remcos

General

Target

234887d5171b1fc8f3c4c4ac9ed54679adeadf5e8b488f791f90c8c3dca8d2f9
Size

215KB
Sample

240417-rzwm9adh2v
MD5

b0978be8143512af304f938060c2324a
SHA1

b73395e3130bf22f0b0ef22e15036ab299f12680
SHA256

234887d5171b1fc8f3c4c4ac9ed54679adeadf5e8b488f791f90c8c3dca8d2f9
SHA512

8ed5f8416f7dad4399044b937c6797f6e43ee7750f27b8a0d584584f8cb582c002e7627db024db47fba702b95a4ef51ba083b9d837ce85cf34674501969b7305
SSDEEP

6144:VcURc5IVkXGXuBfaPxc3sH3uxutEtAqFewoBZebDDn:Vc15IVkXGXR23uoAvnGr

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

richard6474646

C2

money001.duckdns.org:9596

salwanazeeze.duckdns.org:9595

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
windows.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-UMF99C
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe
- Size
  
  233KB
- MD5
  
  c8b5bcc79120a06f16b69bcef71324ac
- SHA1
  
  75acf6d77851efc30a181ad9a78334b7c272705a
- SHA256
  
  de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252
- SHA512
  
  e8e842e78ae6ae6a395a3c30f2ae043fc33762d0ac13df6ad333dbf1c28345ca79c7c5af5f9a33e134c13db9368a4b65a3a229c3189608b05e02402632bd5a7c
- SSDEEP
  
  6144:tmvl3n8iOiB4RBucKa3h80tK2gBWvADGGw6j1:8vlX8i8RB5JvADGGnj
Score

10^/10

remcos richard6474646 collection rat spyware stealer upx
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Reads user/profile data of web browsers

UPX packed file

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2