remcos | 49644e61132239cc3341a322a4aa23a66f7e033f9c31784fb83284403ab798a9 | Triage

Submit
Reports

Overview

overview

Static

static

3

Camscanner...23.exe

windows10-2004-x64

Resubmissions

12/07/2023, 09:47

230712-lsla2sdg3v 10

12/07/2023, 09:38

230712-lme7vacf85 10

Sharing

General

Target

Camscanner_07_12_2023.tar.gz
Size

512KB
Sample

230712-lsla2sdg3v
MD5

264bcb37e89df1245c890664a796ba84
SHA1

00bb39b552f3a1869eff3f82e673f16d14260654
SHA256

49644e61132239cc3341a322a4aa23a66f7e033f9c31784fb83284403ab798a9
SHA512

03b799d8befc32015d59fc864c16ea8c6dc0149da07b84ade7580de975696ab9de66a9d15b3ff36984328f3b82da1f120a4f8317fa897c105c40af596b2b8212
SSDEEP

12288:EZHhLBWrr9PU8cp3iWVfvrVghgN8w2Sdo2nIe9z6ayYW2:EnAq823iWVrVl1dXnIo+/Yl

Score

10^/10

remcos remotehost collection persistence rat spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Camscanner_07_12_2023.exe

Resource

win10v2004-20230703-en

remcos remotehost collection persistence rat spyware stealer

windows10-2004-x64

23 signatures

1800 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:55434

127.0.0.1:55433

2.59.255.57:55433

2.59.255.57:55434

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-8XYYD1
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Camscanner_07_12_2023.exe
- Size
  
  658KB
- MD5
  
  4657839864de2fdebc774c49ce11fceb
- SHA1
  
  446379224b959a8f66cf0b80821841ddeb7c6f64
- SHA256
  
  d9390477af885bc6bf6f0be424afe4055c97dc7c964b4950a9337c61c4a221b2
- SHA512
  
  33d8a5f9173744eb8e8cdb0d03b509d06a5b33e4092f2114dbb72957653a9dd9645f6d7c95622b71ee122a8052a3f03b0069a6a66e8000408f186495f937ab99
- SSDEEP
  
  12288:AY5j14VWjr9dw8qd32WVfDTVgPgN8a2S1oWhIm9zosgwWCW:AYXTs8Y32WVnVtB1PhIwEFwk
Score

10^/10

remcos remotehost collection persistence rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostcollectionpersistenceratspywarestealer

© 2018-2025

Terms | Privacy