remcos

General

Target

6c7572f38ec5853112211eb940751b660538d61f67ae8097c8435991768af98f.exe
Size

1.5MB
Sample

240522-vtbyfaac4x
MD5

a01dc98fbbd12e4e5ed0a3aa2ab17621
SHA1

e556895217266e277aeff6bd21c8cf8f151e532a
SHA256

6c7572f38ec5853112211eb940751b660538d61f67ae8097c8435991768af98f
SHA512

36f777efc025eecdb06f5f86fd96a808ac91d949ababbd08ec7dd3560507fcb9aea974e253cd49650b6c35111f0f3fb7b13efc43bc925673e33055e7204ecbbc
SSDEEP

24576:mTD/rj1i8Lf0156tsPlSd+uqp9I1ioX/T9d9YrJFoi7+FxkQBRGprqH0R:M8g0Gd+1BoPTjurEiMxzHGtqi

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

Protected

C2

janbours92harbu01.duckdns.org:3980

janbours92harbu01.duckdns.org:3981

janbours92harbu02.duckdns.org:3980

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
kajsoiestc.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
aksoiestgb-1YOAXH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  6c7572f38ec5853112211eb940751b660538d61f67ae8097c8435991768af98f.exe
- Size
  
  1.5MB
- MD5
  
  a01dc98fbbd12e4e5ed0a3aa2ab17621
- SHA1
  
  e556895217266e277aeff6bd21c8cf8f151e532a
- SHA256
  
  6c7572f38ec5853112211eb940751b660538d61f67ae8097c8435991768af98f
- SHA512
  
  36f777efc025eecdb06f5f86fd96a808ac91d949ababbd08ec7dd3560507fcb9aea974e253cd49650b6c35111f0f3fb7b13efc43bc925673e33055e7204ecbbc
- SSDEEP
  
  24576:mTD/rj1i8Lf0156tsPlSd+uqp9I1ioX/T9d9YrJFoi7+FxkQBRGprqH0R:M8g0Gd+1BoPTjurEiMxzHGtqi
Score

10^/10

remcos protected collection evasion execution rat trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Looks for VirtualBox Guest Additions in registry
  evasion
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Windows security modification
  evasion trojan
- Accesses Microsoft Outlook accounts
  collection
- Checks whether UAC is enabled
  evasion trojan
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2