remcos | 1cb551acf0990344e1a4f35a13ea63b7888f6287d54040ab071567fbc13e9856 | Triage

Submit
Reports

Overview

overview

Static

static

3

9582023 Di...nt.exe

windows7-x64

9582023 Di...nt.exe

windows10-2004-x64

Sharing

General

Target

n9582023_Diesel_Power_Plant.lzh
Size

856KB
Sample

240925-n1awdsxbma
MD5

b806d489a690b6a84913f1fb165e5127
SHA1

13fe37cc76c8b8bdc82152e7cd07ef8a1c4c139f
SHA256

1cb551acf0990344e1a4f35a13ea63b7888f6287d54040ab071567fbc13e9856
SHA512

1dfb1b6262bf6bf7acded4a26e65dca8cdb906fc0d6b2d08f9b957d3bcdf3c24437780caedd12b7f41d11fcbbcf057582bbacf162df1122d751d5de49eb7d869
SSDEEP

24576:26F7Ei+JSYra2VMGrAC3WdVtt2G5hpy2bQ/GlThogW:jFMhrasM+mdRfp7SGlNJW

Score

10^/10

remcos remotehost collection discovery execution rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

9582023 Diesel Power Plant.exe

Resource

win7-20240729-en

remcos remotehost collection discovery execution rat

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

9582023 Diesel Power Plant.exe

Resource

win10v2004-20240802-en

remcos remotehost collection discovery execution rat

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

www.drechftankholding.com:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
dfgh
mouse_option
false
mutex
Rmc-8J6PG9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  9582023 Diesel Power Plant.pif
- Size
  
  925KB
- MD5
  
  c389b87b78df960f50d0848ccff471a6
- SHA1
  
  c0a4c51af56dd5a3c5472ee86d3388a56e1cb901
- SHA256
  
  5bf25358184f7ddd5da889cee29f7adb0f8db9aa9c130b8c83a93f616919fb9d
- SHA512
  
  5d5681ff306a71856549674c8dbca00e6ac552b60dae822e356d5e189403de3cbac181b47e64293b2cd95f46f30c9b7f8f4c16eac0def188b6d98445b55a1b1c
- SSDEEP
  
  24576:fMlPuJwI0Xvuwl2wfnV4nG6vv1BIfrlu6cZVp:fM1CwpWwQwfyG6vv1BB
Score

10^/10

remcos remotehost collection discovery execution rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Scripting

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostcollectiondiscoveryexecutionrat

behavioral2

remcosremotehostcollectiondiscoveryexecutionrat

© 2018-2025

Terms | Privacy