remcos | 9c020f4f97c6fa58dd08d893d80442113527ef83880c0ecf2a4eb8d32a64fbab | Triage

Submit
Reports

Overview

overview

Static

static

0x00060000...35.exe

windows7-x64

0x00060000...35.exe

windows10-2004-x64

Sharing

General

Target

0x0006000000022f79-135.dat
Size

469KB
Sample

221004-nj75kabagk
MD5

def2429e8b8234c26faccdc4737f819b
SHA1

c412343ad47d1bec84df30f9ba951179bb2e78d8
SHA256

9c020f4f97c6fa58dd08d893d80442113527ef83880c0ecf2a4eb8d32a64fbab
SHA512

99d152eb4921b80763e47c9310320c1e86d9efdf0ac7ecf1cb785155cbd52bfb2a1a7d61f001a69ada561660176947ee8d69a2c780634f632c95da3a0af0203c
SSDEEP

12288:umnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSXn9:WiLJbpI7I2WhQqZ7X9

Score

10^/10

remcos new microsoft collection persistence phishing rat spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

0x0006000000022f79-135.exe

Resource

win7-20220812-en

remcos new collection persistence rat spyware stealer

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

0x0006000000022f79-135.exe

Resource

win10v2004-20220812-en

remcos new microsoft collection persistence phishing rat spyware stealer

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

NEW

C2

remcapi.duckdns.org:2028

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
FILE.EXE
copy_folder
work
delete_file
true
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-L9LQMY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
file
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  0x0006000000022f79-135.dat
- Size
  
  469KB
- MD5
  
  def2429e8b8234c26faccdc4737f819b
- SHA1
  
  c412343ad47d1bec84df30f9ba951179bb2e78d8
- SHA256
  
  9c020f4f97c6fa58dd08d893d80442113527ef83880c0ecf2a4eb8d32a64fbab
- SHA512
  
  99d152eb4921b80763e47c9310320c1e86d9efdf0ac7ecf1cb785155cbd52bfb2a1a7d61f001a69ada561660176947ee8d69a2c780634f632c95da3a0af0203c
- SSDEEP
  
  12288:umnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSXn9:WiLJbpI7I2WhQqZ7X9
Score

10^/10

remcos new collection persistence rat spyware stealer microsoft phishing
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Detected potential entity reuse from brand microsoft.
  phishing microsoft
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

remcosnewcollectionpersistenceratspywarestealer

behavioral2

remcosnewmicrosoftcollectionpersistencephishingratspywarestealer

© 2018-2024

Terms | Privacy