remcos | c2be545ffaaebb2cccc7a218dd89398b3f560ba0ba60dd7a6a761d71272752c4

General

Target

c2be545ffaaebb2cccc7a218dd89398b3f560ba0ba60dd7a6a761d71272752c4.exe
Size

483KB
Sample

240629-b5wx7syalg
MD5

0cb87c0084a98eda411343dd73ce15bf
SHA1

4fa64426175b713f3a9649958a861979944c8883
SHA256

c2be545ffaaebb2cccc7a218dd89398b3f560ba0ba60dd7a6a761d71272752c4
SHA512

97a83ce3a2d5440bbb02f6222ddc5bb1e1597cb22ceec45da2063f11c8f993e1026d89b822c0a6f7e843a2da2821c3ef9e24f06f447acb7cf0537ad64fd48143
SSDEEP

6144:XXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZ5AXIcNg5Gv:XX7tPMK8ctGe4Dzl4h2QnuPs/Z5pcv

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

mever.duckdns.org:38157

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
lgs
mouse_option
false
mutex
Rmc-GY4TI4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  c2be545ffaaebb2cccc7a218dd89398b3f560ba0ba60dd7a6a761d71272752c4.exe
- Size
  
  483KB
- MD5
  
  0cb87c0084a98eda411343dd73ce15bf
- SHA1
  
  4fa64426175b713f3a9649958a861979944c8883
- SHA256
  
  c2be545ffaaebb2cccc7a218dd89398b3f560ba0ba60dd7a6a761d71272752c4
- SHA512
  
  97a83ce3a2d5440bbb02f6222ddc5bb1e1597cb22ceec45da2063f11c8f993e1026d89b822c0a6f7e843a2da2821c3ef9e24f06f447acb7cf0537ad64fd48143
- SSDEEP
  
  6144:XXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZ5AXIcNg5Gv:XX7tPMK8ctGe4Dzl4h2QnuPs/Z5pcv
Score

9^/10

collection spyware stealer
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2