remcos

General

Target

68320a706dc4655035ad76142783a4d4a3724e0bd79262dac29cced5bbc0f077.exe
Size

483KB
Sample

240521-bn8knsde36
MD5

2decc2e45682d4d0ebb556e18bc519d2
SHA1

0f20f266f2628a69f95f43de8ea273448cebacfe
SHA256

68320a706dc4655035ad76142783a4d4a3724e0bd79262dac29cced5bbc0f077
SHA512

ad9e80878e353a74c25a8cb91464f6b41b79bb8b26f0cb6dd99e82fc82deea3655f28a86c39c2d9b7590086883fd5229eb48062a12ae3328ffb552e79a189691
SSDEEP

6144:6XIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZDAXYcNS5Gv:6X7tPMK8ctGe4Dzl4h2QnuPs/ZDbcv

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

New

C2

manxzas12.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-H8QJD6
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  68320a706dc4655035ad76142783a4d4a3724e0bd79262dac29cced5bbc0f077.exe
- Size
  
  483KB
- MD5
  
  2decc2e45682d4d0ebb556e18bc519d2
- SHA1
  
  0f20f266f2628a69f95f43de8ea273448cebacfe
- SHA256
  
  68320a706dc4655035ad76142783a4d4a3724e0bd79262dac29cced5bbc0f077
- SHA512
  
  ad9e80878e353a74c25a8cb91464f6b41b79bb8b26f0cb6dd99e82fc82deea3655f28a86c39c2d9b7590086883fd5229eb48062a12ae3328ffb552e79a189691
- SSDEEP
  
  6144:6XIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZDAXYcNS5Gv:6X7tPMK8ctGe4Dzl4h2QnuPs/ZDbcv
Score

10^/10

collection spyware stealer remcos new rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
- Detects executables built or packed with MPress PE compressor
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects executables built or packed with MPress PE compressor

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2