remcos

General

Target

b6ef9315154feca08a0c4e65b650af9cb30fba63be8739507d9cc76ad034ef55.exe
Size

826KB
Sample

240528-bwzyhaag83
MD5

87aca91fc9b0ce5a4bc495b90133319e
SHA1

c51e9b32b39ab0bdc06055eaef3b38fc789844eb
SHA256

b6ef9315154feca08a0c4e65b650af9cb30fba63be8739507d9cc76ad034ef55
SHA512

a82ca6603265b8f31f0c4f478ff57cdff8bf9abc372653433b8090ecb3be9cbfc002cec3c6f0af7c3395a379fa7370608d6aa8ae45bc6e388446f7e81376fb28
SSDEEP

24576:oBXu9HGaVHwqf4Xabh4SqgjBKgBRlWbAL:ow9VHwqf4WeSxdKA

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

91.92.249.107:85

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-PZE93C
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  b6ef9315154feca08a0c4e65b650af9cb30fba63be8739507d9cc76ad034ef55.exe
- Size
  
  826KB
- MD5
  
  87aca91fc9b0ce5a4bc495b90133319e
- SHA1
  
  c51e9b32b39ab0bdc06055eaef3b38fc789844eb
- SHA256
  
  b6ef9315154feca08a0c4e65b650af9cb30fba63be8739507d9cc76ad034ef55
- SHA512
  
  a82ca6603265b8f31f0c4f478ff57cdff8bf9abc372653433b8090ecb3be9cbfc002cec3c6f0af7c3395a379fa7370608d6aa8ae45bc6e388446f7e81376fb28
- SSDEEP
  
  24576:oBXu9HGaVHwqf4Xabh4SqgjBKgBRlWbAL:ow9VHwqf4WeSxdKA
Score

10^/10

remcos remotehost collection rat upx
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
- Detects executables built or packed with MPress PE compressor
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- UPX dump on OEP (original entry point)
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses Microsoft Outlook accounts
  collection
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects executables built or packed with MPress PE compressor

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

UPX dump on OEP (original entry point)

UPX packed file

Accesses Microsoft Outlook accounts

AutoIT Executable

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2