remcos

General

Target

16597677064.zip
Size

103.6MB
Sample

240412-b86ltafa7t
MD5

80887942c334380ab50ca66061bc11cd
SHA1

7a97549c1d1855dca197eea3f18fe6c3ede83cb0
SHA256

12ff63af0a27200b512b2fb73d0086cae611b557b4eeb3fb5b630cac9607fb7d
SHA512

6d114eaa0a5361c46522e6360d228f0547d5ebce0f4a81c5d1aa72968a787287dc6ce869fdbfbef030db6f802b54a808cbd1db27cda939899986858e7618994e
SSDEEP

3145728:4vDj1cMsv2D4i1eDSMu94/BUwEwjAlrcZU:4rRsOV1Atud1kAlAZU

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

193.142.146.21:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-24AV61
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  TAX DOCUMENTS 2/1099-MISC.inf
- Size
  
  102.1MB
- MD5
  
  db0521bd7e4b9fc803f9a900212eea02
- SHA1
  
  6c86b49b4c1e3ebcecd5376166bfe3bda6a141fa
- SHA256
  
  e95ce4146e3ffe7d5fde36340c01889f7634d6f91b92fbae1606bef9cb4a7cfb
- SHA512
  
  22d219dac43bd3200e666ef7e554584b0fd43c57c0a6dd7888dc80f71a9b5e73ba48400607205a4f1680af0ccaa197fdb1add05fc7f698e9246fe00a6a49080f
- SSDEEP
  
  3145728:96lH+byk0ZggBznCh2HCea5bQ92NmDVr9XqnZGWpg:M
Score

1^/10
behavioral1 behavioral2
- Target
  
  TAX DOCUMENTS 2/W2_2023.exe
- Size
  
  39KB
- MD5
  
  f1b14f71252de9ac763dbfbfbfc8c2dc
- SHA1
  
  dcc2dcb26c1649887f1d5ae557a000b5fe34bb98
- SHA256
  
  796ea1d27ed5825e300c3c9505a87b2445886623235f3e41258de90ba1604cd5
- SHA512
  
  636a32fb8a88a542783aa57fe047b6bca47b2bd23b41b3902671c4e9036c6dbb97576be27fd2395a988653e6b63714277873e077519b4a06cdc5f63d3c4224e0
- SSDEEP
  
  768:YRQnUhG5bZDOTpkdD82YbQkRFokFWIILPUh:FWObZDOTpk5T6zqAh
Score

10^/10

remcos remotehost rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  TAX DOCUMENTS 2/g2m.dll
- Size
  
  100.0MB
- MD5
  
  fdd7fab01cc9eb7349f24ef1dbd60721
- SHA1
  
  b749ad4a425671627562fba3a956672287ea0ac2
- SHA256
  
  5b56f1de607f06430e1207d3d4cb2f9f353be1958f48c95a55d7ce5fe1535e67
- SHA512
  
  3ccba57756e93c1ca8acc4bdace284831af299b227bc7f3f825bf193acf0bbcc8d3f382c5f497e3d167c42f69e241c3cffc0066851ca078bcc201fa5b56a47fa
- SSDEEP
  
  196608:r8u0ivGTAslgbSYBsnBho/wnBvq+4rMOblxz6qYFS1qY2aubxi58/EUxFFVszp:r8uzvfaEog+4rdbUTFVk
Score

10^/10

remcos remotehost persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral5 behavioral6