remcos

General

Target

newbuttersmoothreversethings.tiff
Size

178KB
Sample

240826-lvqnjsyhjj
MD5

93857bd5c5e192f479e7051139df21fa
SHA1

7747a35042e6c7eff5919def4596a13d072e0075
SHA256

326db3240e33e0b88cfdb88209e0a13ae340e98d81a2d7caabca5bbb8ddba1ca
SHA512

111f2ccc0a94f1ff8ec3c6b73f160d080bc17cc4aac975ed7d8c883a73c7bccaef93bece25cb1f7583104f900eb18ecd8f6e4bed9932b69fe1746b9d6983ded5
SSDEEP

3072:JxJKdhHVR3mxTsZTgt5p9GwjdDPCLZ+zDpMlrtpk8tiG:JxJ8VxmFXzDelxpttiG

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

exe.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

Extracted

Family

remcos

Botnet

RemoteHost

C2

45.90.89.98:8243

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
loat
keylog_path
%Temp%
mouse_option
false
mutex
Rmc-O0U3JA
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  newbuttersmoothreversethings.tiff
- Size
  
  178KB
- MD5
  
  93857bd5c5e192f479e7051139df21fa
- SHA1
  
  7747a35042e6c7eff5919def4596a13d072e0075
- SHA256
  
  326db3240e33e0b88cfdb88209e0a13ae340e98d81a2d7caabca5bbb8ddba1ca
- SHA512
  
  111f2ccc0a94f1ff8ec3c6b73f160d080bc17cc4aac975ed7d8c883a73c7bccaef93bece25cb1f7583104f900eb18ecd8f6e4bed9932b69fe1746b9d6983ded5
- SSDEEP
  
  3072:JxJKdhHVR3mxTsZTgt5p9GwjdDPCLZ+zDpMlrtpk8tiG:JxJ8VxmFXzDelxpttiG
Score

10^/10

execution remcos remotehost collection credential_access discovery rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2