remcos

General

Target

0261fed357c70402ceff41bb9a99864ccde4e974df81f45aa9fbbc2396baf083
Size

670KB
Sample

240329-vrwj3adc6s
MD5

7435178510834691047d363934de1a4c
SHA1

da1bf2234fcd6621cf10b82387a78a5e13a13dce
SHA256

0261fed357c70402ceff41bb9a99864ccde4e974df81f45aa9fbbc2396baf083
SHA512

ce09fb228ade6b98fc74c65754e6dc2efa594f3e263d652299ba5887e6ae3859c80899e9b586828733eb817682a321910a95ce0676a1bf5c33f0968ed2812c05
SSDEEP

12288:Vpwiapd/PNMdUhTvaqOyXTzGtdMV6SaHFCy/9mKLE+389unzu:VaetdMV6oR5B6u

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

Special

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
lonjoup.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
lpereits-FZGND0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  0261fed357c70402ceff41bb9a99864ccde4e974df81f45aa9fbbc2396baf083
- Size
  
  670KB
- MD5
  
  7435178510834691047d363934de1a4c
- SHA1
  
  da1bf2234fcd6621cf10b82387a78a5e13a13dce
- SHA256
  
  0261fed357c70402ceff41bb9a99864ccde4e974df81f45aa9fbbc2396baf083
- SHA512
  
  ce09fb228ade6b98fc74c65754e6dc2efa594f3e263d652299ba5887e6ae3859c80899e9b586828733eb817682a321910a95ce0676a1bf5c33f0968ed2812c05
- SSDEEP
  
  12288:Vpwiapd/PNMdUhTvaqOyXTzGtdMV6SaHFCy/9mKLE+389unzu:VaetdMV6oR5B6u
Score

10^/10

remcos special persistence rat collection
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
- Detects executables built or packed with MPress PE compressor
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Caperer53.Lef45
- Size
  
  57KB
- MD5
  
  739a420735daf9c434c756c1984e3d54
- SHA1
  
  0825b86f5e7248cd72f0d58bde9408d8e011dc25
- SHA256
  
  66ccb889a20846680fe0ed722f96e1d518a3f87c9ddcff10a03a73ee9bc28bce
- SHA512
  
  54f6ec87d9311e57c0faf9476682239299d3f36269e715bf875d0fc1007318382e993b03b247d0fd235bc69cff0a7f4f841af10f0023abe540df076838efaeb3
- SSDEEP
  
  1536:aJ7i6VB/mes3JScK+kV695oz15T7rX/Z/D+uK:aJ79VZmeGNVv27rX/MV
Score

8^/10

persistence
- Modifies Installed Components in the registry
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4