Overview

overview

10

Static

static

10

10.exe

windows10-2004-x64

10

11.exe

windows10-2004-x64

10

12.exe

windows10-2004-x64

10

13.exe

windows10-2004-x64

10

14.exe

windows10-2004-x64

10

15.exe

windows10-2004-x64

10

16.exe

windows10-2004-x64

10

17.exe

windows10-2004-x64

10

18.exe

windows10-2004-x64

10

19.exe

windows10-2004-x64

10

20.exe

windows10-2004-x64

10

21.exe

windows10-2004-x64

10

22.exe

windows10-2004-x64

10

23.exe

windows10-2004-x64

10

24.exe

windows10-2004-x64

10

25.exe

windows10-2004-x64

10

26.exe

windows10-2004-x64

10

27.exe

windows10-2004-x64

10

28.exe

windows10-2004-x64

10

29.exe

windows10-2004-x64

10

30.exe

windows10-2004-x64

10

31.exe

windows10-2004-x64

10

32.exe

windows10-2004-x64

10

33.exe

windows10-2004-x64

10

6.exe

windows10-2004-x64

10

7.exe

windows10-2004-x64

10

8.exe

windows10-2004-x64

10

9.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9.zip

  • Size

    7.1MB

  • Sample

    241019-kx7jeazbrk

  • MD5

    cc0c1fc286b23351b6e0d9da08405a75

  • SHA1

    b63dfec8dea9b62880a23f1fa4467ccb6360d5b4

  • SHA256

    7e14eac3878e56172746c4ce61a41938ee6ddb571721682db462d31e8810a0c9

  • SHA512

    e6835001e40be0a799e35863c3bfc5e132f6ad8cb121106fb4ffaf2b66ec7d8f58fc058dcc06f1b3d704753e188b4b6cebfd355d8d150573fa3f98b9b739b47a

  • SSDEEP

    98304:gRC+gZwy40ywa6RYS1X/LywlxA3tCrtm1r4jXyw8Z9zdOmOwywim:8wa6RMwAotm1FwUaRwn

Score
10/10
remcosremotehostcollectiondiscoveryevasionpersistencerattrojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

core-hook.gl.at.ply.gg:7242

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    scvhost.exe

  • copy_folder

    files

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-HRUGRQ

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    scvhost

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      10.exe

    • Size

      469KB

    • MD5

      8d3385c24f556f641062412ab432323b

    • SHA1

      7913417f9d6f197ba788673f46b5b6cb378680d1

    • SHA256

      d32e2368980d47fdad421a027d48f2a661fc41cd59929d78d4669e6d583dcbc0

    • SHA512

      294bfd88d9e63bd5fe8a36b8e5802ee8cd39f8a6b08dc3b7160c247c3135f4e8f6336d43c5431d261c59bdeeb11299fd230299fffac83de6f6b443f9a92f3be0

    • SSDEEP

      12288:umnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSJn9:WiLJbpI7I2WhQqZ7J9

    Score
    10/10
    remcosremotehostdiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1

    • Target

      11.exe

    • Size

      469KB

    • MD5

      27ecf512608cb5af60fecfe1704dd92d

    • SHA1

      9c3e290eeaee2b95a3258162361e3f36e94c5f85

    • SHA256

      383d49aa25471eaca850e06e028ee6713b8b6d6353474eda2fca6bb7e979b3d7

    • SHA512

      c0f7002f0058a27fe04fc290b5578e7b417ea1830e425eb547b3f4813e1bcec1f6191dd4476ab4d5f7f4693b4ab1a3427679cb0a1bb4fd08414400e7d8b09fdc

    • SSDEEP

      12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSPn9:uiLJbpI7I2WhQqZ7P9

    Score
    10/10
    remcosremotehostdiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral2

    • Target

      12.exe

    • Size

      469KB

    • MD5

      61729e492823f29b36beaff277e18231

    • SHA1

      eeeeeaa271fe8a3b79fc3f9f51c753339526481a

    • SHA256

      00d40219c25ddb2121292d25de682239862b693e78d09a3c542f622b3aaca8e9

    • SHA512

      7809e99417fc114698d75b3bd368d19ed01df2d18db1fc367d86d7e6b1bc9a15eca7afe4fb8a0f3952465f294684f37dd50691cebb996fc1cd532bd129c69d3e

    • SSDEEP

      12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSCn9:uiLJbpI7I2WhQqZ7C9

    Score
    10/10
    remcosremotehostcollectiondiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral3

    • Target

      13.exe

    • Size

      469KB

    • MD5

      cb9d1f7b29aaab52cf61252c69578ce5

    • SHA1

      bef7b00d16ff93aa85693ac563c9391300d439c9

    • SHA256

      0d2bb41bc116b49cb24b4b19c4ea0ab07d195123e2cb341628e09f798d3b04c0

    • SHA512

      c75689d459f8f9d927be23d692d7a0f772d0b37bba1f5dba13f51b8d6f71a4b3a9c3d36640d727c5e870533e732c61948bb2610fee40d91b367f3720422a890c

    • SSDEEP

      12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSEn9:uiLJbpI7I2WhQqZ7E9

    Score
    10/10
    remcosremotehostcollectiondiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral4

    • Target

      14.exe

    • Size

      469KB

    • MD5

      0abc38d7702c97bc7cd87b30004a5c5f

    • SHA1

      0c7198c92914d0a7b92c4cbd4012b869322b5fce

    • SHA256

      4f8944279f1f8b228116ddb677128c897234b61b741c6430817079eab5d30263

    • SHA512

      3defbd77e819cdb561561a0d1d229ea6404073c06bca9fe3a4aa484028e7fbaba8a35da56154b471a98c77d56844908f1931cbbfcdea8deaf36d57c2ceab7900

    • SSDEEP

      12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSnn9:uiLJbpI7I2WhQqZ7n9

    Score
    10/10
    remcosremotehostdiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral5

    • Target

      15.exe

    • Size

      469KB

    • MD5

      b22ad7c19d9be804fa14370318c42ebb

    • SHA1

      70eb106c8df97eb8fb5fd6e7532c849624151ca3

    • SHA256

      7517b5d6b373982ef7e97b3480a7b6467c79c628f096a257732eb2a5ca2f0878

    • SHA512

      9c0467d165ed5d6db83ca6a9bbc02478ba68a20bdf4a41e021f4df7efcf334f8dc586ed8099997b5ce55a1466e155d9bececf225aa5d5093d7aae236ec6a901b

    • SSDEEP

      12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSVn9:uiLJbpI7I2WhQqZ7V9

    Score
    10/10
    remcosremotehostdiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral6

    • Target

      16.exe

    • Size

      469KB

    • MD5

      7d44c4da90227ff04873e74604d4b51b

    • SHA1

      60d4bc726400f4ddd83ddd36c9bc3882ab3eba9c

    • SHA256

      9a9adf67ee1043f43eb437e10d63505051fb56c33c741879dcbcb98c78885e76

    • SHA512

      03f2a600937a7535515f377c9a10f508061af0a1d5ec932acf85de901fcaa43c2a6b2384dbff39261b40ccd62fa57e658d96a4f85ba415eb5de93c80201d9a81

    • SSDEEP

      12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSyn9:uiLJbpI7I2WhQqZ7y9

    Score
    10/10
    remcosremotehostcollectiondiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral7

    • Target

      17.exe

    • Size

      469KB

    • MD5

      44ac1dfd7a50938d27a187cfd2d1d6f6

    • SHA1

      8b4b107f3c89e6882ece16ab4d41518131c4d57f

    • SHA256

      81fc8c39bd528cc4254d93f3f3c5757bae4a05f34cbd8a48d851b9197cbafe75

    • SHA512

      9247522fdf1f4e5d389f6068f87cb6d0205e9b16a34f21181be18003643f704a6ea222532d7186404ae628011f4674e72c598d31a4b3ae6f00e0f2d07929281e

    • SSDEEP

      12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQS/n9:uiLJbpI7I2WhQqZ7/9

    Score
    10/10
    remcosremotehostcollectiondiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral8

    • Target

      18.exe

    • Size

      469KB

    • MD5

      6d24df24ca53f7c976d8d8bccc03777a

    • SHA1

      af23e6773c088cc55d32bcc6a23b637a5d3b8ff9

    • SHA256

      d1dd4f16d4b190d9fa1310fa43168659ab3586bdaf20e89363043d99d9e2a954

    • SHA512

      9935213e36576677a7e2332be05557e56f50828779f32343ca5dec7f2f413e1c7624b33bd6340ec465d45e3f031717a988797763a6cdad1f1c9632db308cb397

    • SSDEEP

      12288:umnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSwn9:WiLJbpI7I2WhQqZ7w9

    Score
    10/10
    remcosremotehostcollectiondiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral9

    • Target

      19.exe

    • Size

      469KB

    • MD5

      acfb691b2877f1ecb639bb3e7c5e5493

    • SHA1

      d9883a6b7ff1a43f94c5de0e1a80af7d36a39e73

    • SHA256

      b81478ef251a0cb9a8d97b52f5137a41a550ffd6083c6203767f2cc5567e0cf4

    • SHA512

      af61993d8e20d9a1306ee76a330d9bb7ea0f21adb258dfc987647649fc4ad514b0bb48a12b85a56975c2e30f55994b2544375978f60f2894958e1c04bce0fadd

    • SSDEEP

      12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSLn9:uiLJbpI7I2WhQqZ7L9

    Score
    10/10
    remcosremotehostdiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral10

    • Target

      20.exe

    • Size

      469KB

    • MD5

      da31b3ac7c6dbdc7cff96b4a1e3184b6

    • SHA1

      4dc91cbb417c7ede59aef8cd7b160b0e1859a8ef

    • SHA256

      f5087001c6a93bb8ee4871dab150715e4e5050ea6b4b39e201d9944f598a4549

    • SHA512

      3364db57258bc63da9eea0d1592f387935eae74d69fb0d8f278868484e60af36ab5535d292ec492311119e20df0a1515d879444781ed96148fca26284a595d93

    • SSDEEP

      12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQS7n9:uiLJbpI7I2WhQqZ779

    Score
    10/10
    remcosremotehostcollectiondiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral11

    • Target

      21.exe

    • Size

      469KB

    • MD5

      3e956e574416f454cba5992573dc600d

    • SHA1

      5a23a20fb4c640cf7b1746ac7db8d0b3409ebad7

    • SHA256

      6fb3044131ebdfa041cc6ef722d69e202c610d3211f7c95dcb4ce9c868086ef9

    • SHA512

      9fb611246356b3261f3b2352cda2b4892842a6ecd2b6c7ad11f1c3d5e0523af3251823ce7c79cdddcf463b594040eb34025e99d2b4b01dcfcef6fa17d9ff61d5

    • SSDEEP

      12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSHn9:uiLJbpI7I2WhQqZ7H9

    Score
    10/10
    remcosremotehostdiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral12

    • Target

      22.exe

    • Size

      469KB

    • MD5

      ea99efb202c5625280d0d4140c2cdeee

    • SHA1

      5cf3bb2872c7c46725e9e236f8bead59a8786a55

    • SHA256

      6823bc23bae3dcceee8b122d5ab49c71adc32f5f8cbfaddd0f6e361dd5be17f3

    • SHA512

      bde3e441ff858872069d236a292313883ca3698e49b821af2a805b82e1e861ac9af5235d61db795fe47b5b97e11a687ef5fa8cdd8dc709ba63f6e595cf265537

    • SSDEEP

      12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSKn9:uiLJbpI7I2WhQqZ7K9

    Score
    10/10
    remcosremotehostdiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral13

    • Target

      23.exe

    • Size

      469KB

    • MD5

      68b1b3afe4f835f0152104fae7fc9af4

    • SHA1

      138e8548a38eaec24aec240daabe1ffef291bb23

    • SHA256

      4249998dd18957a8b104d1cb108271df9be27c745089c60a302445a659d68f9b

    • SHA512

      0dbbedbdd7944ca537121d58057249086b609a08af12c7ad26eb4b71b00e35cf7e243179c6cafe1c32b7ba550b4d82551fc97b2587823ef602cdc5de4f065ea3

    • SSDEEP

      12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSFn9:uiLJbpI7I2WhQqZ7F9

    Score
    10/10
    remcosremotehostdiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral14

    • Target

      24.exe

    • Size

      469KB

    • MD5

      936f01333e0ff8de6f821e69901b815c

    • SHA1

      e7b64d55bebfff003b7b0c5ecfd5c301b676fbee

    • SHA256

      b47c6fece1bae3a1310a5c676b2c361b98fb6f8639354d7e606138ab3f7f6a84

    • SHA512

      fddb4f6c7f91717a32469ea2b6832390266bb99418ea1c28d87f3511a44ad1a92c4badc9c3e30368f665cbc519bc71cd27f5871e0c3ab8d30d39695c5cb925d0

    • SSDEEP

      12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSwn9:uiLJbpI7I2WhQqZ7w9

    Score
    10/10
    remcosremotehostcollectiondiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral15

    • Target

      25.exe

    • Size

      469KB

    • MD5

      481d7c33a69366bd777a031b9b91a801

    • SHA1

      1f0d466674b4e61a056c5e1c42eeeb24ab38c3e2

    • SHA256

      6bd339cbfca8e0d4b4479448484e49cc5c2aa5dce974df976b920e5dff3b621c

    • SHA512

      d36fb6ba206dbbcae5fcad10b5f0bf85dda95d6bf8aa70696442d480825e57911e096d1e4ca22e1e30d3fcd5c76661770260112ea97a8c11755601c6bcbcf9b3

    • SSDEEP

      12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSZxn9:uiLJbpI7I2WhQqZ7Zx9

    Score
    10/10
    remcosremotehostcollectiondiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral16

    • Target

      26.exe

    • Size

      469KB

    • MD5

      28d56fab1b3efb0f011a19c444a60294

    • SHA1

      d524d638b117474626167843da381a2fac9c7e82

    • SHA256

      2175aac70ddcf1fd3cb0754dd7d4f4489603775542fcee3e34d129097f106d4e

    • SHA512

      e814be8e5b5ffb97112f911ff2bb4d4e02e5b041071c429a5880cb926c864abd8dd3beffa362f6f3e02aab7a8f4a400c1981c529b2a1ce892445e81f9cc34079

    • SSDEEP

      12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSGn9:uiLJbpI7I2WhQqZ7G9

    Score
    10/10
    remcosremotehostcollectiondiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral17

    • Target

      27.exe

    • Size

      469KB

    • MD5

      50762a7fb96e6cc6d9d7dac5e72b0420

    • SHA1

      c25ad257cc7e811df3631b2513d2c4d99841178e

    • SHA256

      3f3da8c743e76ab61e561a0e11f7da247efa0ec3794ade5104b9a8e075959469

    • SHA512

      2465ba858f4690cccab322f67c89f0bc3bc34697c4b3c9d51ffa35218db61a6ddb29c4faa04213d40e25c01a86671d4b1bafca40198d96d8d8a36c6c72e60152

    • SSDEEP

      12288:Omnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSSn9:2iLJbpI7I2WhQqZ7S9

    Score
    10/10
    remcosremotehostdiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral18

    • Target

      28.exe

    • Size

      469KB

    • MD5

      48f6ed471a143ec2828abef5f829feef

    • SHA1

      555b7dacda983ff37e1c91f5cb1fe9e73509df12

    • SHA256

      d872ee79caa9d8507f59c0d5470119b0b55d4d7ddb9bb58b9ac149fe83ee1b4e

    • SHA512

      0dc46dc03db985377044f0c010437092cd9bff02eb7d6b889c9bbe2e860c9374f1f1d13c1f05e178c0a5842e0cc356817e5e852ecc5ba23087c9ad96f9beb65f

    • SSDEEP

      12288:Omnk7iLJbpIpiRL6I2WhSKQ9ZsfZQS5n9:2iLJbpI7I2WhQqZ759

    Score
    10/10
    remcosremotehostcollectiondiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral19

    • Target

      29.exe

    • Size

      469KB

    • MD5

      005e189f952f414b57eb0b5dc2af0972

    • SHA1

      eacffecece329fe6fcc1d27901b162eafc53ead4

    • SHA256

      7a44e3ba02c24ae328d039071c736662b0739e15046c4dec11f4ad575e71b657

    • SHA512

      50b414a5649c1b619ecc104abc83fd3f4f115c01642166b375427855852608f4f89a0ebe97ddb8a1e6e6d24cf5edab6dd9744d28f664dfc6ff8db144eb8aaf55

    • SSDEEP

      12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQS/n9:uiLJbpI7I2WhQqZ7/9

    Score
    10/10
    remcosremotehostcollectiondiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral20

    • Target

      30.exe

    • Size

      469KB

    • MD5

      5d2b4474b0e1afd17f12ab2441897c2d

    • SHA1

      89d743eeef1e61dfdd24a285216d0272e4c02392

    • SHA256

      998d74008e3c7797d5d810e53582b8a60ed9866b9502ee35353d13ff69538e4e

    • SHA512

      18c9d687792942566acd3865a6ba3d21c2ae3367fc418ba1f048a7efbee6f524797c7502f11930f9a568d0e1bde5806fe92b4d53448e2e605d837be16c7e4040

    • SSDEEP

      12288:umnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSVn9:WiLJbpI7I2WhQqZ7V9

    Score
    10/10
    remcosremotehostcollectiondiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral21

    • Target

      31.exe

    • Size

      469KB

    • MD5

      0dbd59bfbd65fda77ff08a46cdbc9964

    • SHA1

      a9de7ff8a35204bb79b00c14423f0c3f2190d02d

    • SHA256

      4d8258f71590e8685588085b5aff998ed23c1663a55f25a655c8853dd7b78854

    • SHA512

      8476b4f6c399f2c7505b0935e74cb69f1905f0ca6f237cb2e3c084782949feb04e3431cad4ff8babef70689c170180c43deeada00eaf95d718cef55a52fbcaa5

    • SSDEEP

      12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQS1n9:uiLJbpI7I2WhQqZ719

    Score
    10/10
    remcosremotehostdiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral22

    • Target

      32.exe

    • Size

      469KB

    • MD5

      8e51611964d22c5d098f85e52baf9b71

    • SHA1

      968ea8beef406c4f0c840d93860ce390c582c378

    • SHA256

      3c76e410631be8376d85efe19bd036356409aa3c41b36a84b600d9bdcf343b7a

    • SHA512

      c9fe89f4789cc9e2a69f0051046757f76bb285fd32ff1494fa99069e29da02ad2d2252550237f3e60da04cd2534c39019d0ccb39b2ec8a2e443026a7fa50a98d

    • SSDEEP

      12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQS+n9:uiLJbpI7I2WhQqZ7+9

    Score
    10/10
    remcosremotehostcollectiondiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral23

    • Target

      33.exe

    • Size

      469KB

    • MD5

      365863c1cd115fab7c9caeb03deb89ff

    • SHA1

      6314e754bccf84003d96eb0132ef36e7debbc8a0

    • SHA256

      1b09cf4f25c56df8847d7a48809e05e242be4a2d597df572727ecd92dc851463

    • SHA512

      69b5724b01867f75c30913beccc0ab09ababc0d71da1a9594650593568c69af5b1206fd35ec67d2dd9f7b68b3edd74e56ba32d8f4060b68cc6fdd8dddcf08320

    • SSDEEP

      12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSnn9:uiLJbpI7I2WhQqZ7n9

    Score
    10/10
    remcosremotehostcollectiondiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral24

    • Target

      6.exe

    • Size

      469KB

    • MD5

      ed46a60b3ab3ed2f7e4946b886645683

    • SHA1

      1bb3f72adea15112e88bf9b128ffab9ad0c7565c

    • SHA256

      bf35f65283daead9ce829b894c0323e1e25a53f4d7728bd92c98c868b721c084

    • SHA512

      6fd98800f1cad2c71f201c78ab0d9145aeb7c79ba1b424495e19dcd53638497768aa126c7b06e2cd95f380066995b1cef3c858e1257b3a6c997f0c160e09ebd3

    • SSDEEP

      12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSDn9:uiLJbpI7I2WhQqZ7D9

    Score
    10/10
    remcosremotehostdiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral25

    • Target

      7.exe

    • Size

      469KB

    • MD5

      dc8e165fdff950b379ce9705d4690b5f

    • SHA1

      1457cd39b3698f41707e11834140394f8b5963d4

    • SHA256

      b6fcfdfd823157dae98956ac4ab36ea36b723b572c792b54433285875aa6b57c

    • SHA512

      4b8dd39e8d1029a7a848ffa48340e87f6a404d18868a87c03a0baefc863818eb2d5b2c89483afd1acfd1a2960409aadf032cefafc0a9931a2ae45319debd4a36

    • SSDEEP

      12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQS1n9:uiLJbpI7I2WhQqZ719

    Score
    10/10
    remcosremotehostcollectiondiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral26

    • Target

      8.exe

    • Size

      469KB

    • MD5

      334591959537b089b4d7df4f475d7cfb

    • SHA1

      195a47356865bcfe3ef914d54d8b8c289e1ad5b1

    • SHA256

      545f62dc616ea43135a5addcb0236bc35283cb7779a6d1c255869f916ddfe55e

    • SHA512

      ff04a03c72943c84485a1610dec40d8161252b1bdea795bbf87e0e9f8032e2bd09f5b3e897c0f93447c875dd6d5ad08cb53d348a08352a592ce05dca363b99f8

    • SSDEEP

      12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSXn9:uiLJbpI7I2WhQqZ7X9

    Score
    10/10
    remcosremotehostdiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral27

    • Target

      9.exe

    • Size

      469KB

    • MD5

      29f5cb0a23bce81dd8b3c66047e37cd5

    • SHA1

      4c7a62171bddca7a8605a28f3d611bb77903907c

    • SHA256

      25871f62c403fe5f615c5f04412d0f6d2c60e171d30d16299d3882c7cf87934e

    • SHA512

      ff576dda3d1ec656a5e4796cccfbb08181f2d67665e96c50aa095f1cedf7c337ad07ebfd96a7c70a8d2dfe01728ca235c80cd6c717ad48f9a627d56251edd61f

    • SSDEEP

      12288:umnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSen9:WiLJbpI7I2WhQqZ7e9

    Score
    10/10
    remcosremotehostcollectiondiscoveryevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral28

MITRE ATT&CK Enterprise v15

Tasks

static1

remotehostremcos
Score
10/10

behavioral1

remcosremotehostdiscoveryevasionpersistencerattrojan
Score
10/10

behavioral2

remcosremotehostdiscoveryevasionpersistencerattrojan
Score
10/10

behavioral3

remcosremotehostcollectiondiscoveryevasionpersistencerattrojan
Score
10/10

behavioral4

remcosremotehostcollectiondiscoveryevasionpersistencerattrojan
Score
10/10

behavioral5

remcosremotehostdiscoveryevasionpersistencerattrojan
Score
10/10

behavioral6

remcosremotehostdiscoveryevasionpersistencerattrojan
Score
10/10

behavioral7

remcosremotehostcollectiondiscoveryevasionpersistencerattrojan
Score
10/10

behavioral8

remcosremotehostcollectiondiscoveryevasionpersistencerattrojan
Score
10/10

behavioral9

remcosremotehostcollectiondiscoveryevasionpersistencerattrojan
Score
10/10

behavioral10

remcosremotehostdiscoveryevasionpersistencerattrojan
Score
10/10

behavioral11

remcosremotehostcollectiondiscoveryevasionpersistencerattrojan
Score
10/10

behavioral12

remcosremotehostdiscoveryevasionpersistencerattrojan
Score
10/10

behavioral13

remcosremotehostdiscoveryevasionpersistencerattrojan
Score
10/10

behavioral14

remcosremotehostdiscoveryevasionpersistencerattrojan
Score
10/10

behavioral15

remcosremotehostcollectiondiscoveryevasionpersistencerattrojan
Score
10/10

behavioral16

remcosremotehostcollectiondiscoveryevasionpersistencerattrojan
Score
10/10

behavioral17

remcosremotehostcollectiondiscoveryevasionpersistencerattrojan
Score
10/10

behavioral18

remcosremotehostdiscoveryevasionpersistencerattrojan
Score
10/10

behavioral19

remcosremotehostcollectiondiscoveryevasionpersistencerattrojan
Score
10/10

behavioral20

remcosremotehostcollectiondiscoveryevasionpersistencerattrojan
Score
10/10

behavioral21

remcosremotehostcollectiondiscoveryevasionpersistencerattrojan
Score
10/10

behavioral22

remcosremotehostdiscoveryevasionpersistencerattrojan
Score
10/10

behavioral23

remcosremotehostcollectiondiscoveryevasionpersistencerattrojan
Score
10/10

behavioral24

remcosremotehostcollectiondiscoveryevasionpersistencerattrojan
Score
10/10

behavioral25

remcosremotehostdiscoveryevasionpersistencerattrojan
Score
10/10

behavioral26

remcosremotehostcollectiondiscoveryevasionpersistencerattrojan
Score
10/10

behavioral27

remcosremotehostdiscoveryevasionpersistencerattrojan
Score
10/10

behavioral28

remcosremotehostcollectiondiscoveryevasionpersistencerattrojan
Score
10/10