remcos

General

Target

06092024_1400_05092024_AMERICAN GROUP.7z
Size

1KB
Sample

240906-rbdgrszelk
MD5

1fa25bbd281d2c59108d697b7ff78319
SHA1

709709b2cc331f9c6877ccef10df66c2a071d194
SHA256

1d503f8439839103192d3c1649cdfc1d52ee38e9c2a2a34e7a47d1c4310ffe1f
SHA512

6b18c2be04eab8d16c492458798a39feed8292cfbdfd97d480b84af5c9c35ec440c5391b7f63281cd7905fcee7469f963abae1d2a107ded2e7a7072b9929295d

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

ezeife

C2

closen.kozow.com:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-CDP1EM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  AMERICAN GROUP.js
- Size
  
  5KB
- MD5
  
  5be88d052188df8add0940e02e81c7ba
- SHA1
  
  f94e8408818fe5537653a25bc30dadd9dd1e274f
- SHA256
  
  4858ae3bd1364f5c2246a46b84dc9abc15b1ea5ffc98a15dc5610b976042aea6
- SHA512
  
  135e6707323d014de36ed1028ea7a5fd9ca4afcf15f8e5c65dc9bc8b22173f9990e71f1f7be1c693339df48cfb7e3fbc8c9b997b2901069334f4a605ed32c8b7
- SSDEEP
  
  96:lkPtC7pMHzQL4hl0m5VqOM/C7yieEPjOQOUQ8CcZJEp6LWQPjwo47f:e879iUCFF9Q8Ccbj94r
Score

10^/10

execution remcos ezeife collection credential_access discovery rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2