remcos

General

Target

ce780b54c89a5fe2c0fe7fa6ff246b00ca4e15ee84b80c4d6730f30f345912ed_dump.exe
Size

483KB
Sample

240530-lxrnmade8x
MD5

dfed304d49603949b72a9840e46b4cab
SHA1

f872be1c08a60df4a4d2ae7e4ef9d6ef30b5e308
SHA256

fe90e7a7d24d0a6185c652cd88dabd4126000d71d5b1009c8b6aa6ab5eeb6ebd
SHA512

80cd04e477b4295f46094a3fd71a9c29647c1fa4429a353b829e9615394d23047ddf6826d5b74672168651b3aa4ccd5ea7faead8ea591c5639276063895d58de
SSDEEP

6144:mXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZDAXYcNW5Gv:mX7tPMK8ctGe4Dzl4h2QnuPs/ZDPcv

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:46517

127.0.0.1:55767

mypersonrem.duckdns.org:46517

mypersonrem.duckdns.org:55767

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-6IQ6YR
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  ce780b54c89a5fe2c0fe7fa6ff246b00ca4e15ee84b80c4d6730f30f345912ed_dump.exe
- Size
  
  483KB
- MD5
  
  dfed304d49603949b72a9840e46b4cab
- SHA1
  
  f872be1c08a60df4a4d2ae7e4ef9d6ef30b5e308
- SHA256
  
  fe90e7a7d24d0a6185c652cd88dabd4126000d71d5b1009c8b6aa6ab5eeb6ebd
- SHA512
  
  80cd04e477b4295f46094a3fd71a9c29647c1fa4429a353b829e9615394d23047ddf6826d5b74672168651b3aa4ccd5ea7faead8ea591c5639276063895d58de
- SSDEEP
  
  6144:mXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZDAXYcNW5Gv:mX7tPMK8ctGe4Dzl4h2QnuPs/ZDPcv
Score

10^/10

collection spyware stealer remcos remotehost rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2