remcos

General

Target

a1f0f4676e135cc88ab8b6a25c70530fa193b1718bd2ba7b6ac1c997c241f6c8.exe
Size

483KB
Sample

240405-b1nq2ahc99
MD5

c16b61d355597e973962354a54d9105a
SHA1

418f9f2d76cc53b40f6f7321f93bff947af7a699
SHA256

a1f0f4676e135cc88ab8b6a25c70530fa193b1718bd2ba7b6ac1c997c241f6c8
SHA512

9e4ede43e4cce4a0312cb52a795bf04bf75b7f5c8dfd837f47d86968db11febc92434d1aa71d88e785d3e99e12a99d997ce0edc9061fe2b380f82d03f7c7071e
SSDEEP

6144:aXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZDAXYcNH5Gv:aX7tPMK8ctGe4Dzl4h2QnuPs/ZDicv

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

jansuri.kozow.com:7232

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-3XBWOL
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  a1f0f4676e135cc88ab8b6a25c70530fa193b1718bd2ba7b6ac1c997c241f6c8.exe
- Size
  
  483KB
- MD5
  
  c16b61d355597e973962354a54d9105a
- SHA1
  
  418f9f2d76cc53b40f6f7321f93bff947af7a699
- SHA256
  
  a1f0f4676e135cc88ab8b6a25c70530fa193b1718bd2ba7b6ac1c997c241f6c8
- SHA512
  
  9e4ede43e4cce4a0312cb52a795bf04bf75b7f5c8dfd837f47d86968db11febc92434d1aa71d88e785d3e99e12a99d997ce0edc9061fe2b380f82d03f7c7071e
- SSDEEP
  
  6144:aXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZDAXYcNH5Gv:aX7tPMK8ctGe4Dzl4h2QnuPs/ZDicv
Score

10^/10

remcos remotehost collection rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
- Detects executables built or packed with MPress PE compressor
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects executables built or packed with MPress PE compressor

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2