remcos | 9d5992981fd5538fbea3b82c4c5bc14ddd761ed29cbd1f797200f1e2ca307bb0

General

Target

remcos_a.exe
Size

469KB
Sample

240609-pwh7msbc73
MD5

c2761b75ca1f79d7fc5230f0ed1c403b
SHA1

8c152a273117df047d021b42e65efb907b46104c
SHA256

9d5992981fd5538fbea3b82c4c5bc14ddd761ed29cbd1f797200f1e2ca307bb0
SHA512

a3b4a6bab2194f6b8142e0826d3d753951c10f3cca2cefff384a925a2d3c7106c8b8b4a8f5935d72c6e90e76f9f064bd9137132fc4335af271a151d665d336ef
SSDEEP

12288:omnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSdn9:YiLJbpI7I2WhQqZ7d9

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

hitsdrops.zapto.org:4444

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-76HVQ1
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  remcos_a.exe
- Size
  
  469KB
- MD5
  
  c2761b75ca1f79d7fc5230f0ed1c403b
- SHA1
  
  8c152a273117df047d021b42e65efb907b46104c
- SHA256
  
  9d5992981fd5538fbea3b82c4c5bc14ddd761ed29cbd1f797200f1e2ca307bb0
- SHA512
  
  a3b4a6bab2194f6b8142e0826d3d753951c10f3cca2cefff384a925a2d3c7106c8b8b4a8f5935d72c6e90e76f9f064bd9137132fc4335af271a151d665d336ef
- SSDEEP
  
  12288:omnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSdn9:YiLJbpI7I2WhQqZ7d9
Score

9^/10

collection spyware stealer
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2