remcos

General

Target

證據_89004161-000002102-66_20241128·pdf.vbs
Size

33KB
Sample

241128-vvvf6stqbv
MD5

b87c82bba48c44f8fc387ecd6100ff0e
SHA1

2cdcb7b8b4f5a8b0501a121b6b4264aa7c6b2f57
SHA256

20100ee5a74b50849ea1a00363a6751320c9aab43ba31859f79147af1b56b509
SHA512

442d105706dcc997c39a141d7a944bbb961e8948d15caee81814f1a6d6245e46b00bf98e893c1623bd92b12b1ac440432fd26f4fd9166c5ffea8ac9a575af189
SSDEEP

768:5KSasMUqkx36r142byXNoPNhZqpCtHki2ynMVVX09rkFJC:ISas/RF6hWyPN/MbZ09oFM

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

8766e34g8.duckdns.org:3782

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-93TSMD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  證據_89004161-000002102-66_20241128·pdf.vbs
- Size
  
  33KB
- MD5
  
  b87c82bba48c44f8fc387ecd6100ff0e
- SHA1
  
  2cdcb7b8b4f5a8b0501a121b6b4264aa7c6b2f57
- SHA256
  
  20100ee5a74b50849ea1a00363a6751320c9aab43ba31859f79147af1b56b509
- SHA512
  
  442d105706dcc997c39a141d7a944bbb961e8948d15caee81814f1a6d6245e46b00bf98e893c1623bd92b12b1ac440432fd26f4fd9166c5ffea8ac9a575af189
- SSDEEP
  
  768:5KSasMUqkx36r142byXNoPNhZqpCtHki2ynMVVX09rkFJC:ISas/RF6hWyPN/MbZ09oFM
Score

10^/10

remcos remotehost discovery persistence rat collection credential_access evasion stealer trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- UAC bypass
  evasion trojan
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Blocklisted process makes network request
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Network Share Discovery
  Attempt to gather information on host network.
  discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2