remcos | 3a9a4d649cb72b41d0fe035a5d24c0c317463e019ab35fceca0d9a52c988642c | Triage

Submit
Reports

Overview

overview

Static

static

1

3a9a4d649c...2c.cmd

windows7-x64

1

3a9a4d649c...2c.cmd

windows10-2004-x64

Sharing

General

Target

3a9a4d649cb72b41d0fe035a5d24c0c317463e019ab35fceca0d9a52c988642c.cmd
Size

7.4MB
Sample

240324-ckbxzaah5w
MD5

606bc44bc3ce1ab5bec05a295ac81089
SHA1

d95631873a15d6bf4c031ddf70052d438f5dbd83
SHA256

3a9a4d649cb72b41d0fe035a5d24c0c317463e019ab35fceca0d9a52c988642c
SHA512

c234ea302f4c3197436beb8d21955abeb6dedf0e1439cd2330428cf40a7b21e3ef7ecd9a71823d3391b441d0b428a8e86d4606192a91db934bdf7df6982e87d0
SSDEEP

196608:l77777777777777777777777777777777777777777777777777777777777777g:u

Score

10^/10

remcos remotehost collection rat

Static task

static1

Behavioral task

behavioral1

Sample

3a9a4d649cb72b41d0fe035a5d24c0c317463e019ab35fceca0d9a52c988642c.cmd

Resource

win7-20240215-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

3a9a4d649cb72b41d0fe035a5d24c0c317463e019ab35fceca0d9a52c988642c.cmd

Resource

win10v2004-20240226-en

remcos remotehost collection rat

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

91.92.251.30:2025

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-L2QP3G
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  3a9a4d649cb72b41d0fe035a5d24c0c317463e019ab35fceca0d9a52c988642c.cmd
- Size
  
  7.4MB
- MD5
  
  606bc44bc3ce1ab5bec05a295ac81089
- SHA1
  
  d95631873a15d6bf4c031ddf70052d438f5dbd83
- SHA256
  
  3a9a4d649cb72b41d0fe035a5d24c0c317463e019ab35fceca0d9a52c988642c
- SHA512
  
  c234ea302f4c3197436beb8d21955abeb6dedf0e1439cd2330428cf40a7b21e3ef7ecd9a71823d3391b441d0b428a8e86d4606192a91db934bdf7df6982e87d0
- SSDEEP
  
  196608:l77777777777777777777777777777777777777777777777777777777777777g:u
Score

10^/10

remcos remotehost collection rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
- Detects executables built or packed with MPress PE compressor
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Blocklisted process makes network request
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

remcosremotehostcollectionrat

© 2018-2024

Terms | Privacy