remcos | e9e3b4a2ddf339aa09a48684593ad439640432f56b1e3c6cf0f2b41fcac9aef2 | Triage

Submit
Reports

Overview

overview

Static

static

3

Geron Stee...25.exe

windows7-x64

Geron Stee...25.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

Geron Steel-Order-79376- Contract 2025.7z
Size

122KB
Sample

240803-hrha8awdnm
MD5

0071055f3114b9bf873f890d34179759
SHA1

852b3e65073fd44dcc69ae70617a372a66d04b1a
SHA256

e9e3b4a2ddf339aa09a48684593ad439640432f56b1e3c6cf0f2b41fcac9aef2
SHA512

344b38c4c58acd89732264c66e1d9b1682fd75d9afd81d90bea6869b7e7ff540040c3c73c4ea5b0b9847413aeca1ba588cf6cbb4a407c4be52c6b9184df3cc4b
SSDEEP

3072:1h0mPoyeApSuOBoCUTdYg3QFzthPjo9lyfZzZ+4DNIp:OAXXCUTdd3QuyfFu

Score

10^/10

remcos fresh collection credential_access discovery rat stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Geron Steel-Order-79376- Contract 2025.exe

Resource

win7-20240708-en

remcos fresh collection credential_access discovery rat stealer

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

Geron Steel-Order-79376- Contract 2025.exe

Resource

win10v2004-20240802-en

remcos fresh collection credential_access discovery rat stealer

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

Fresh

C2

taysour6lakut1.duckdns.org:1960

taysour6lakut1.duckdns.org:1961

taysour6lakut2.duckdns.org:1960

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
mzpos.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
kmgvboirfg-VIHET7
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Geron Steel-Order-79376- Contract 2025.exe
- Size
  
  122KB
- MD5
  
  259de4d35dd0423eb6e2d45909c6ea01
- SHA1
  
  d402a26707c43815d1f8668430b22cf9b1fdf370
- SHA256
  
  f3258b7f18cf2b576d36f0f7c8c5b762b1f77170bc2837378d99013dd7177b8b
- SHA512
  
  bec647640bb711978c663f1a5b5de7985dfa3bc4c91c6bbfb21ca970a139bb68f09c58b890724ffe776b607a69ce10c5e34531c7cda884cb2d215337fe8a61dc
- SSDEEP
  
  3072:mh0mPoyeApSuOBoCUTdYg3QFzthPjo9lyfZzZ+4DN:3AXXCUTdd3QuyfF
Score

10^/10

remcos fresh collection credential_access discovery rat stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosfreshcollectioncredential_accessdiscoveryratstealer

behavioral2

remcosfreshcollectioncredential_accessdiscoveryratstealer

© 2018-2025

Terms | Privacy