remcos | 41964d85b45d11c69b10dbf7b4f374fed97696bed426bcd3636574ba4633e8f5 | Triage

Submit
Reports

Overview

overview

Static

static

3

48ec7a51c1...cs.exe

windows7-x64

48ec7a51c1...cs.exe

windows10-2004-x64

Sharing

General

Target

48ec7a51c17cd3b0da165ea7e1f098b0_NeikiAnalytics.exe
Size

434KB
Sample

240523-d9dnjacg93
MD5

48ec7a51c17cd3b0da165ea7e1f098b0
SHA1

cef6b08aa8b45e626867be70205cd3d8d351c50f
SHA256

41964d85b45d11c69b10dbf7b4f374fed97696bed426bcd3636574ba4633e8f5
SHA512

827cf01469aaa9bf1eef2f73e86ecb71dd121546f441b25b5befc85635f51cf00c597c3fe2ad98375282a67b9b5453c1cf3e1ea9994fb46c8df76cf1992ba92b
SSDEEP

6144:d2FZs5e01wNtOvb5pkXuhSJzAPSkojvm/ZRS/DR79ez5qycfDJheh8GfwXzQ6Gx:d2FZQe01YqboNFO/ZRaN79KDc234DQ6

Score

10^/10

remcos remotehost collection rat spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

48ec7a51c17cd3b0da165ea7e1f098b0_NeikiAnalytics.exe

Resource

win7-20240419-en

remcos remotehost collection rat spyware stealer

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

48ec7a51c17cd3b0da165ea7e1f098b0_NeikiAnalytics.exe

Resource

win10v2004-20240508-en

remcos remotehost collection rat spyware stealer

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

107.173.4.16:2560

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-KDW6BI
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  48ec7a51c17cd3b0da165ea7e1f098b0_NeikiAnalytics.exe
- Size
  
  434KB
- MD5
  
  48ec7a51c17cd3b0da165ea7e1f098b0
- SHA1
  
  cef6b08aa8b45e626867be70205cd3d8d351c50f
- SHA256
  
  41964d85b45d11c69b10dbf7b4f374fed97696bed426bcd3636574ba4633e8f5
- SHA512
  
  827cf01469aaa9bf1eef2f73e86ecb71dd121546f441b25b5befc85635f51cf00c597c3fe2ad98375282a67b9b5453c1cf3e1ea9994fb46c8df76cf1992ba92b
- SSDEEP
  
  6144:d2FZs5e01wNtOvb5pkXuhSJzAPSkojvm/ZRS/DR79ez5qycfDJheh8GfwXzQ6Gx:d2FZQe01YqboNFO/ZRaN79KDc234DQ6
Score

10^/10

remcos remotehost collection rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

remcosremotehostcollectionratspywarestealer

behavioral2

remcosremotehostcollectionratspywarestealer

© 2018-2024

Terms | Privacy