remcos

General

Target

Quotation.scr.exe
Size

397KB
Sample

241007-j4exasvenn
MD5

c4480b58328126c07e887230ad86d282
SHA1

7c226422b08bdf0e3258b9e8d52d1a30a80bd567
SHA256

a01a62156170d2f163507a09320efe3ac4112be7ac0e82752799963c6603a095
SHA512

95479cd3368aea9ee77f7398a9870843c4bbe9b26f8dfc1b0b199e6508513863354f087b447e0691f60d271b79511786b749cbd996f99d470e899936597e79b1
SSDEEP

12288:Ck13jLO9cLkxp6qu07AoF6DrGUnekSnea5+Ns054Pio:C036Qk79uWAoF8ZOSscSd

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

subddfg.lol:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-C7CG6G
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Quotation.scr.exe
- Size
  
  397KB
- MD5
  
  c4480b58328126c07e887230ad86d282
- SHA1
  
  7c226422b08bdf0e3258b9e8d52d1a30a80bd567
- SHA256
  
  a01a62156170d2f163507a09320efe3ac4112be7ac0e82752799963c6603a095
- SHA512
  
  95479cd3368aea9ee77f7398a9870843c4bbe9b26f8dfc1b0b199e6508513863354f087b447e0691f60d271b79511786b749cbd996f99d470e899936597e79b1
- SSDEEP
  
  12288:Ck13jLO9cLkxp6qu07AoF6DrGUnekSnea5+Ns054Pio:C036Qk79uWAoF8ZOSscSd
Score

10^/10

discovery remcos remotehost collection rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  792b6f86e296d3904285b2bf67ccd7e0
- SHA1
  
  966b16f84697552747e0ddd19a4ba8ab5083af31
- SHA256
  
  c7a20bcaa0197aedddc8e4797bbb33fdf70d980f5e83c203d148121c2106d917
- SHA512
  
  97edc3410b88ca31abc0af0324258d2b59127047810947d0fb5e7e12957db34d206ffd70a0456add3a26b0546643ff0234124b08423c2c9ffe9bdec6eb210f2c
- SSDEEP
  
  192:rFiQJ771Jt17C8F1A5xjGNNvgFOiLb7lrT/L93:X71Jt48F2eNvgFF/L
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  6KB
- MD5
  
  5aa38904acdcc21a2fb8a1d30a72d92f
- SHA1
  
  a9ce7d1456698921791db91347dba0489918d70c
- SHA256
  
  10675f13abaee592f14382349aa35d82fb52aab4e27eef61d0c83dec1f6b73da
- SHA512
  
  f04740da561d7cd0dea5e839c9e1c339d4a3e63944d3566c94c921a3d170a69918a32dff3f3b43f13d55cc25a2dbb4c21104f062c324308ac5104179766402a3
- SSDEEP
  
  96:AOBtEB2flLkatAthPZJoi9jpfW/er6cBbcB/NFyVOHd0+uHwEX:AhB2flXAVJtjf6cBbcB/N8Ved0PZ
Score

3^/10

discovery
behavioral5 behavioral6