General
-
Target
7826111d2199c264fedeb756cca3cde1303c218950789aeaf55df82f47eda858
-
Size
1.4MB
-
Sample
241001-hcy1esvhmj
-
MD5
868fc97a8ce0e4235e0226aefdf61210
-
SHA1
694c0865656c0b3bb054b542cb87de276b0dcc55
-
SHA256
7826111d2199c264fedeb756cca3cde1303c218950789aeaf55df82f47eda858
-
SHA512
9e4c11c543a0644b50851309983756db5aa4b3f0d3a816313abbf3ce766f0c6e25e8262636cc11cc85ddc7413c727627fc72e3c5b20181883ccb955e4ad222e6
-
SSDEEP
24576:0W6nMMAthG0OyHkdGPARth8wVbMDi5l52VUyzQEsM4BPafQYkJS2xhof79JJ/aXr:0WsMMOgSHVARthZGDMGK/vM+mQtJSchd
Malware Config
Extracted
remcos
RemoteHost
204.10.160.212:6622
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-98KSNN
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
RFQ-NO 00967-HYU001-Project Order.exe
-
Size
1.5MB
-
MD5
58906f0d0d57dc8b5f32a7d779cdea22
-
SHA1
e7e0546255d9595e903a5dd641f1234979dd59ea
-
SHA256
502adbc1e5177691e69d8a3159aae8f5672e9ccf8eadda3f6c4fccb3d258dd6d
-
SHA512
c08dab3ddd376af6405a8816e05525bf099628a6ebb0d29f510fe463f4f47cfe5e134350749272219038c984b8a38961782637a4c96981a916130851b004fdc4
-
SSDEEP
49152:UJT2EhlJjIw8Fhno/SWR7Zosw/19gl3cJ:OBxjIZ9oKoZho1/
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1