remcos

General

Target

61fc662a678c75e1f17ee6bb00ef853c6d51bd4ae90616c8ed4995c45e96206d.exe
Size

1.3MB
Sample

240524-bq89zsga7y
MD5

a55159c7edc073d452e4fef92d247997
SHA1

d239b25b2a33a64134f11d2d2ac5c7a89e186a29
SHA256

61fc662a678c75e1f17ee6bb00ef853c6d51bd4ae90616c8ed4995c45e96206d
SHA512

5189f51ce0f90a71e86e53ea23d564d796536c45db8c8f4a11e75947bb4fc0d2489c83899e4a8e8b81504007ccad7a05dc8ac02b0d47a52ea565396a27c5e8b3
SSDEEP

24576:AP+g7Wy3xfMZKdcKtTjbJ4jEEEEEEEEEEEEEEEEEEEETKKKKKKKKKKKKKKKKKKK7:A/iy3g6TjbIEEEEEEEEEEEEEEEEEEEE+

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

FmGlobal

C2

royaldachpharmacy.duckdns.org:6395

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
services.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-GRT17F
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  61fc662a678c75e1f17ee6bb00ef853c6d51bd4ae90616c8ed4995c45e96206d.exe
- Size
  
  1.3MB
- MD5
  
  a55159c7edc073d452e4fef92d247997
- SHA1
  
  d239b25b2a33a64134f11d2d2ac5c7a89e186a29
- SHA256
  
  61fc662a678c75e1f17ee6bb00ef853c6d51bd4ae90616c8ed4995c45e96206d
- SHA512
  
  5189f51ce0f90a71e86e53ea23d564d796536c45db8c8f4a11e75947bb4fc0d2489c83899e4a8e8b81504007ccad7a05dc8ac02b0d47a52ea565396a27c5e8b3
- SSDEEP
  
  24576:AP+g7Wy3xfMZKdcKtTjbJ4jEEEEEEEEEEEEEEEEEEEETKKKKKKKKKKKKKKKKKKK7:A/iy3g6TjbIEEEEEEEEEEEEEEEEEEEE+
Score

10^/10

remcos fmglobal collection persistence rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
- Detects executables built or packed with MPress PE compressor
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2