remcos

General

Target

Automann- Order2#44096882.docx.doc
Size

223KB
Sample

230602-k97pyaag49
MD5

6289f704ef31176ffb10651e49aaec23
SHA1

39d2546f846c3289cda8ed8bd4f29d6605185bd9
SHA256

4b172b60f17d77d8823fa4ca37a01908102b0bd8caaf181dc2279bb99a292ec4
SHA512

deeeb1f625fe1b91873924f1ae6833b6e897d45d9b2d00df2e673fd971e9845a020f0c3564ebb3def4c1e20c6654a58dc77fc2e122b6fc01e999e45a5f8ea4a8
SSDEEP

6144:bkt6V6sxlSg/fO32zNOBb1SSAP0LKIQIPbR6w6Vab6W:It6V6sj/flzMpAP0LKILPV6w6sb6W

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

divdemoce.duckdns.org:35639

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
dtas.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Rmc-GZATCK
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Automann- Order2#44096882.docx.doc
- Size
  
  223KB
- MD5
  
  6289f704ef31176ffb10651e49aaec23
- SHA1
  
  39d2546f846c3289cda8ed8bd4f29d6605185bd9
- SHA256
  
  4b172b60f17d77d8823fa4ca37a01908102b0bd8caaf181dc2279bb99a292ec4
- SHA512
  
  deeeb1f625fe1b91873924f1ae6833b6e897d45d9b2d00df2e673fd971e9845a020f0c3564ebb3def4c1e20c6654a58dc77fc2e122b6fc01e999e45a5f8ea4a8
- SSDEEP
  
  6144:bkt6V6sxlSg/fO32zNOBb1SSAP0LKIQIPbR6w6Vab6W:It6V6sj/flzMpAP0LKILPV6w6sb6W
Score

10^/10

remcos remotehost collection discovery rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2