remcos

General

Target

5a7a7f395371aa848157cef116e5d86bb7299c8f5859c9f25704175cce61821c
Size

672KB
Sample

241112-hq6mesxdrj
MD5

866cd07383365ef857f9367426ae6ed5
SHA1

eb964d971a519240f7661f4580180c946af0cd49
SHA256

5a7a7f395371aa848157cef116e5d86bb7299c8f5859c9f25704175cce61821c
SHA512

11b44fcc810a0bd8c64e4037dceec65b53ffb842b0bf198185e1f00a47a877cacc5fadfec1db0c7b2fd4393ee493918c8551682ec53f9eacde6acb2b103e435a
SSDEEP

12288:RowNzy8E9FxWtz28J4wGUvlYn0kbdEty1RAmjXUAEFoxBx8WtNADZZeb7EkOm:Bg9F4l28J4wGEun0DtdmjX1EForx8jf4

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

ReBorn

C2

gerfourt99lahjou2.duckdns.org:3487

gerfourt99lahjou2.duckdns.org:3488

gerfourt99lahjou3.duckdns.org:3487

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
ksaourts.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
ksajoutr-WG0CPT
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  DOCS MENEN Gebrüder Weiss.exe
- Size
  
  699KB
- MD5
  
  63d2f97a6de92084873293a617e685db
- SHA1
  
  423997f0830a1f833d7c1e6b615ac84850b298a1
- SHA256
  
  a754c8899bf9ffc378d8fe239a58b0154bd9fc7cf8b2f2fdc1b1103885a70c99
- SHA512
  
  2954eb36e39cbfa18c024dae9536d42b4f2eecf16bf3db623e0efc3f1a7ba02f9df4a1831abb4315b03b83c7497278b10f8001ea484cc31da8352f265f214743
- SSDEEP
  
  12288:E3cAEjow+kXtp28J4cGUhl+n0kbd6t21Rwm3+9rtQEFoxB50+tNADhZebeEkO/:E3cAEjow+kXf28J4cGeAn0Ttzm3EruEa
Score

10^/10

discovery remcos reborn collection credential_access persistence rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  12b140583e3273ee1f65016becea58c4
- SHA1
  
  92df24d11797fefd2e1f8d29be9dfd67c56c1ada
- SHA256
  
  014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042
- SHA512
  
  49ffdfa1941361430b6acb3555fd3aa05e4120f28cbdf7ceaa2af5937d0b8cccd84471cf63f06f97cf203b4aa20f226bdad082e9421b8e6b62ab6e1e9fc1e68a
- SSDEEP
  
  192:gFiQJ77pJp17C8F1A5xjGNxrgFOgb7lrT/nC93:E7pJp48F2exrg5F/C
Score

3^/10

discovery
behavioral3 behavioral4