remcos

General

Target

f0f335a424d98a48836a01aaa8af90ddaa08667ad3fedc6cea38ab5623c4b713.exe
Size

1.0MB
Sample

240831-cj863szglm
MD5

a3a1178a681a45c960b0ed5d0c47926b
SHA1

9048f61cab453a6d4eb6ebae1bd2f913350975d9
SHA256

f0f335a424d98a48836a01aaa8af90ddaa08667ad3fedc6cea38ab5623c4b713
SHA512

974b0726a47312b9ecf429d4ba7716e196448655e24775f9443c5cc5b5a3fb790ef917baf30dc0da4907c9298ddff10fd411b806103a261dcc926c0f008ce0e3
SSDEEP

24576:78+0suO3PuzmSe//zGdg7Vbo11Im2YJAssiWV9w9pTNLo:juO/uzmN/CdSmfUqPx

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

23.106.127.79:5679

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7VNLX4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  f0f335a424d98a48836a01aaa8af90ddaa08667ad3fedc6cea38ab5623c4b713.exe
- Size
  
  1.0MB
- MD5
  
  a3a1178a681a45c960b0ed5d0c47926b
- SHA1
  
  9048f61cab453a6d4eb6ebae1bd2f913350975d9
- SHA256
  
  f0f335a424d98a48836a01aaa8af90ddaa08667ad3fedc6cea38ab5623c4b713
- SHA512
  
  974b0726a47312b9ecf429d4ba7716e196448655e24775f9443c5cc5b5a3fb790ef917baf30dc0da4907c9298ddff10fd411b806103a261dcc926c0f008ce0e3
- SSDEEP
  
  24576:78+0suO3PuzmSe//zGdg7Vbo11Im2YJAssiWV9w9pTNLo:juO/uzmN/CdSmfUqPx
Score

10^/10

remcos remotehost collection credential_access discovery execution rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2