remcos | 916e8104ac98f49c5639ad117f1e778beec15b6cfabdfa102e00fda205d0241c | Triage

Submit
Reports

Overview

overview

Static

static

1

asdasd.html

windows7-x64

asdasd.html

windows10-2004-x64

Sharing

General

Target

asdasd.html
Size

1.8MB
Sample

240423-fc6ddsdb9t
MD5

cb2670db598dc2a02b24d4d5d61438db
SHA1

50efd6135dfdc8d012c29821c403ad44b15c9bfc
SHA256

916e8104ac98f49c5639ad117f1e778beec15b6cfabdfa102e00fda205d0241c
SHA512

ae1696930dbd1616e6f6d143f0fe6ac12b6e6eb0e16f103ed1358d57f0b4aa7a69764062585d7dae6d21674e18c66a8a94d0c58c43b55c48b6b8c944f1e34a38
SSDEEP

768:f9rfcB8AGy9eGe2ujmLOOuWqQJHsVNrh8a+HQeOnAj0BqgpMSw:s8AGoeGe2TLSWbJHsVNrhR3u0Bhm

Score

10^/10

remcos feb2024 collection persistence rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

asdasd.html

Resource

win7-20240221-en

remcos feb2024 collection persistence rat spyware stealer

windows7-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

asdasd.html

Resource

win10v2004-20240412-en

remcos feb2024 collection persistence rat spyware stealer

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

FEB2024

C2

45.144.214.27:8973

45.144.214.27:8974

plunder.jumpingcrab.com:8973

rem.webredirect.org:8973

rem.webredirect.org:8974

plunder.dedyn.io:8974

plunder.dedyn.io:8973

plunder.jumpingcrab.com:8974

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
DFG
mouse_option
false
mutex
DFN34-K1WBCP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  asdasd.html
- Size
  
  1.8MB
- MD5
  
  cb2670db598dc2a02b24d4d5d61438db
- SHA1
  
  50efd6135dfdc8d012c29821c403ad44b15c9bfc
- SHA256
  
  916e8104ac98f49c5639ad117f1e778beec15b6cfabdfa102e00fda205d0241c
- SHA512
  
  ae1696930dbd1616e6f6d143f0fe6ac12b6e6eb0e16f103ed1358d57f0b4aa7a69764062585d7dae6d21674e18c66a8a94d0c58c43b55c48b6b8c944f1e34a38
- SSDEEP
  
  768:f9rfcB8AGy9eGe2ujmLOOuWqQJHsVNrh8a+HQeOnAj0BqgpMSw:s8AGoeGe2TLSWbJHsVNrhR3u0Bhm
Score

10^/10

remcos feb2024 collection persistence rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

remcosfeb2024collectionpersistenceratspywarestealer

behavioral2

remcosfeb2024collectionpersistenceratspywarestealer

© 2018-2024

Terms | Privacy