remcos

General

Target

P.O_Qouts_t87E90Y-E4R7G-PDF.exe
Size

636KB
Sample

240829-l2awnsvhne
MD5

c1c571c4f8f69d3c8aa0ec091173bd5e
SHA1

a36ac174f8ee2ed2254f69a21799837af58071f2
SHA256

d7cf40360b1dd35e6a20b8639f0fe9cc918157de07ff248983db6f0ee1472dbb
SHA512

08b540ab5ebb986cc43add736aee38d11a5f0da5252384bb30c7ca7f7b464e63debab4cec5a3dd122e3280f26e57e5ac8adc171e237a681d0e95239bddc11a1d
SSDEEP

12288:5rRo7TKXllTfhmiKdHEHPSXbOp/NoJnYRlXO3iBM4ILaa+Brt:JC7TKXlFfsiMEHPSq8YfMiBMh+ht

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

45.95.169.18:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-HP1D61
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  P.O_Qouts_t87E90Y-E4R7G-PDF.exe
- Size
  
  636KB
- MD5
  
  c1c571c4f8f69d3c8aa0ec091173bd5e
- SHA1
  
  a36ac174f8ee2ed2254f69a21799837af58071f2
- SHA256
  
  d7cf40360b1dd35e6a20b8639f0fe9cc918157de07ff248983db6f0ee1472dbb
- SHA512
  
  08b540ab5ebb986cc43add736aee38d11a5f0da5252384bb30c7ca7f7b464e63debab4cec5a3dd122e3280f26e57e5ac8adc171e237a681d0e95239bddc11a1d
- SSDEEP
  
  12288:5rRo7TKXllTfhmiKdHEHPSXbOp/NoJnYRlXO3iBM4ILaa+Brt:JC7TKXlFfsiMEHPSq8YfMiBMh+ht
Score

10^/10

remcos remotehost discovery execution persistence rat collection credential_access stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/BgImage.dll
- Size
  
  7KB
- MD5
  
  a615e590815c8a602bb697ccd2421c38
- SHA1
  
  c88e5006622146b3d5acbdc3639bad06066c1c0c
- SHA256
  
  446a45a23c01944a0c23f59f4967890f199d7f4bca77793c4e1a54c04bdef44d
- SHA512
  
  a45c4c177db16e9f0b122c45cd16b856b4f99a33052c4e248d5d997a4eedb2be690a797a92d042c3de62ee098cb1b2be8cb9dae2d8b11cfcff77fd46d7902f90
- SSDEEP
  
  96:8eM0AKTIfv7QCUsthvNL85s4lk38Eb3CDfvEh8uLzqkvnLiEQjJ3KxkP:tuBfjbUA/85q3wEh8uLmWLpmP
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/nsDialogs.dll
- Size
  
  9KB
- MD5
  
  eb2c74e05b30b29887b3219f4ea3fdab
- SHA1
  
  91173d46b34e7bae57acabdbd239111b5bcc4d9e
- SHA256
  
  d253ca5aba34b925796777893f114cc741b015af7868022ab1db2341288c55ed
- SHA512
  
  1bb035260223ec585170f891c2624b9ae98671f225e74b913b40bb77b66e3b9c2016037bc8e4b0ae16367d82590a60a0a3bd95d05139ea2454f02020d1b54dae
- SSDEEP
  
  96:oVDlD3cd51V1zL7xqEscxM2DjDf3GEst+Nt+jvcx488qndYv0PLE:oVp34z/x3sREskpxjdO0PLE
Score

3^/10

discovery
behavioral5 behavioral6