remcos | 0e9df52168fbecd2a55c82823d014c4259de65b17f508c7ffdd1f02c2e0bff67 | Triage

Submit
Reports

Overview

overview

Static

static

3

344301a6f7...49.exe

windows7-x64

344301a6f7...49.exe

windows10-2004-x64

Sharing

General

Target

0e9df52168fbecd2a55c82823d014c4259de65b17f508c7ffdd1f02c2e0bff67
Size

931KB
Sample

240417-rtbe5add9s
MD5

8614ec06a3e415b020abf3e84fe4f904
SHA1

6dd7bad8a9f2f6481e170e0ce1b353dac96c535a
SHA256

0e9df52168fbecd2a55c82823d014c4259de65b17f508c7ffdd1f02c2e0bff67
SHA512

592a13318077b64a765a6ac394cb8afe50928cb192931832c22ea09bef9441799335eb440dbb7f6a6b847b861b04cb50aa915418d95c723fda319ed7be43e934
SSDEEP

24576:YkTz35U9LIAli/kvy5I458MMYosU4soaZNoa4:Yk3y98AJanlU4KZyF

Score

10^/10

remcos remotehost collection rat spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

344301a6f73b73afd98c763519d52548b0ee3a76824d033712ddf3ec0115f549.exe

Resource

win7-20240221-en

remcos remotehost collection rat spyware stealer

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

344301a6f73b73afd98c763519d52548b0ee3a76824d033712ddf3ec0115f549.exe

Resource

win10v2004-20240412-en

remcos remotehost collection rat spyware stealer

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

paygateme.net:2286

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-BDTHCE
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  344301a6f73b73afd98c763519d52548b0ee3a76824d033712ddf3ec0115f549.exe
- Size
  
  966KB
- MD5
  
  1291a06a395fb852059a6ceb0e3eeb26
- SHA1
  
  d2817ad9ae07ebac664f4ecc73094847266592fe
- SHA256
  
  344301a6f73b73afd98c763519d52548b0ee3a76824d033712ddf3ec0115f549
- SHA512
  
  2523049d9fd6aaf796a8cef7f452379a9b875bfc047aae0bdf191f2c9eb5cb0825fb2cec2716e86834182d0c1380fd78a396bd31ad7e255d7bdfeebcf47fc21f
- SSDEEP
  
  24576:b1Dxc69WYtZlNj16hhTaQabNSXgOf5clRreL9f73Sz:b9xxrjshhTa1NOslRreL9+
Score

10^/10

remcos remotehost collection rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

remcosremotehostcollectionratspywarestealer

behavioral2

remcosremotehostcollectionratspywarestealer

© 2018-2024

Terms | Privacy