remcos

General

Target

aa48be12373eee7adb43270e7adde9a854875ceebd5c267fa6bbb79e91ce2030.rtf
Size

70KB
Sample

240316-c6x3bsab3t
MD5

cae8bb9d33e2340998ba5f75ad37f803
SHA1

75e142060680509acade4921ea417e1d438a34fd
SHA256

aa48be12373eee7adb43270e7adde9a854875ceebd5c267fa6bbb79e91ce2030
SHA512

5b5ba31eef6383798733fcb5bbbbe0b28a35b8962207b8a08c494aa18ce48cf4f296af18299b8ddff51b7d6eb07d4864b3ddf4f95bebc8c76959f8ba1e0f8d98
SSDEEP

1536:z8dfmjJH0y/OSefByvp/9/7otRf9rdO5WeIGLTlGrzYNY:z8dfW0yvDToXf9rd2WeI0RGYNY

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

107.172.31.178:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-NVSJ5U
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  aa48be12373eee7adb43270e7adde9a854875ceebd5c267fa6bbb79e91ce2030.rtf
- Size
  
  70KB
- MD5
  
  cae8bb9d33e2340998ba5f75ad37f803
- SHA1
  
  75e142060680509acade4921ea417e1d438a34fd
- SHA256
  
  aa48be12373eee7adb43270e7adde9a854875ceebd5c267fa6bbb79e91ce2030
- SHA512
  
  5b5ba31eef6383798733fcb5bbbbe0b28a35b8962207b8a08c494aa18ce48cf4f296af18299b8ddff51b7d6eb07d4864b3ddf4f95bebc8c76959f8ba1e0f8d98
- SSDEEP
  
  1536:z8dfmjJH0y/OSefByvp/9/7otRf9rdO5WeIGLTlGrzYNY:z8dfW0yvDToXf9rd2WeI0RGYNY
Score

10^/10

remcos remotehost collection persistence rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
- Detects executables built or packed with MPress PE compressor
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Blocklisted process makes network request
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2