remcos

General

Target

991d1e29a1575cacedd43b0cc6254e4e8b905302238b354758933343bfac70da.exe
Size

3.3MB
Sample

240913-by9wgsxelc
MD5

b3bd87511cd987ba5747e942aad1ddc3
SHA1

56393b3565d8584d8f2a296facd1bf23db3cb60b
SHA256

991d1e29a1575cacedd43b0cc6254e4e8b905302238b354758933343bfac70da
SHA512

bf5c6dc986464cad124d0cf1c5a38323527ef144487c2759bfa1df24f125ed6c02da3e14f696cc9a29caf5f4e7d05741927064e27856170ea0fec78e7b8c2cea
SSDEEP

12288:dRtQiMYE1YZboRaX4UaAevPHrukqyqeFS6IoAI0X2b2IZePV65tCuQxZNCmhydeW:ORYEKt3o3AOPHLXFS6bSLo50uEZzyMW

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:45588

zuesremmy.duckdns.org:45588

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-5FB45N
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  991d1e29a1575cacedd43b0cc6254e4e8b905302238b354758933343bfac70da.exe
- Size
  
  3.3MB
- MD5
  
  b3bd87511cd987ba5747e942aad1ddc3
- SHA1
  
  56393b3565d8584d8f2a296facd1bf23db3cb60b
- SHA256
  
  991d1e29a1575cacedd43b0cc6254e4e8b905302238b354758933343bfac70da
- SHA512
  
  bf5c6dc986464cad124d0cf1c5a38323527ef144487c2759bfa1df24f125ed6c02da3e14f696cc9a29caf5f4e7d05741927064e27856170ea0fec78e7b8c2cea
- SSDEEP
  
  12288:dRtQiMYE1YZboRaX4UaAevPHrukqyqeFS6IoAI0X2b2IZePV65tCuQxZNCmhydeW:ORYEKt3o3AOPHLXFS6bSLo50uEZzyMW
Score

10^/10

remcos remotehost collection credential_access discovery evasion execution rat stealer trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Accesses Microsoft Outlook accounts
  collection
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2