remcos

General

Target

db1831649f55461c90d5020eb1310a99612efe51551f7e9ee57747b89daf10fd
Size

503KB
Sample

241003-aevf1stgqr
MD5

2c70fce6c57af6d52479099e5c701bc5
SHA1

5882bb3e919edb0891372dd60762bef9d39bfdfa
SHA256

db1831649f55461c90d5020eb1310a99612efe51551f7e9ee57747b89daf10fd
SHA512

4fb0a429d07c288c64b6bef9e47f5477b04991ed4757837d84a9eb3ae9321ce725de1db6672f052e280a9fa00495ad2465971b1be3be3726e4a6ba2362110597
SSDEEP

12288:QrqflmYwHO+CY9J/DtZA9b7TM5n9RKXHt1XXdo61:Q4VcO09lh+n+Ct1Xm61

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

GIMMEWEALTH

C2

janbours92harbu03.duckdns.org:3980

janbours92harbu04.duckdns.org:3981

janbours92harbu007.duckdns.org:3981

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-DZYYYQ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Awb_Tracking_App_original_invoice_bl_packinglist_shipment_29_09_2024_00000000000000000000.bat
- Size
  
  637KB
- MD5
  
  ff4eb87d1d1b7be863e3d3ebacabd016
- SHA1
  
  d87f89c5bcc66d4861b8d4654cac9b5f50dda1d4
- SHA256
  
  c427e3abb88e7f09b05e5bdf03a1b7e4a8dd938d22d310556f12f2a54d880da0
- SHA512
  
  53ea12baf38f793011bdb026cbfda1c510b199e8a137537d82449939426c1b4748764bf050fff61aca89760d398f783a63a6c5478464584014e66fd8083ab558
- SSDEEP
  
  12288:zNiR660vPkyuY/J/ptZA9h7z13KXGWj4XXdN6+:xu0Hkg/lLSlrWj4Xn6+
Score

10^/10

discovery execution remcos gimmewealth collection persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Dumperfrernes/Multiversities.Bek
- Size
  
  52KB
- MD5
  
  9f75d1ca6c6a219e26ceea78a6f6b218
- SHA1
  
  688f14dea57c5989cdb6b29d2d2f5d6a07a460ef
- SHA256
  
  203ef2d3c9984cadb87801dc09f084acf7d6f078855ba6300c6e2da79d3a23e9
- SHA512
  
  a337e7288f0ed129ae27357914af9af67080835c2b15cc1000566b39f3a30756b2d9e17c910429ecdda936a0e91608ceffa75725e4f5ef3efb1bf9e6b5b6666e
- SSDEEP
  
  768:TgeATHJjJp/klueGBVitBbWB+L2HuuSz35oDFkkSNa9qzgZmuPECvGf72IxJdccu:TQTHLquH7iXo+Vuy3SoaoYuCCJ0cQTB
Score

8^/10

execution persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4