remcos | c441c4a1730f4f007d600a25dc94f5ce892cd1c313cce3c213b669f9566fbc81 | Triage

Submit
Reports

Overview

overview

Static

static

1

KULI500796...03.vbs

windows7-x64

8

KULI500796...03.vbs

windows10-2004-x64

Sharing

General

Target

c441c4a1730f4f007d600a25dc94f5ce892cd1c313cce3c213b669f9566fbc81.gz
Size

5KB
Sample

241016-f7bghavdpg
MD5

2be872c561b36ed6077935b39549a5d2
SHA1

5f809712be7c0aef0c83150981f5c7a266115d52
SHA256

c441c4a1730f4f007d600a25dc94f5ce892cd1c313cce3c213b669f9566fbc81
SHA512

e2782fd577062464a6bd33d85dc0768a1c52918adb5205c0f80b869bce5c10394c08a09a146a6392396d1948680ade25d59632972a14a3ba011f168ced1da63c
SSDEEP

96:0NP4qw/C4xq32sFWVvYUO8ntDCAOD2M83stEmfJbT5r1bn0/Ey+ixmsVJ8DhnH:o4qw/C4a2sFYvzjtDbOws3NrN0cy+SJ0

Score

10^/10

remcos remotehost collection discovery execution rat

Static task

static1

Behavioral task

behavioral1

Sample

KULI500796821_PO20000003.vbs

Resource

win7-20241010-en

discovery execution

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

KULI500796821_PO20000003.vbs

Resource

win10v2004-20241007-en

remcos remotehost collection discovery execution rat

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

185.174.101.218:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-TKX1UQ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  KULI500796821_PO20000003.vbs
- Size
  
  9KB
- MD5
  
  56f94f8aed310e90b5f513b1eb999c69
- SHA1
  
  95e42e5458cf0117c08de3c6bda83b699fa9be59
- SHA256
  
  a81393b534b9f803d64ca3d43f9e3b8a184a9e790ac20f2f51d347114384e7a2
- SHA512
  
  d53890af0815934fb10f4eb3e2eae13da5db60d21a9a89f2426de7bbb5ce7ed495a84a371d8c19ce9b707709b3d18f00bc637262a2d3fc7818333b508af4980e
- SSDEEP
  
  192:oiJSEy04EcieX8Qui690HKZRBijzH9Iue0LGmeHkQEvbcB1m:ouz4NHaijzH9ZNLwElDY1m
Score

10^/10

discovery execution remcos remotehost collection rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook accounts
  collection
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

remcosremotehostcollectiondiscoveryexecutionrat

© 2018-2025

Terms | Privacy