remcos

General

Target

b27ccf7bb556e1f332c8feb3a12f6f3c4b0ba949c059cdc3a1bdd416fb87921e.exe
Size

1.3MB
Sample

240523-ccmdqshg23
MD5

60561cff1dee1f6bab79d28ab8a84dc3
SHA1

abd6f2841675755c088b4d70dee090225caa73db
SHA256

b27ccf7bb556e1f332c8feb3a12f6f3c4b0ba949c059cdc3a1bdd416fb87921e
SHA512

ab073292660e415fbc8181fe7fefb83c3cdb92531fd4812742f7143dc31a75f1ab8b0e72279d02ffef137956502aa5c13a8e78ed1894ffd648de74b11c946fff
SSDEEP

24576:4Mbni723L73/gXFxoYXpmTvCkV0uf5ZmH1OvAwP0Cwbn:43a3L73ou7vCkCua1RwML

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

104.250.180.178:7902

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Microsoft .exe
copy_folder
Microsoft
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Microsoft -QUCX7D
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  b27ccf7bb556e1f332c8feb3a12f6f3c4b0ba949c059cdc3a1bdd416fb87921e.exe
- Size
  
  1.3MB
- MD5
  
  60561cff1dee1f6bab79d28ab8a84dc3
- SHA1
  
  abd6f2841675755c088b4d70dee090225caa73db
- SHA256
  
  b27ccf7bb556e1f332c8feb3a12f6f3c4b0ba949c059cdc3a1bdd416fb87921e
- SHA512
  
  ab073292660e415fbc8181fe7fefb83c3cdb92531fd4812742f7143dc31a75f1ab8b0e72279d02ffef137956502aa5c13a8e78ed1894ffd648de74b11c946fff
- SSDEEP
  
  24576:4Mbni723L73/gXFxoYXpmTvCkV0uf5ZmH1OvAwP0Cwbn:43a3L73ou7vCkCua1RwML
Score

10^/10

remcos remotehost collection rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
- Detects executables built or packed with MPress PE compressor
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects executables built or packed with MPress PE compressor

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2