remcos | 75355958d81ed41f64b374f761d6b8076d558e1610214eeef8f4fd1ece8f78fa | Triage

Submit
Reports

Overview

overview

Static

static

1

cf932f84c2...23.vbs

windows7-x64

cf932f84c2...23.vbs

windows10-2004-x64

Sharing

General

Target

2017ec3e440a42016679cfca89021367.bin
Size

501KB
Sample

240909-bdb4qatgkk
MD5

d74832353fdfd02369346680c6516ac1
SHA1

c1358b7a59365bf1e6e44857d0f6fb02b8e4a910
SHA256

75355958d81ed41f64b374f761d6b8076d558e1610214eeef8f4fd1ece8f78fa
SHA512

b4262c633cda93d8cddfa0c3ee4cdabc8cb7526ee9dd000d8c11bd500e2d61851915f67843b6c59e983a92b2f9ab6598e23d3b6d450055b7058e8026a183329a
SSDEEP

12288:WZR2rpAuUsaXQfdIO66U4WNSN0WRD26hgNSzXeTTarP6s:E2qS66/WNy02D/htTeTTAP6s

Score

10^/10

remcos remotehost collection credential_access discovery rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

cf932f84c26f6d3665b03afbe44e50bf77342af73b4a1f101d48a5750fb3bf23.vbs

Resource

win7-20240903-en

remcos remotehost collection credential_access discovery rat stealer

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

cf932f84c26f6d3665b03afbe44e50bf77342af73b4a1f101d48a5750fb3bf23.vbs

Resource

win10v2004-20240802-en

remcos remotehost collection credential_access discovery rat stealer

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

camzeroconnect.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-GT4655
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  cf932f84c26f6d3665b03afbe44e50bf77342af73b4a1f101d48a5750fb3bf23.vbs
- Size
  
  691KB
- MD5
  
  2017ec3e440a42016679cfca89021367
- SHA1
  
  b28018bd754b0fa5170c9071fb4a615741b4dd19
- SHA256
  
  cf932f84c26f6d3665b03afbe44e50bf77342af73b4a1f101d48a5750fb3bf23
- SHA512
  
  3e29904829f4ea7ae5fcde95ccc3b4e9b440f60a1de183fe6ba7cd822d04e0976ff6e6a1bdb92a5da935e36a4485cbc982eb0d7d02c337c476c45724450efb02
- SSDEEP
  
  12288:xLtzjh8P+o6/vW/kiZI5sjLXjJkMz4Ss47DcShFXNGh/WmDj+VGP:dt3h9/uJZSsjLlkMdcSzdIuGP
Score

10^/10

remcos remotehost collection credential_access discovery rat stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostcollectioncredential_accessdiscoveryratstealer

behavioral2

remcosremotehostcollectioncredential_accessdiscoveryratstealer

© 2018-2025

Terms | Privacy