remcos | 6e14949ce6cf75b2752054554ad439b0a83a7021a232b29dd5fdcd9c47eaa3f2 | Triage

Submit
Reports

Overview

overview

Static

static

1

SWIFT050924.vbs

windows7-x64

SWIFT050924.vbs

windows10-2004-x64

Sharing

General

Target

6e14949ce6cf75b2752054554ad439b0a83a7021a232b29dd5fdcd9c47eaa3f2
Size

508KB
Sample

240909-rcp7yssakk
MD5

d2d5ed989829fdc9c44bdccd546d91c1
SHA1

beb783c5d2f11135cc0f608b8850f23b37f0abf3
SHA256

6e14949ce6cf75b2752054554ad439b0a83a7021a232b29dd5fdcd9c47eaa3f2
SHA512

dfdb4da899323454c541712a1e154c394a90f3b8a8f6779cbde0affae6c3d25df2964baf18a87e573dcbe1c6909339ff5f10181b99c029020abed01925adba95
SSDEEP

12288:7bDeoktesIzi35QojLRUfQnxpjgq4vsN7xpPAYT:rxkteDzil1Uf4pjP6spPB

Score

10^/10

remcos remotehost collection credential_access discovery rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

SWIFT050924.vbs

Resource

win7-20240708-en

remcos remotehost collection credential_access discovery rat stealer

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

SWIFT050924.vbs

Resource

win10v2004-20240802-en

remcos remotehost collection credential_access discovery rat stealer

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

camzeroconnect.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-GT4655
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  SWIFT050924.vbs
- Size
  
  691KB
- MD5
  
  2017ec3e440a42016679cfca89021367
- SHA1
  
  b28018bd754b0fa5170c9071fb4a615741b4dd19
- SHA256
  
  cf932f84c26f6d3665b03afbe44e50bf77342af73b4a1f101d48a5750fb3bf23
- SHA512
  
  3e29904829f4ea7ae5fcde95ccc3b4e9b440f60a1de183fe6ba7cd822d04e0976ff6e6a1bdb92a5da935e36a4485cbc982eb0d7d02c337c476c45724450efb02
- SSDEEP
  
  12288:xLtzjh8P+o6/vW/kiZI5sjLXjJkMz4Ss47DcShFXNGh/WmDj+VGP:dt3h9/uJZSsjLlkMdcSzdIuGP
Score

10^/10

remcos remotehost collection credential_access discovery rat stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostcollectioncredential_accessdiscoveryratstealer

behavioral2

remcosremotehostcollectioncredential_accessdiscoveryratstealer

© 2018-2025

Terms | Privacy