remcos

General

Target

234ec1709640c409c97d44db036f181f4956a15c73a8756f7a714a57a59ff66c
Size

52KB
Sample

240912-w81qsaxhqm
MD5

d9412a42532e51ab372e00ab72eb4483
SHA1

db8f97b82ab7c9ff8e6f85d1df13a949606aa24a
SHA256

234ec1709640c409c97d44db036f181f4956a15c73a8756f7a714a57a59ff66c
SHA512

61f90e73c80faa1eef3553490d5cb7f83983b653ffbf3361841894d05970c054fc8e3ec69f013da4423fc313049bd4e380d8ecd3853bc599f1d0382f972916cb
SSDEEP

1536:f5jG8ef04g42MfOPsMIL3hLiIh26/2Ot/So2RR:fAfq42MfasMILDSO1gR

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Extracted

Family

remcos

Botnet

RemoteHost

C2

ugnrv.duckdns.org:9674

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-AV5HSI
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  0x000300000000b3e3-94
- Size
  
  194KB
- MD5
  
  914253e6225b686ee3e0a752c1cd1bb4
- SHA1
  
  42e9ae719f4dfd04e7dcb9d58a911eb37fd3439c
- SHA256
  
  00f52a2f56551d868397acd11e4d12c353d7107ce680c6ff00012a90dabc818b
- SHA512
  
  92ecf4249ef488d95a657a3e920316cc816e2e8d5d2b8e257e4ce074626beda95d379034c86758ac7a1623354cfe2cba14bf811f73f3a35fe97e3610d85c9e3b
- SSDEEP
  
  3072:7tduXlp2G4E2A0w8Vf0DyQPrWDgt5pUGw1piL71OkHiMZzvcqgp3yO9pj2t7tK:JW2Gp9b8tPQPacR9vctpiO9pjGtK
Score

10^/10

execution remcos remotehost collection credential_access discovery rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2