remcos

General

Target

680aab32e024714f6755bc2817bf7a68fe8ccb12bf72141d176080a1c7f66aeb
Size

519KB
Sample

240911-16mtcswcpm
MD5

c08bdb833f04aa88f5b1035500fd0e2d
SHA1

3514864b019defdac263d3fcd54ded96d72743c4
SHA256

680aab32e024714f6755bc2817bf7a68fe8ccb12bf72141d176080a1c7f66aeb
SHA512

a262042139b9e2f830afbc6e7e66e3597a6bd25d6e54b6f50e767497470dc59070a658ba9530c908a68c04410370616c7611c5cfcbd970de6a089db68e76a139
SSDEEP

12288:to+VIWBon+um+82Qx2qlM7uSibfXpzdYFcXT+/MOTjpMU5EUG13:e+VIWCn+lD2aSUXpzdwcXiUScUW

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

162.251.122.106:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-A7EXAF
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  680aab32e024714f6755bc2817bf7a68fe8ccb12bf72141d176080a1c7f66aeb
- Size
  
  519KB
- MD5
  
  c08bdb833f04aa88f5b1035500fd0e2d
- SHA1
  
  3514864b019defdac263d3fcd54ded96d72743c4
- SHA256
  
  680aab32e024714f6755bc2817bf7a68fe8ccb12bf72141d176080a1c7f66aeb
- SHA512
  
  a262042139b9e2f830afbc6e7e66e3597a6bd25d6e54b6f50e767497470dc59070a658ba9530c908a68c04410370616c7611c5cfcbd970de6a089db68e76a139
- SSDEEP
  
  12288:to+VIWBon+um+82Qx2qlM7uSibfXpzdYFcXT+/MOTjpMU5EUG13:e+VIWCn+lD2aSUXpzdwcXiUScUW
Score

10^/10

remcos remotehost collection credential_access discovery rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  3f176d1ee13b0d7d6bd92e1c7a0b9bae
- SHA1
  
  fe582246792774c2c9dd15639ffa0aca90d6fd0b
- SHA256
  
  fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
- SHA512
  
  0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6
- SSDEEP
  
  192:OPtkumJX7zB22kGwfy0mtVgkCPOsX1un:/702k5qpdsXQn
Score

3^/10

discovery
behavioral3 behavioral4