remcos

General

Target

19801cf904884fb5e33a7595d6a616c3.bin
Size

1.3MB
Sample

241016-bdejvavbqd
MD5

5171a884b92166315cda537c57a08b28
SHA1

c61d031ecea83857a545ddf12d8d34ac9e510839
SHA256

b96d46043fab794c9576cbb36aaeeb60cee914c1b10331c23f292e0955bb5201
SHA512

9c5b5fe011eb6b7a478c1ae906ee0451462f8a30700e102059d1f65d0e805ba1e194868d918e7c104cf4123e5354865f2a12864b85a47a22a5f73f639ae71c96
SSDEEP

24576:aYvJtPpDusCgcAcT1/b+wv/Kga/FVd73WbnRbuH11En4p:aI5uvZAW6waxNk5uH11En4p

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

www.projectusf.com:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
gfh
mouse_option
false
mutex
Rmc-J91LMC
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  76c073734ff5f0942c8c539be408367b83a78ce995e8d9502bea6e9d83d1c3ad.exe
- Size
  
  1.6MB
- MD5
  
  19801cf904884fb5e33a7595d6a616c3
- SHA1
  
  56792c80985a4ae57d85fdbe7d1f812152c5d2ad
- SHA256
  
  76c073734ff5f0942c8c539be408367b83a78ce995e8d9502bea6e9d83d1c3ad
- SHA512
  
  f7a37a99f18cdbb35ea03920f305e1bc8a5ada62a7bdc785d30fe85662f7b27a35b592449073ff30a113a6ba6c75d6e54c043e7a61a052a9d5b3f498ca99699f
- SSDEEP
  
  24576:ffmMv6Ckr7Mny5QLfrgh8kkKe+rGW/FgkI5NSBJFLM7XV4:f3v+7/5QLfrgh8cFgh+pM7XV4
Score

10^/10

remcos remotehost collection discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
  collection
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Drops startup file

Executes dropped EXE

Loads dropped DLL

Accesses Microsoft Outlook accounts

AutoIT Executable

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2