remcos

General

Target

COTIZACIONSyCONSULTA#46789NOV24.bat.exe
Size

696KB
Sample

241113-h6m51sxdqh
MD5

9481aae46f5f383c4cf6e5b3dacd68b4
SHA1

580a6fc8fb6c6609cfcd356e9894cdb5318135ee
SHA256

857596f38c587a4a832bdd9136cc593ab7073ca3bda87b513e4e13ee31af0a32
SHA512

ecc96befec7561eb4e5320f22f48d6fb0ddf837a8ba1eee6b823a80ff81b874f8553ef83001612d31d7a3b4a441e1fed2664ed40e10c72efca8e95a0da1c0b90
SSDEEP

12288:z8bn1Tfr3YmR1j+uP30YcUbA3pPru8escoGcZhAkFN2ZTyWy0ctqhm2V7P:zun1XdRV+u/Lcj3pusccAgN2ZT1HI2VD

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

SLAVES

C2

windowslavesclient.duckdns.org:1604

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-J3MJAP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  COTIZACIONSyCONSULTA#46789NOV24.bat.exe
- Size
  
  696KB
- MD5
  
  9481aae46f5f383c4cf6e5b3dacd68b4
- SHA1
  
  580a6fc8fb6c6609cfcd356e9894cdb5318135ee
- SHA256
  
  857596f38c587a4a832bdd9136cc593ab7073ca3bda87b513e4e13ee31af0a32
- SHA512
  
  ecc96befec7561eb4e5320f22f48d6fb0ddf837a8ba1eee6b823a80ff81b874f8553ef83001612d31d7a3b4a441e1fed2664ed40e10c72efca8e95a0da1c0b90
- SSDEEP
  
  12288:z8bn1Tfr3YmR1j+uP30YcUbA3pPru8escoGcZhAkFN2ZTyWy0ctqhm2V7P:zun1XdRV+u/Lcj3pusccAgN2ZT1HI2VD
Score

10^/10

discovery execution remcos slaves collection rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Accesses Microsoft Outlook accounts
  collection
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Hypermyotonia/Selvskyldnerkautioners166.Ove
- Size
  
  54KB
- MD5
  
  dc17cbe567137cd2180d5d9008408c1b
- SHA1
  
  f6d6cb48deacb371ae5e948b614216411a957b8a
- SHA256
  
  a39ec711eead243210ca0061a2b0365b86f40b5114a4a17286960a36c668053d
- SHA512
  
  64bf594a0cee26fbdfafac1d552a7ab4dedbc566fa58d4af1c3bc22a6d11814e0511daed2cb8725b7d3c0a91765a980b2ebc4836c09fad159282db01edb64833
- SSDEEP
  
  768:Yl0M2fXsstjro7/vPAGoffMSMNg8NvcJ4b0UnCJTyOOLqOAPRJi4FQmJQKJa8TDS:Ylr+Je7XAGIHMN7c9O/0q4X7DkKc
Score

8^/10

execution persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4