remcos

General

Target

5fe247828f3087cbede022c3db3c57ac8c0bb0138ea8e3424021afc4e314d076.exe
Size

1.2MB
Sample

240906-bpy3mayfme
MD5

351186b9b345b2fa94ab174c4c19b14f
SHA1

a736ed0ceb2cff740b9f1a6e7a0ce0efbf685fc5
SHA256

5fe247828f3087cbede022c3db3c57ac8c0bb0138ea8e3424021afc4e314d076
SHA512

8a105558ba42004e9aec1d21807144a8814241f9cc130367bfb6bd6d815accc5de21bec102e25acabc6818c29917061f2e1040651fa798fcaee85a9198911fcc
SSDEEP

24576:pUobyhBVHw9S2uk4zCbu26CKVHT38VqnlaV7pNI3xL35yd:iF9D2uk42bb1KVH78VqQbIt3y

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

SEPT 5

C2

sungito2.ddns.net:6509

154.216.19.222:5532

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WJKXMP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  5fe247828f3087cbede022c3db3c57ac8c0bb0138ea8e3424021afc4e314d076.exe
- Size
  
  1.2MB
- MD5
  
  351186b9b345b2fa94ab174c4c19b14f
- SHA1
  
  a736ed0ceb2cff740b9f1a6e7a0ce0efbf685fc5
- SHA256
  
  5fe247828f3087cbede022c3db3c57ac8c0bb0138ea8e3424021afc4e314d076
- SHA512
  
  8a105558ba42004e9aec1d21807144a8814241f9cc130367bfb6bd6d815accc5de21bec102e25acabc6818c29917061f2e1040651fa798fcaee85a9198911fcc
- SSDEEP
  
  24576:pUobyhBVHw9S2uk4zCbu26CKVHT38VqnlaV7pNI3xL35yd:iF9D2uk42bb1KVH78VqQbIt3y
Score

10^/10

remcos sept 5 collection credential_access discovery execution rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2