remcos

General

Target

3b8887359ad82101a2e050475601c339ae2fab0676712f7dded280e7d52b9591
Size

1.6MB
Sample

241005-za55ds1hmq
MD5

6b737ec9c99212f82ad21f718d102c07
SHA1

073666a7026034ab313e573b19f8b32abb85979c
SHA256

3b8887359ad82101a2e050475601c339ae2fab0676712f7dded280e7d52b9591
SHA512

6d9f2e9f344544e46ff56317c3a0abf4b6ef88f0af7792ad053ae77e3915192f26c2d7b64aced249d84191fc0dd01ba2fd0edb987ff5d195d63e43ef260f47a4
SSDEEP

24576:FfmMv6Ckr7Mny5QlxdojKM41UJ2FdS/JWhtT2NDH2/fqcLPDMplL3T3W:F3v+7/5Qlxd7WaYchN2QfqcTDMXTm

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

45.95.169.124:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-EWMBFF
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  3b8887359ad82101a2e050475601c339ae2fab0676712f7dded280e7d52b9591
- Size
  
  1.6MB
- MD5
  
  6b737ec9c99212f82ad21f718d102c07
- SHA1
  
  073666a7026034ab313e573b19f8b32abb85979c
- SHA256
  
  3b8887359ad82101a2e050475601c339ae2fab0676712f7dded280e7d52b9591
- SHA512
  
  6d9f2e9f344544e46ff56317c3a0abf4b6ef88f0af7792ad053ae77e3915192f26c2d7b64aced249d84191fc0dd01ba2fd0edb987ff5d195d63e43ef260f47a4
- SSDEEP
  
  24576:FfmMv6Ckr7Mny5QlxdojKM41UJ2FdS/JWhtT2NDH2/fqcLPDMplL3T3W:F3v+7/5Qlxd7WaYchN2QfqcTDMXTm
Score

10^/10

remcos remotehost collection discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2