remcos

General

Target

scan_documet_027839.rar
Size

6KB
Sample

240906-nrkdgateqm
MD5

36219c4f77fabbc875a8a77de0957d5e
SHA1

dc37e9e2b3781f894f4ea1f358148a70c684b532
SHA256

84dab25530ba75d9610b9b7e7f8665ba066679cb1e433d7657f9b0577e37717d
SHA512

cec5c7bb82b111e09732231b7605b501149e6f8c35f77237c6f92f757f2721ae5c8523cdb3069b95e37c6753e38280859d660bbd236777af930c06069dd68dc2
SSDEEP

192:xEMZXn6ozg9WcNqxkFUJL2FYWFRhVYZLUbyln:xEWX6Mg9dNZUJCFrFRXLWln

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

one_host

C2

111.90.147.146:2404

111.90.147.146:54750

111.90.147.146:80

111.90.147.146:8080

111.90.147.146:21

111.90.147.146:465

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
hdeshtrhj-38D4FR
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  scan_documet_027839.vbs
- Size
  
  14KB
- MD5
  
  a5a98320f9ac5232423dbde020b8af40
- SHA1
  
  270b584738e2ad68dfbb7d949b72e9ceeb620607
- SHA256
  
  cb6c92921e3bc58250684d6bd5dda9b92d22917f2d5e7b137c9694907309e986
- SHA512
  
  a0d29c2f86b197dfa834f3718ff45dfbcf7bdade1b6e0c551cf0cbd0b2138f9d2e6a2a53efa262321977e22979b7e2662d3f301258c1d70ca7580d7b2b441e42
- SSDEEP
  
  384:40JkjQ0eWgc1pVR8YSwSPJmxNSiMFpWRD:fGjQ0e21pf8SmW28
Score

10^/10

remcos one_host collection credential_access discovery execution persistence rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1