remcos | e3002686e84595d78c1fffef1f503e4adf4b5cd82ce43a439e6b58c3d8cefb09 | Triage

Submit
Reports

Overview

overview

Static

static

1

Payment Ad...df.exe

windows7-x64

Payment Ad...df.exe

windows10-2004-x64

Sharing

General

Target

e3002686e84595d78c1fffef1f503e4adf4b5cd82ce43a439e6b58c3d8cefb09
Size

903KB
Sample

241121-lgr98azhjc
MD5

eddbb1a71598188894a8f81e37bda0d8
SHA1

25ac1a603974c1f4071ea1e05906fdf6e91018a5
SHA256

e3002686e84595d78c1fffef1f503e4adf4b5cd82ce43a439e6b58c3d8cefb09
SHA512

5e2386197e4b073f43f805a827c71fb52bb514102472ea219f349fb827d37a6cbc6179bf5a0e0cdd9e9656232f6b25ce2ae355224fa9f4a420d793e070b11b81
SSDEEP

24576:fPyk7le/GVpfsLU/9Fl5e8UYD3tgbo9ES4jKOn:fPyOo/GV1jFL1tjz4jR

Score

10^/10

remcos remotehost collection discovery execution rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

Payment Advice_Chase Bank.pdf.exe

Resource

win7-20241023-en

remcos remotehost collection discovery execution rat spyware stealer

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

Payment Advice_Chase Bank.pdf.exe

Resource

win10v2004-20241007-en

remcos remotehost discovery execution rat

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

204.10.160.239:9682

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-6D4L9S
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Payment Advice_Chase Bank.pdf.bat
- Size
  
  997KB
- MD5
  
  e9abe92824035cd098547ef4e5b55b66
- SHA1
  
  627f264d13e0e0b7bdc3fccde16e1ef295605bce
- SHA256
  
  b068030645860377782553a0afc3375824b11c827120888c3792b794de864232
- SHA512
  
  ec1229a55357071954f1f935515d0a2b0b260d2be1c33a37e22b1ba0f962dd99d65d5a5b1f5b3c3fcbccb6757bd668ad1567b9b6cc05388871ebd268024490f0
- SSDEEP
  
  12288:253wtfRzxWWoG2eNY27HpUe/dhWIp6JVbTp4vfpAtk5FabwLYGwD3Mcg34La+FYK:25MpzxWJRar/dkIIVbTpst2wT68j34Go
Score

10^/10

remcos remotehost collection discovery execution rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostcollectiondiscoveryexecutionratspywarestealer

behavioral2

remcosremotehostdiscoveryexecutionrat

© 2018-2024

Terms | Privacy