remcos

General

Target

FRENCH GROUP.js
Size

4KB
Sample

240904-sjfgrssfqp
MD5

dadd8377507e2d1e1f9d6d3932247793
SHA1

db6d40ce027a73e60387f3787e0e21f0f23a24be
SHA256

36c49be8996bd1fb40e29a22b26feff1a0081adbb319ab6ccbda80ef81376116
SHA512

e20deb4608cdead3d79bc9d7a404a8e7fd47648aa44651d2a25dcccaa859baccce3238fe942a399b54ede7130e916fc60eba24a0031fcb219cf61c624810d367
SSDEEP

96:FFAo42THsHlhnWbzFlWxCi+uYBZFO6UxOWlTtMIRdSMdfLCVjBw:rpqhnWvFldT1ZFsxTRRdSM1LCVjBw

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

Idemili Akpu

C2

closen.kozow.com:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-P9VOBB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  FRENCH GROUP.js
- Size
  
  4KB
- MD5
  
  dadd8377507e2d1e1f9d6d3932247793
- SHA1
  
  db6d40ce027a73e60387f3787e0e21f0f23a24be
- SHA256
  
  36c49be8996bd1fb40e29a22b26feff1a0081adbb319ab6ccbda80ef81376116
- SHA512
  
  e20deb4608cdead3d79bc9d7a404a8e7fd47648aa44651d2a25dcccaa859baccce3238fe942a399b54ede7130e916fc60eba24a0031fcb219cf61c624810d367
- SSDEEP
  
  96:FFAo42THsHlhnWbzFlWxCi+uYBZFO6UxOWlTtMIRdSMdfLCVjBw:rpqhnWvFldT1ZFsxTRRdSM1LCVjBw
Score

10^/10

execution remcos idemili akpu collection credential_access discovery rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2