remcos

General

Target

f3050a3a335d79e31e55dcc7da2da1a672593433058cbb3e325dde599cc11b1c.exe
Size

3.6MB
Sample

240502-csxveage65
MD5

cf7bc3c744eedf62ec6452c1ab170b51
SHA1

d1b669631370863da9ac7b01bc3881ff4b506f18
SHA256

f3050a3a335d79e31e55dcc7da2da1a672593433058cbb3e325dde599cc11b1c
SHA512

141ec775ef5676144f8b7470cd08795589e1eb67031ed8235a846013014028747b1a8d0ade054a6b2db200b8d6a30d55d4c651943b4b2471eda5a6ee4a91ed61
SSDEEP

49152:lp98Mq2HVhvxG9I1EBn1SdaVY6kqjpr33J7cXdn7jc7QBip7aF2M2/j8e3KEggFm:lR1h2qaVnkM3eeQY2Fgxt++IY404

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RDEC

C2

64.188.18.137:1604

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-VI2QU3
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  f3050a3a335d79e31e55dcc7da2da1a672593433058cbb3e325dde599cc11b1c.exe
- Size
  
  3.6MB
- MD5
  
  cf7bc3c744eedf62ec6452c1ab170b51
- SHA1
  
  d1b669631370863da9ac7b01bc3881ff4b506f18
- SHA256
  
  f3050a3a335d79e31e55dcc7da2da1a672593433058cbb3e325dde599cc11b1c
- SHA512
  
  141ec775ef5676144f8b7470cd08795589e1eb67031ed8235a846013014028747b1a8d0ade054a6b2db200b8d6a30d55d4c651943b4b2471eda5a6ee4a91ed61
- SSDEEP
  
  49152:lp98Mq2HVhvxG9I1EBn1SdaVY6kqjpr33J7cXdn7jc7QBip7aF2M2/j8e3KEggFm:lR1h2qaVnkM3eeQY2Fgxt++IY404
Score

10^/10

remcos rdec collection rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
- Detects executables built or packed with MPress PE compressor
- Detects executables packed with or use KoiVM
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects executables built or packed with MPress PE compressor

Detects executables packed with or use KoiVM

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2