remcos

General

Target

52b32ac1009f5633f0dee6a2305af7ccdf99c726c4757fa2bca6a0ea212d720f.xlsx
Size

49KB
Sample

240319-cthf4sff2t
MD5

fef0c51aa0af0361b8dec099ed5bafa1
SHA1

94ca3c3802f4d2c28f9ef911821efae63d1d9d33
SHA256

52b32ac1009f5633f0dee6a2305af7ccdf99c726c4757fa2bca6a0ea212d720f
SHA512

53a37c375f74b77da1d77dec9183a204d47b9962ad7c03cfebe8d0a9479b8badf17d24c8a8d2346824f7d63d51a42d09a729af2ebc604197e77946c0d99744e3
SSDEEP

768:yXyBP0/kns9iP95hIlMURQIksJW9TUCV96sIbGLRtdN+/fIFagZHTB6p:yX68/ks9iP9TILWIhJWmFCVjWfIIqTB

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

grinbush.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-XSGZ1O
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  52b32ac1009f5633f0dee6a2305af7ccdf99c726c4757fa2bca6a0ea212d720f.xlsx
- Size
  
  49KB
- MD5
  
  fef0c51aa0af0361b8dec099ed5bafa1
- SHA1
  
  94ca3c3802f4d2c28f9ef911821efae63d1d9d33
- SHA256
  
  52b32ac1009f5633f0dee6a2305af7ccdf99c726c4757fa2bca6a0ea212d720f
- SHA512
  
  53a37c375f74b77da1d77dec9183a204d47b9962ad7c03cfebe8d0a9479b8badf17d24c8a8d2346824f7d63d51a42d09a729af2ebc604197e77946c0d99744e3
- SSDEEP
  
  768:yXyBP0/kns9iP95hIlMURQIksJW9TUCV96sIbGLRtdN+/fIFagZHTB6p:yX68/ks9iP9TILWIhJWmFCVjWfIIqTB
Score

10^/10

remcos remotehost collection persistence rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
- Detects executables built or packed with MPress PE compressor
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Blocklisted process makes network request
- Abuses OpenXML format to download file from external location
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2