remcos

General

Target

RFQ448903423_MAT.exe
Size

738KB
Sample

241112-wqv3ksyarq
MD5

2e24786e3a50dddc9e8044942ed76557
SHA1

fd17c905199eaa0933fb9b78b45ca0c4e87c787c
SHA256

ccacb1863cfc340af0f45f145ac924ac57907cfadb199f8ba84c6429c43bba28
SHA512

029375abc32bfd0495334a893682a31ccfeb2251b0d5c64f99cd2b6e6ce96eb10359fbf00b598279f6d5b896ee75da0f3a092f9de610be9b9c33ee23a4a040b3
SSDEEP

12288:oyoqBI5daGf9SVr5Y91FmGe1C1scoGcZhAkFN2ZTyWy0ctqhm2V76:oyocI7aGf9mgjmPSsccAgN2ZT1HI2V76

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

Clients

C2

windowthankyou.duckdns.org:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-0OEGFQ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  RFQ448903423_MAT.exe
- Size
  
  738KB
- MD5
  
  2e24786e3a50dddc9e8044942ed76557
- SHA1
  
  fd17c905199eaa0933fb9b78b45ca0c4e87c787c
- SHA256
  
  ccacb1863cfc340af0f45f145ac924ac57907cfadb199f8ba84c6429c43bba28
- SHA512
  
  029375abc32bfd0495334a893682a31ccfeb2251b0d5c64f99cd2b6e6ce96eb10359fbf00b598279f6d5b896ee75da0f3a092f9de610be9b9c33ee23a4a040b3
- SSDEEP
  
  12288:oyoqBI5daGf9SVr5Y91FmGe1C1scoGcZhAkFN2ZTyWy0ctqhm2V76:oyocI7aGf9mgjmPSsccAgN2ZT1HI2V76
Score

10^/10

discovery execution remcos clients collection persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Jumblement.Kar
- Size
  
  50KB
- MD5
  
  5f22e57b55aa6e31d0606fa12e0ee584
- SHA1
  
  e83cf829d2d46ce8a16f117a437a32ad63c1173d
- SHA256
  
  0fd8188279b05a111878389f3fe41f48f28d27249560005ae6977b0e8fb137b2
- SHA512
  
  7c9ed6698e7e593597c92169c5ea97447b786439c09f33e26877852fae74dbdd8082c463baa3f5fefea9b3bb05014999389ec8f306e055ed5c99338fe0335900
- SSDEEP
  
  1536:FfJI40kmkpIZNOVdVbTdiU0J/qK2ROiuBhJ9L:FfJ6lkqNYs3eO//
Score

8^/10

execution persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4