf892c1f640374ae41c49367b120bc52cc64be18b3603cbc579fcd2f72e188df5d20a54992c093ea6952cea
SSDEEP

12288:K2Ppb05uXfto3bc9msbpaSf216vcOIxuWeuPwVAp/2MYS6Jhyg89qmZPLQiJ2YmR:K2Y5OfIbBsBr1jWeuoVeoygxIPLf0JVL

Score

10^/10

remcos remotehost rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

DOC142022.exe

Resource

win7-20220812-en

remcos remotehost rat spyware stealer

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

DOC142022.exe

Resource

win10v2004-20220812-en

remcos remotehost rat spyware stealer

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

hendersonk1.hopto.org:2404

henderson1.camdvr.org:2404

centplus1.serveftp.com:2404

harrywlike.ddns.net:2404

genekol.nsupdate.info:2404

harrywlike1.ddns.net:2404

hendersonk2022.hopto.org:2404

genekol1.nsupdate.info:2404

generem.camdvr.org:2404

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
sonic.exe
copy_folder
yakkk
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
chrome
keylog_path
%AppData%
mouse_option
false
mutex
gsgjdwg-ZS6D2R
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
fuckuuuuu
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Targets

- Target
  
  DOC142022.exe
- Size
  
  1.9MB
- MD5
  
  c9ce608e838b99094bd69a506ae37396
- SHA1
  
  a1046c7515f52ee2b3698435846624a7059c299b
- SHA256
  
  851d8f137eed8081c52a9da90b1dfce86b710adb03c330bc43c9c54ea820bfd7
- SHA512
  
  cf1fe67c217f20138d0c789ff35c2cbd2736e7d3dff7d6a105664a48d0e13bc8a3e68c3af66b9e7bb9f33f75bb075f4e499348290f3603c2af34abe5685b3513
- SSDEEP
  
  24576:HV66mN6m96mV6mz6mb6ml6mC6mj6mcD6mE6mGbFsVB7auPOzUBS:wD7HhJjQ9SDeUsFOA
Score

10^/10

remcos remotehost rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Downloads MZ/PE file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostratspywarestealer

behavioral2

remcosremotehostratspywarestealer

© 2018-2025

Terms | Privacy