remcos

General

Target

ad4c85f8557f27d634c576983d359095dba4fd7a7f2e614ec6615109d106ce9e
Size

993KB
Sample

240418-bn2r5agb9s
MD5

1d8293e3afb0f662daa9cb98f261b242
SHA1

fc360154f0ecf671a51cc98477b784cb8931957f
SHA256

ad4c85f8557f27d634c576983d359095dba4fd7a7f2e614ec6615109d106ce9e
SHA512

be20420bc2ea105d67e7564485f3a29266091eafa7904e3bd2e1552eea98be19a44a78974c1d0a4d4bc9c33e1ef04cde1752941712e8350ff65914c60d1ad495
SSDEEP

24576:vym/SbQP4ZuM15cTGdwAXImx0cvlG6kNGgGXAe7ZtVx:vy6SbQP4ZuMcpYIwv7kAweTVx

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

176.31.142.221:7769

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-QLWO0M
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  ad4c85f8557f27d634c576983d359095dba4fd7a7f2e614ec6615109d106ce9e
- Size
  
  993KB
- MD5
  
  1d8293e3afb0f662daa9cb98f261b242
- SHA1
  
  fc360154f0ecf671a51cc98477b784cb8931957f
- SHA256
  
  ad4c85f8557f27d634c576983d359095dba4fd7a7f2e614ec6615109d106ce9e
- SHA512
  
  be20420bc2ea105d67e7564485f3a29266091eafa7904e3bd2e1552eea98be19a44a78974c1d0a4d4bc9c33e1ef04cde1752941712e8350ff65914c60d1ad495
- SSDEEP
  
  24576:vym/SbQP4ZuM15cTGdwAXImx0cvlG6kNGgGXAe7ZtVx:vy6SbQP4ZuMcpYIwv7kAweTVx
Score

10^/10

remcos remotehost collection rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
- Detects executables built or packed with MPress PE compressor
- Detects executables packed with SmartAssembly
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2