remcos

General

Target

3951abe6ee77d826925100ac26070ddf26a2656b6186638e36bb5e1ca5f1499d
Size

1.1MB
Sample

241019-yw4b9ayann
MD5

2af81b68621ad1719fbb39b9868961f0
SHA1

ab72ef6237c1caf86fd2f2a8797fc2a9ca564b97
SHA256

3951abe6ee77d826925100ac26070ddf26a2656b6186638e36bb5e1ca5f1499d
SHA512

3c8312cf52b529fef1dd1dd5e5a46d0cd6d143849461d2ce9b4ad166a2a6bb8584de864b6602285bd100618c82c37c5098be25497f295626e1dbdcdd63bc8d44
SSDEEP

24576:fZ14fU7QnNJpWXLpeQahTD9e1Qw9j+rvfO+bpBdGgeUWUO:34fU7QNJ6F4gd6rfhbHdLeJ

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

slaves

C2

windowwork.duckdns.org:1985

84.38.132.104:1985

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-I19NP0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  3951abe6ee77d826925100ac26070ddf26a2656b6186638e36bb5e1ca5f1499d
- Size
  
  1.1MB
- MD5
  
  2af81b68621ad1719fbb39b9868961f0
- SHA1
  
  ab72ef6237c1caf86fd2f2a8797fc2a9ca564b97
- SHA256
  
  3951abe6ee77d826925100ac26070ddf26a2656b6186638e36bb5e1ca5f1499d
- SHA512
  
  3c8312cf52b529fef1dd1dd5e5a46d0cd6d143849461d2ce9b4ad166a2a6bb8584de864b6602285bd100618c82c37c5098be25497f295626e1dbdcdd63bc8d44
- SSDEEP
  
  24576:fZ14fU7QnNJpWXLpeQahTD9e1Qw9j+rvfO+bpBdGgeUWUO:34fU7QNJ6F4gd6rfhbHdLeJ
Score

10^/10

discovery execution remcos slaves collection rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Accesses Microsoft Outlook accounts
  collection
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Tekstkonstanten.Fin
- Size
  
  52KB
- MD5
  
  b7100b439da004e306b332532e9697f0
- SHA1
  
  923b22694140ea4707ca2b40d08d967a6ef0bd0b
- SHA256
  
  4ab525ad237617513c28f375eb23f6dba4147d348ecc00938ce63f4fb8125b94
- SHA512
  
  9c4752ea813ee232da955763462c9c6ed2df11480879ee791f2522fe26e7379142ac58088541ec7dfd0573bb33485a38e5eee699270b804d115ebdfbcd6b060c
- SSDEEP
  
  1536:u9Kg2/eZoqNY0AEmfYF10jP7bBfGy1Vg3IEY:3gQec0sgFKz7bgy+IEY
Score

8^/10

execution persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4