Overview
Static: 10
General (10)
Target: 9.zip
Size: 7.1MB
Sample: 241019-k1ac3szcpq
MD5: cc0c1fc286b23351b6e0d9da08405a75
SHA1: b63dfec8dea9b62880a23f1fa4467ccb6360d5b4
SHA256: 7e14eac3878e56172746c4ce61a41938ee6ddb571721682db462d31e8810a0c9
SHA512: e6835001e40be0a799e35863c3bfc5e132f6ad8cb121106fb4ffaf2b66ec7d8f58fc058dcc06f1b3d704753e188b4b6cebfd355d8d150573fa3f98b9b739b47a
SSDEEP: 98304:gRC+gZwy40ywa6RYS1X/LywlxA3tCrtm1r4jXyw8Z9zdOmOwywim:8wa6RMwAotm1FwUaRwn
Behavioral tasks
behavioral1: sample 10.exe, resource win7-20240708-en
behavioral2: sample 10.exe, resource win10v2004-20241007-en
behavioral3: sample 11.exe, resource win7-20240708-en
behavioral4: sample 11.exe, resource win10v2004-20241007-en
behavioral5: sample 12.exe, resource win7-20240708-en
behavioral6: sample 12.exe, resource win10v2004-20241007-en
behavioral7: sample 13.exe, resource win7-20240903-en
behavioral8: sample 13.exe, resource win10v2004-20241007-en
behavioral9: sample 14.exe, resource win7-20240903-en
behavioral10: sample 14.exe, resource win10v2004-20241007-en
behavioral11: sample 15.exe, resource win7-20240903-en
behavioral12: sample 15.exe, resource win10v2004-20241007-en
behavioral13: sample 16.exe, resource win7-20240903-en
behavioral14: sample 16.exe, resource win10v2004-20241007-en
behavioral15: sample 17.exe, resource win7-20240903-en
behavioral16: sample 17.exe, resource win10v2004-20241007-en
behavioral17: sample 18.exe, resource win7-20241010-en
behavioral18: sample 18.exe, resource win10v2004-20241007-en
behavioral19: sample 19.exe, resource win7-20240729-en
behavioral20: sample 19.exe, resource win10v2004-20241007-en
behavioral21: sample 20.exe, resource win7-20241010-en
behavioral22: sample 20.exe, resource win10v2004-20241007-en
behavioral23: sample 21.exe, resource win7-20240903-en
behavioral24: sample 21.exe, resource win10v2004-20241007-en
behavioral25: sample 22.exe, resource win7-20240903-en
behavioral26: sample 22.exe, resource win10v2004-20241007-en
behavioral27: sample 23.exe, resource win7-20240903-en
behavioral28: sample 23.exe, resource win10v2004-20241007-en
behavioral29: sample 24.exe, resource win7-20240903-en
behavioral30: sample 24.exe, resource win10v2004-20241007-en
behavioral31: sample 25.exe, resource win7-20241010-en
behavioral32: sample 25.exe, resource win10v2004-20241007-en
Malware Config
Extracted: remcos
RemoteHost: core-hook.gl.at.ply.gg:7242
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: scvhost.exe
copy_folder: files
delete_file: true
hide_file: true
hide_keylog_file: false
install_flag: true
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-HRUGRQ
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: scvhost
take_screenshot_option: false
take_screenshot_time: 5
Targets

Target: 10.exe
Size: 469KB
MD5: 8d3385c24f556f641062412ab432323b
SHA1: 7913417f9d6f197ba788673f46b5b6cb378680d1
SHA256: d32e2368980d47fdad421a027d48f2a661fc41cd59929d78d4669e6d583dcbc0
SHA512: 294bfd88d9e63bd5fe8a36b8e5802ee8cd39f8a6b08dc3b7160c247c3135f4e8f6336d43c5431d261c59bdeeb11299fd230299fffac83de6f6b443f9a92f3be0
SSDEEP: 12288:umnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSJn9:WiLJbpI7I2WhQqZ7J9
- Detected Nirsoft tools: Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Adds policy Run key to start application
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Suspicious use of SetThreadContext
Target: 11.exe
Size: 469KB
MD5: 27ecf512608cb5af60fecfe1704dd92d
SHA1: 9c3e290eeaee2b95a3258162361e3f36e94c5f85
SHA256: 383d49aa25471eaca850e06e028ee6713b8b6d6353474eda2fca6bb7e979b3d7
SHA512: c0f7002f0058a27fe04fc290b5578e7b417ea1830e425eb547b3f4813e1bcec1f6191dd4476ab4d5f7f4693b4ab1a3427679cb0a1bb4fd08414400e7d8b09fdc
SSDEEP: 12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSPn9:uiLJbpI7I2WhQqZ7P9
- Detected Nirsoft tools: Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Adds policy Run key to start application
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Suspicious use of SetThreadContext
Target: 12.exe
Size: 469KB
MD5: 61729e492823f29b36beaff277e18231
SHA1: eeeeeaa271fe8a3b79fc3f9f51c753339526481a
SHA256: 00d40219c25ddb2121292d25de682239862b693e78d09a3c542f622b3aaca8e9
SHA512: 7809e99417fc114698d75b3bd368d19ed01df2d18db1fc367d86d7e6b1bc9a15eca7afe4fb8a0f3952465f294684f37dd50691cebb996fc1cd532bd129c69d3e
SSDEEP: 12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSCn9:uiLJbpI7I2WhQqZ7C9
- Detected Nirsoft tools: Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Adds policy Run key to start application
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Suspicious use of SetThreadContext
Target: 13.exe
Size: 469KB
MD5: cb9d1f7b29aaab52cf61252c69578ce5
SHA1: bef7b00d16ff93aa85693ac563c9391300d439c9
SHA256: 0d2bb41bc116b49cb24b4b19c4ea0ab07d195123e2cb341628e09f798d3b04c0
SHA512: c75689d459f8f9d927be23d692d7a0f772d0b37bba1f5dba13f51b8d6f71a4b3a9c3d36640d727c5e870533e732c61948bb2610fee40d91b367f3720422a890c
SSDEEP: 12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSEn9:uiLJbpI7I2WhQqZ7E9
- Detected Nirsoft tools: Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Adds policy Run key to start application
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Suspicious use of SetThreadContext
Target: 14.exe
Size: 469KB
MD5: 0abc38d7702c97bc7cd87b30004a5c5f
SHA1: 0c7198c92914d0a7b92c4cbd4012b869322b5fce
SHA256: 4f8944279f1f8b228116ddb677128c897234b61b741c6430817079eab5d30263
SHA512: 3defbd77e819cdb561561a0d1d229ea6404073c06bca9fe3a4aa484028e7fbaba8a35da56154b471a98c77d56844908f1931cbbfcdea8deaf36d57c2ceab7900
SSDEEP: 12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSnn9:uiLJbpI7I2WhQqZ7n9
- Detected Nirsoft tools: Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Adds policy Run key to start application
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Suspicious use of SetThreadContext
Target: 15.exe
Size: 469KB
MD5: b22ad7c19d9be804fa14370318c42ebb
SHA1: 70eb106c8df97eb8fb5fd6e7532c849624151ca3
SHA256: 7517b5d6b373982ef7e97b3480a7b6467c79c628f096a257732eb2a5ca2f0878
SHA512: 9c0467d165ed5d6db83ca6a9bbc02478ba68a20bdf4a41e021f4df7efcf334f8dc586ed8099997b5ce55a1466e155d9bececf225aa5d5093d7aae236ec6a901b
SSDEEP: 12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSVn9:uiLJbpI7I2WhQqZ7V9
- Detected Nirsoft tools: Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Adds policy Run key to start application
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Suspicious use of SetThreadContext
Target: 16.exe
Size: 469KB
MD5: 7d44c4da90227ff04873e74604d4b51b
SHA1: 60d4bc726400f4ddd83ddd36c9bc3882ab3eba9c
SHA256: 9a9adf67ee1043f43eb437e10d63505051fb56c33c741879dcbcb98c78885e76
SHA512: 03f2a600937a7535515f377c9a10f508061af0a1d5ec932acf85de901fcaa43c2a6b2384dbff39261b40ccd62fa57e658d96a4f85ba415eb5de93c80201d9a81
SSDEEP: 12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSyn9:uiLJbpI7I2WhQqZ7y9
- Detected Nirsoft tools: Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Adds policy Run key to start application
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Suspicious use of SetThreadContext
Target: 17.exe
Size: 469KB
MD5: 44ac1dfd7a50938d27a187cfd2d1d6f6
SHA1: 8b4b107f3c89e6882ece16ab4d41518131c4d57f
SHA256: 81fc8c39bd528cc4254d93f3f3c5757bae4a05f34cbd8a48d851b9197cbafe75
SHA512: 9247522fdf1f4e5d389f6068f87cb6d0205e9b16a34f21181be18003643f704a6ea222532d7186404ae628011f4674e72c598d31a4b3ae6f00e0f2d07929281e
SSDEEP: 12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQS/n9:uiLJbpI7I2WhQqZ7/9
- Detected Nirsoft tools: Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Adds policy Run key to start application
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Suspicious use of SetThreadContext
Target: 18.exe
Size: 469KB
MD5: 6d24df24ca53f7c976d8d8bccc03777a
SHA1: af23e6773c088cc55d32bcc6a23b637a5d3b8ff9
SHA256: d1dd4f16d4b190d9fa1310fa43168659ab3586bdaf20e89363043d99d9e2a954
SHA512: 9935213e36576677a7e2332be05557e56f50828779f32343ca5dec7f2f413e1c7624b33bd6340ec465d45e3f031717a988797763a6cdad1f1c9632db308cb397
SSDEEP: 12288:umnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSwn9:WiLJbpI7I2WhQqZ7w9
- Detected Nirsoft tools: Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Adds policy Run key to start application
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Suspicious use of SetThreadContext
Target: 19.exe
Size: 469KB
MD5: acfb691b2877f1ecb639bb3e7c5e5493
SHA1: d9883a6b7ff1a43f94c5de0e1a80af7d36a39e73
SHA256: b81478ef251a0cb9a8d97b52f5137a41a550ffd6083c6203767f2cc5567e0cf4
SHA512: af61993d8e20d9a1306ee76a330d9bb7ea0f21adb258dfc987647649fc4ad514b0bb48a12b85a56975c2e30f55994b2544375978f60f2894958e1c04bce0fadd
SSDEEP: 12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSLn9:uiLJbpI7I2WhQqZ7L9
- Detected Nirsoft tools: Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Adds policy Run key to start application
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Suspicious use of SetThreadContext
Target: 20.exe
Size: 469KB
MD5: da31b3ac7c6dbdc7cff96b4a1e3184b6
SHA1: 4dc91cbb417c7ede59aef8cd7b160b0e1859a8ef
SHA256: f5087001c6a93bb8ee4871dab150715e4e5050ea6b4b39e201d9944f598a4549
SHA512: 3364db57258bc63da9eea0d1592f387935eae74d69fb0d8f278868484e60af36ab5535d292ec492311119e20df0a1515d879444781ed96148fca26284a595d93
SSDEEP: 12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQS7n9:uiLJbpI7I2WhQqZ779
- Detected Nirsoft tools: Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Adds policy Run key to start application
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Suspicious use of SetThreadContext
Target: 21.exe
Size: 469KB
MD5: 3e956e574416f454cba5992573dc600d
SHA1: 5a23a20fb4c640cf7b1746ac7db8d0b3409ebad7
SHA256: 6fb3044131ebdfa041cc6ef722d69e202c610d3211f7c95dcb4ce9c868086ef9
SHA512: 9fb611246356b3261f3b2352cda2b4892842a6ecd2b6c7ad11f1c3d5e0523af3251823ce7c79cdddcf463b594040eb34025e99d2b4b01dcfcef6fa17d9ff61d5
SSDEEP: 12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSHn9:uiLJbpI7I2WhQqZ7H9
- Adds policy Run key to start application
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
Target: 22.exe
Size: 469KB
MD5: ea99efb202c5625280d0d4140c2cdeee
SHA1: 5cf3bb2872c7c46725e9e236f8bead59a8786a55
SHA256: 6823bc23bae3dcceee8b122d5ab49c71adc32f5f8cbfaddd0f6e361dd5be17f3
SHA512: bde3e441ff858872069d236a292313883ca3698e49b821af2a805b82e1e861ac9af5235d61db795fe47b5b97e11a687ef5fa8cdd8dc709ba63f6e595cf265537
SSDEEP: 12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSKn9:uiLJbpI7I2WhQqZ7K9
- Detected Nirsoft tools: Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Adds policy Run key to start application
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Suspicious use of SetThreadContext
Target: 23.exe
Size: 469KB
MD5: 68b1b3afe4f835f0152104fae7fc9af4
SHA1: 138e8548a38eaec24aec240daabe1ffef291bb23
SHA256: 4249998dd18957a8b104d1cb108271df9be27c745089c60a302445a659d68f9b
SHA512: 0dbbedbdd7944ca537121d58057249086b609a08af12c7ad26eb4b71b00e35cf7e243179c6cafe1c32b7ba550b4d82551fc97b2587823ef602cdc5de4f065ea3
SSDEEP: 12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSFn9:uiLJbpI7I2WhQqZ7F9
- Detected Nirsoft tools: Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Adds policy Run key to start application
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Program crash
- Suspicious use of SetThreadContext
Target: 24.exe
Size: 469KB
MD5: 936f01333e0ff8de6f821e69901b815c
SHA1: e7b64d55bebfff003b7b0c5ecfd5c301b676fbee
SHA256: b47c6fece1bae3a1310a5c676b2c361b98fb6f8639354d7e606138ab3f7f6a84
SHA512: fddb4f6c7f91717a32469ea2b6832390266bb99418ea1c28d87f3511a44ad1a92c4badc9c3e30368f665cbc519bc71cd27f5871e0c3ab8d30d39695c5cb925d0
SSDEEP: 12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSwn9:uiLJbpI7I2WhQqZ7w9
- Detected Nirsoft tools: Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Adds policy Run key to start application
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Suspicious use of SetThreadContext
Target: 25.exe
Size: 469KB
MD5: 481d7c33a69366bd777a031b9b91a801
SHA1: 1f0d466674b4e61a056c5e1c42eeeb24ab38c3e2
SHA256: 6bd339cbfca8e0d4b4479448484e49cc5c2aa5dce974df976b920e5dff3b621c
SHA512: d36fb6ba206dbbcae5fcad10b5f0bf85dda95d6bf8aa70696442d480825e57911e096d1e4ca22e1e30d3fcd5c76661770260112ea97a8c11755601c6bcbcf9b3
SSDEEP: 12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSZxn9:uiLJbpI7I2WhQqZ7Zx9
- Detected Nirsoft tools: Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Adds policy Run key to start application
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (5)