remcos | 74b7cbd3c66d01a6e25ccbe17375138c6a32699c61bf170e18ffecd6ebd55237 | Triage

Submit
Reports

Overview

overview

Static

static

1

96bd8f3d1b...b5.rtf

windows7-x64

96bd8f3d1b...b5.rtf

windows10-2004-x64

1

Sharing

General

Target

96bd8f3d1b8badd184f3b8de29a26ab5.rtf
Size

73KB
Sample

240416-t1cymsgd9z
MD5

96bd8f3d1b8badd184f3b8de29a26ab5
SHA1

5bbf4c72f5d2adc0348ac73cc1f70608dd1d554b
SHA256

74b7cbd3c66d01a6e25ccbe17375138c6a32699c61bf170e18ffecd6ebd55237
SHA512

dd8d1208f1954b24f5d2becfafa0ae27824a449486e946e6500a04c23c671a2ebb633b4c6808881003164aec027bd40801093d2b82e8e70f82408be5a2929847
SSDEEP

768:pAkZM0MJPzLsiO293TlJwfhlP528HODEmG0leH18pjHFhV6xjSiUv3TknfBbEGfF:6kZPMhEE2hpfHcEmxleShF2oPIfBbT

Score

10^/10

remcos remotehost collection persistence rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

96bd8f3d1b8badd184f3b8de29a26ab5.rtf

Resource

win7-20231129-en

remcos remotehost collection persistence rat spyware stealer

windows7-x64

23 signatures

150 seconds

Behavioral task

behavioral2

Sample

96bd8f3d1b8badd184f3b8de29a26ab5.rtf

Resource

win10v2004-20240412-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

ezege.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-IVESQI
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  96bd8f3d1b8badd184f3b8de29a26ab5.rtf
- Size
  
  73KB
- MD5
  
  96bd8f3d1b8badd184f3b8de29a26ab5
- SHA1
  
  5bbf4c72f5d2adc0348ac73cc1f70608dd1d554b
- SHA256
  
  74b7cbd3c66d01a6e25ccbe17375138c6a32699c61bf170e18ffecd6ebd55237
- SHA512
  
  dd8d1208f1954b24f5d2becfafa0ae27824a449486e946e6500a04c23c671a2ebb633b4c6808881003164aec027bd40801093d2b82e8e70f82408be5a2929847
- SSDEEP
  
  768:pAkZM0MJPzLsiO293TlJwfhlP528HODEmG0leH18pjHFhV6xjSiUv3TknfBbEGfF:6kZPMhEE2hpfHcEmxleShF2oPIfBbT
Score

10^/10

remcos remotehost collection persistence rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Blocklisted process makes network request
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Exploitation for Client Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

remcosremotehostcollectionpersistenceratspywarestealer

behavioral2

© 2018-2024

Terms | Privacy