remcos

General

Target

thrylPXnvfySmGN.exe
Size

928KB
Sample

240827-t7ncyssdqm
MD5

04d4d4d83e1601d220f83f09ae16cd79
SHA1

4f0a7d8060399a7ae5029690bdee2bf3b2e3e395
SHA256

86b19710e100964d95cfa01201152d4e73f1297f7286207feeb01cdb7e55efc8
SHA512

87747374bd1c72c9d33d2af9e7456617c95e6c100788f16123bf15cb1c6748a13ad1ac9b5a967553fdf668ea226033a741c08f45febc2130a7e50ccabe69333c
SSDEEP

24576:bhdtlx9EP2aKUQ6/FfCH1bGl4rg5YWNexNBpqod:bhdrY+aPQiFgDWcxNzqi

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

AUG 26

C2

sungito2.ddns.net:6509

154.216.19.222:5532

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-LXAZN2
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  thrylPXnvfySmGN.exe
- Size
  
  928KB
- MD5
  
  04d4d4d83e1601d220f83f09ae16cd79
- SHA1
  
  4f0a7d8060399a7ae5029690bdee2bf3b2e3e395
- SHA256
  
  86b19710e100964d95cfa01201152d4e73f1297f7286207feeb01cdb7e55efc8
- SHA512
  
  87747374bd1c72c9d33d2af9e7456617c95e6c100788f16123bf15cb1c6748a13ad1ac9b5a967553fdf668ea226033a741c08f45febc2130a7e50ccabe69333c
- SSDEEP
  
  24576:bhdtlx9EP2aKUQ6/FfCH1bGl4rg5YWNexNBpqod:bhdrY+aPQiFgDWcxNzqi
Score

10^/10

remcos aug 26 collection credential_access discovery execution rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2