remcos | 828c067539368aee17656ddb7d1c95f9567d7f2bd80b876cabbeed104556f98b | Triage

Submit
Reports

Overview

overview

Static

static

1

d34424d4ff...cf.rtf

windows7-x64

d34424d4ff...cf.rtf

windows10-2004-x64

1

Sharing

General

Target

d34424d4ff9030116dedad2314fabbcf.rtf
Size

27KB
Sample

230607-fejbmshd7x
MD5

d34424d4ff9030116dedad2314fabbcf
SHA1

e8f114e73f8f856483d652344b4ba9334e5b0a14
SHA256

828c067539368aee17656ddb7d1c95f9567d7f2bd80b876cabbeed104556f98b
SHA512

261455fc69be967af26b3158fa606b07045adee3009c2719005bc359568652d30566066c3e87d1d1854298de746b3de3ec5622d5c2f4287af46522eee9876018
SSDEEP

384:6XbGESBab/Y3lb3JBe8o6enzwWC1orexFp2L+3+FEgTrNuHbMU+DUf/wMY/K2Qeg:ofSBx3DenzwWWoafmi/+r4HbrRb2Q75

Score

10^/10

remcos remotehost collection rat

Static task

static1

Behavioral task

behavioral1

Sample

d34424d4ff9030116dedad2314fabbcf.rtf

Resource

win7-20230220-en

remcos remotehost collection rat

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

d34424d4ff9030116dedad2314fabbcf.rtf

Resource

win10v2004-20230220-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

divdemoce.duckdns.org:35639

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
dtas.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Rmc-GZATCK
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  d34424d4ff9030116dedad2314fabbcf.rtf
- Size
  
  27KB
- MD5
  
  d34424d4ff9030116dedad2314fabbcf
- SHA1
  
  e8f114e73f8f856483d652344b4ba9334e5b0a14
- SHA256
  
  828c067539368aee17656ddb7d1c95f9567d7f2bd80b876cabbeed104556f98b
- SHA512
  
  261455fc69be967af26b3158fa606b07045adee3009c2719005bc359568652d30566066c3e87d1d1854298de746b3de3ec5622d5c2f4287af46522eee9876018
- SSDEEP
  
  384:6XbGESBab/Y3lb3JBe8o6enzwWC1orexFp2L+3+FEgTrNuHbMU+DUf/wMY/K2Qeg:ofSBx3DenzwWWoafmi/+r4HbrRb2Q75
Score

10^/10

remcos remotehost collection rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

remcosremotehostcollectionrat

behavioral2

© 2018-2024

Terms | Privacy