remcos | 6008f20f3c7af36172d3675bc509697226453bb87531e30cf96b11c6ab58d2a3 | Triage

Submit
Reports

Overview

overview

Static

static

3

NEW ORDER ...SA.exe

windows7-x64

NEW ORDER ...SA.exe

windows10-2004-x64

Sharing

General

Target

6d37f9b3dcc6c0ae8da12d65e37ef3b1.bin
Size

859KB
Sample

240408-brjeysce4t
MD5

a1063348e5d3eab469166907d57bf51e
SHA1

a316efdc68159cde7e968567efeed8c896fbe3d1
SHA256

6008f20f3c7af36172d3675bc509697226453bb87531e30cf96b11c6ab58d2a3
SHA512

25a30c0b378a68e7029716903e3cc34976dc443eb7927e4b103322da76d9f56ad2210eba34a5a54689b9e9b6903d65fe1704ba43647691a637ebf6455a68f53c
SSDEEP

24576:qXIQzYdAn5ODzzxWU5D5wyzERyxbQEiR9cuLBSQEIQ:laYYODfxHdz8y1iLcugQy

Score

10^/10

remcos remotehost collection rat spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

NEW ORDER RFQ ICPO TECNOMAT-JEAL-EN590-200KMT-RTDM+TSA.exe

Resource

win7-20240221-en

remcos remotehost collection rat spyware stealer

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

NEW ORDER RFQ ICPO TECNOMAT-JEAL-EN590-200KMT-RTDM+TSA.exe

Resource

win10v2004-20240226-en

remcos remotehost collection rat spyware stealer

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

paygateme.net:2286

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WTDTSU
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  NEW ORDER RFQ ICPO TECNOMAT-JEAL-EN590-200KMT-RTDM+TSA.bat
- Size
  
  895KB
- MD5
  
  dd172773aa5ec3bc31080bc31fce8a44
- SHA1
  
  5522deb7d315339e0d2b0dd2becb6d501e0dff2b
- SHA256
  
  da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92
- SHA512
  
  37bd970e680cd5e380d5f6044272e37782bd18f0c165af25f8c59b31b9fd29636cd43c2b9cde6bcd154dae0ee33866f3f783bab23aec8472e5db958a0ddaa588
- SSDEEP
  
  24576:UHrWUxQNBIndBEQ/13KSAvkSZ/UosqmTbIecoe:qrWUxQPOgrB8osqq8Zo
Score

10^/10

remcos remotehost collection rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostcollectionratspywarestealer

behavioral2

remcosremotehostcollectionratspywarestealer

© 2018-2024

Terms | Privacy