remcos | 7038b1250cc9380861d92e721d364cb844459f87ecc3fe002b59e97d35926dfa | Triage

Submit
Reports

Overview

overview

Static

static

3

RFQ NO- S7...ER.exe

windows7-x64

RFQ NO- S7...ER.exe

windows10-2004-x64

Sharing

General

Target

RFQ NO- S70-23Q-147400000789975DXT-CS-P-0730RDER.bat
Size

899KB
Sample

240416-jg4l5sed4z
MD5

817fca5933074f2986f443434eb861ad
SHA1

25824f6d451f727d5dddc8d64bc6a37f1d99ab1b
SHA256

7038b1250cc9380861d92e721d364cb844459f87ecc3fe002b59e97d35926dfa
SHA512

642266711556432953c69f6422785aad79d0e38d5c405efea4e9b79cfea35e648bed9059c6430bd8a34e59f3dd4389de37b1e1aa130c00557baf54e8f8ca8fc7
SSDEEP

24576:QQxpv7BpjHfIhWvtLp3UevtyA6Qk5aX7:rpv7b/IkttUyyo

Score

10^/10

remcos remotehost collection rat spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

RFQ NO- S70-23Q-147400000789975DXT-CS-P-0730RDER.exe

Resource

win7-20240221-en

remcos remotehost collection rat spyware stealer

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

RFQ NO- S70-23Q-147400000789975DXT-CS-P-0730RDER.exe

Resource

win10v2004-20240412-en

remcos remotehost collection rat spyware stealer

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

paygateme.net:2286

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WTDTSU
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  RFQ NO- S70-23Q-147400000789975DXT-CS-P-0730RDER.bat
- Size
  
  899KB
- MD5
  
  817fca5933074f2986f443434eb861ad
- SHA1
  
  25824f6d451f727d5dddc8d64bc6a37f1d99ab1b
- SHA256
  
  7038b1250cc9380861d92e721d364cb844459f87ecc3fe002b59e97d35926dfa
- SHA512
  
  642266711556432953c69f6422785aad79d0e38d5c405efea4e9b79cfea35e648bed9059c6430bd8a34e59f3dd4389de37b1e1aa130c00557baf54e8f8ca8fc7
- SSDEEP
  
  24576:QQxpv7BpjHfIhWvtLp3UevtyA6Qk5aX7:rpv7b/IkttUyyo
Score

10^/10

remcos remotehost collection rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostcollectionratspywarestealer

behavioral2

remcosremotehostcollectionratspywarestealer

© 2018-2024

Terms | Privacy