remcos

General

Target

11309-電信費電子通知單·pdf.vbs
Size

33KB
Sample

241129-k5la5sxkes
MD5

8f747ba4e105ce33a0231ed1eba4d216
SHA1

dd82148b15070781c7412c5abcbb93e727085936
SHA256

26ad41ff15319981a72e1a8e681c3c74fb011583eda81619f4cdf531cf5e221a
SHA512

ea03c366ee9f3e9fcff7afbbb52d41863a582e91c37694d5d37a07025c66966f0f487e4458c3a2aff8ee96bc1e5b6184fd3a4030b61589d1cc74b9c07be6c079
SSDEEP

768:ccuasC3UUmhgcFxKp70GNXaNDkJhZkPkqGM1ZVV1cCirNpVW4:VuasOmGS87NK9kJ/GpBPzcCiz

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

8766e34g8.duckdns.org:3782

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-93TSMD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  11309-電信費電子通知單·pdf.vbs
- Size
  
  33KB
- MD5
  
  8f747ba4e105ce33a0231ed1eba4d216
- SHA1
  
  dd82148b15070781c7412c5abcbb93e727085936
- SHA256
  
  26ad41ff15319981a72e1a8e681c3c74fb011583eda81619f4cdf531cf5e221a
- SHA512
  
  ea03c366ee9f3e9fcff7afbbb52d41863a582e91c37694d5d37a07025c66966f0f487e4458c3a2aff8ee96bc1e5b6184fd3a4030b61589d1cc74b9c07be6c079
- SSDEEP
  
  768:ccuasC3UUmhgcFxKp70GNXaNDkJhZkPkqGM1ZVV1cCirNpVW4:VuasOmGS87NK9kJ/GpBPzcCiz
Score

10^/10

remcos remotehost discovery persistence rat collection credential_access evasion stealer trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- UAC bypass
  evasion trojan
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Blocklisted process makes network request
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2