remcos

General

Target

16573267458.zip
Size

103.4MB
Sample

240411-c3m3ysdc4s
MD5

2fff95aa3a040176b8164474a7b5476f
SHA1

a9fd1efc86de140c6fff51b64581deeb98a494f8
SHA256

3f0e07fc6345cc179b7571de8b9fb2bfee2f9bef92a4ec224b4e034cd49e697f
SHA512

9ba17cde95c39b06a7547f310c0c4d0329cb4dfce00f8ebc83f905a9deb48a1115eb7555fea9ddc5cbbfe69027af20b1bb8646c7af4fec66818130d12c534192
SSDEEP

3145728:V4THTqJkldBUEiVrMJ9aNuHDAiCaJbzour:yT0WdBUEbJ9aEHsiCwbzour

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

flysafemyguy.duckdns.org:4047

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-872KQZ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  InstallerAPI.inf
- Size
  
  102.1MB
- MD5
  
  db0521bd7e4b9fc803f9a900212eea02
- SHA1
  
  6c86b49b4c1e3ebcecd5376166bfe3bda6a141fa
- SHA256
  
  e95ce4146e3ffe7d5fde36340c01889f7634d6f91b92fbae1606bef9cb4a7cfb
- SHA512
  
  22d219dac43bd3200e666ef7e554584b0fd43c57c0a6dd7888dc80f71a9b5e73ba48400607205a4f1680af0ccaa197fdb1add05fc7f698e9246fe00a6a49080f
- SSDEEP
  
  3145728:96lH+byk0ZggBznCh2HCea5bQ92NmDVr9XqnZGWpg:M
Score

1^/10
behavioral1 behavioral2
- Target
  
  Tax Organizer.exe
- Size
  
  39KB
- MD5
  
  f1b14f71252de9ac763dbfbfbfc8c2dc
- SHA1
  
  dcc2dcb26c1649887f1d5ae557a000b5fe34bb98
- SHA256
  
  796ea1d27ed5825e300c3c9505a87b2445886623235f3e41258de90ba1604cd5
- SHA512
  
  636a32fb8a88a542783aa57fe047b6bca47b2bd23b41b3902671c4e9036c6dbb97576be27fd2395a988653e6b63714277873e077519b4a06cdc5f63d3c4224e0
- SSDEEP
  
  768:YRQnUhG5bZDOTpkdD82YbQkRFokFWIILPUh:FWObZDOTpk5T6zqAh
Score

10^/10

remcos remotehost persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  g2m.dll
- Size
  
  100.0MB
- MD5
  
  448de2bbd26b3dd436ad590497c36779
- SHA1
  
  595f23c3e5ace472e888bd429107f901cd230d0b
- SHA256
  
  4bcaba254171a6aed68dc2c893207b1f5ad3c2d2a650ff18a4d2d1cd0c7f0ed6
- SHA512
  
  c747a4d02108fb07e5f967b50a912a181e8f9b664f47d22a6ac0ee785144e272c133bfbfea97d61d53396dd42158fb308c5452575a3d01d02ac06d759d52dbb6
- SSDEEP
  
  196608:Mx0ivGTAslgbSYBsnBho/wnBvq+4rMOblxz6qYFS1qY2aubxi58/EUxFFVsv:MxzvfaEog+4rdbUTFVI
Score

10^/10

remcos remotehost persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral5 behavioral6