remcos | 2c21f333c677a8b04e36895489a9f128ae531274f70d1153256bf9f7b9573e04

General

Target

nw.exe
Size

648KB
MD5

4ea7c3fd0dc66ab0c86b5eb31820e67b
SHA1

16934a4b08ad89f6c07d8597bbfc7dc524b53f38
SHA256

2c21f333c677a8b04e36895489a9f128ae531274f70d1153256bf9f7b9573e04
SHA512

65734ed988cc4179e1ef5c3db5792c6bd449df06c5622d563549fc032771f7ffdfda993ee4753e16512e7ad9ebfbcd4a3d28c680d182c2e37c7833329ed47907
SSDEEP

12288:IMptJoyuAlheVmn0crLs3wajuuqg2yRI1kyE4KWYDXlk5LY6lW:PJRuAlhEWb/sAaj5D2m4KTDXloLrg

Score

10^/10

remcos qemu-ga rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

Qemu-ga

C2

185.239.237.197:443

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
3
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
true
keylog_file
CloudHost.xlm
keylog_flag
false
keylog_folder
Qemu-ga
keylog_path
%AppData%
mouse_option
false
mutex
Qemu-ga-RMACTM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1196	nw.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1196	nw.exe

C:\Users\Admin\AppData\Local\Temp\nw.exe
"C:\Users\Admin\AppData\Local\Temp\nw.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Qemu-ga\CloudHost.xlm

Filesize
228B

MD5
28818eef79d3f95821ff0135373a3b94

SHA1
9795655bc5837edf90dcaac256a2ea56e51eb29e

SHA256
0e54ba6b832bd72163455a17dcf34506e42c6cd938611ed5ab074372ae85ba51

SHA512
cad1cfe3d7bc60834aa3ca4c6199c37e12eb34b41d689c8da280ab5d473f433c5e6c016cd04801f4139ff3e0461c28a9b5f73a60912dd956e24311972177caa4

Download Submit
C:\Users\Admin\AppData\Roaming\Qemu-ga\CloudHost.xlm

Filesize
144B

MD5
59ec0b32e985057ff1b63dfe86b3509f

SHA1
bf693588a04141b0e7d0727701533c389c5cd128

SHA256
015617902d065ae29dfca02472a4cd852fc5875f269d21550e91d62ca43d134f

SHA512
6d561301e1561a01d6da0223bf0c0a3974b0accfd7733d25ad41c3f570691af4923524562da497ed7a7e863c95a341e008c5ea0cc44474ef56d0ce6990a0dc1a

Download Submit
memory/1196-75-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-83-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-59-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-60-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-61-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-62-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-65-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-66-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-70-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-71-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-72-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-73-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-54-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-57-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-58-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-80-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-77-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-81-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-82-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-78-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-87-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-88-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-92-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-93-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-99-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-100-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-56-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-111-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/1196-112-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing