remcos

General

Target

733e47fd70fea7d93b7093c5e859c0abb2e54f338c4f256791847dc3b1a5349a
Size

1.1MB
Sample

241130-at9jgstqhz
MD5

a57b7e38d1765b7f08587a7d9004894b
SHA1

d4e8d9a1de6621b4ec9a8c4fba962b7f7b53221f
SHA256

733e47fd70fea7d93b7093c5e859c0abb2e54f338c4f256791847dc3b1a5349a
SHA512

54aeec3eba54e56c26ed31107e65cda1b594b6d054823e6f10a3f1509c3943b2fad8dc4cc3cffa0df731bd312eeb1e43589b0d610dcdda628be19599a6e52f82
SSDEEP

24576:6qvk/2pbAX+MRzZeIeKK2gOSAt4hI+KXb:zvkO5AFzAN0hSAt4oXb

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

ECHE

C2

85.31.47.62:45356

127.0.0.1:45356

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-AEO8MN
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  733e47fd70fea7d93b7093c5e859c0abb2e54f338c4f256791847dc3b1a5349a
- Size
  
  1.1MB
- MD5
  
  a57b7e38d1765b7f08587a7d9004894b
- SHA1
  
  d4e8d9a1de6621b4ec9a8c4fba962b7f7b53221f
- SHA256
  
  733e47fd70fea7d93b7093c5e859c0abb2e54f338c4f256791847dc3b1a5349a
- SHA512
  
  54aeec3eba54e56c26ed31107e65cda1b594b6d054823e6f10a3f1509c3943b2fad8dc4cc3cffa0df731bd312eeb1e43589b0d610dcdda628be19599a6e52f82
- SSDEEP
  
  24576:6qvk/2pbAX+MRzZeIeKK2gOSAt4hI+KXb:zvkO5AFzAN0hSAt4oXb
Score

10^/10

discovery execution remcos eche collection credential_access rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2