remcos

General

Target

INTECHRFQEN241813.exe
Size

682KB
Sample

241202-r8eq4atqbl
MD5

f9848165fbabe0f8b34fb5d830b2fecc
SHA1

2c53840921153910eb84270e4e12d07e82b1451d
SHA256

a19b171658151c4a4af32dd17474a8184cc37a0d99138ae540177e15cebd9093
SHA512

6dac265560ea2e03036a7737862893695ba512d2e9084325db0f1a56ba8022bd5ce4fd98fea4c515e9536e4d41a8f8845abfee128856640e374ec5055af4837c
SSDEEP

12288:7++g+++++++++++++++++G++++++++++++++++++++K++++Ubv+++++++++++++2:7++g+++++++++++++++++G+++++++++o

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

69.61.31.229:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-EPE0FD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  INTECHRFQEN241813.exe
- Size
  
  682KB
- MD5
  
  f9848165fbabe0f8b34fb5d830b2fecc
- SHA1
  
  2c53840921153910eb84270e4e12d07e82b1451d
- SHA256
  
  a19b171658151c4a4af32dd17474a8184cc37a0d99138ae540177e15cebd9093
- SHA512
  
  6dac265560ea2e03036a7737862893695ba512d2e9084325db0f1a56ba8022bd5ce4fd98fea4c515e9536e4d41a8f8845abfee128856640e374ec5055af4837c
- SSDEEP
  
  12288:7++g+++++++++++++++++G++++++++++++++++++++K++++Ubv+++++++++++++2:7++g+++++++++++++++++G+++++++++o
Score

10^/10

discovery execution remcos remotehost collection rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Accesses Microsoft Outlook accounts
  collection
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  bodaciously.com
- Size
  
  483KB
- MD5
  
  cefd6013afc5b344f2098a8c9b22ce99
- SHA1
  
  19c213459547219500a2782bbae1bc0300059380
- SHA256
  
  9a2d3b9170e9350d0ed2190cf1d5be3cfa2f1f9f01557eea01e32dfc095ddc87
- SHA512
  
  45a3dfc074d513240da581a4bad1201e3c62746db834d2baf6d1c9c5e790bf3d897070def5d2ae89204e28d8ad3ec797eadb29aa525b1e32623e1d8af432f8cc
- SSDEEP
  
  1536:D7Onm2cYM4aJjCAp1oBndvi6AZ8i5xUqpQKCeHKuj4:D7OpU1WdNu+Ww
Score

1^/10
behavioral3 behavioral4
- Target
  
  radials.Glu
- Size
  
  52KB
- MD5
  
  48bfb2d69f3a797169c8b44b71e7bb6a
- SHA1
  
  2a3e1bb359707f2ad6325b2f8520e95945ebc6fe
- SHA256
  
  95da5b6aa5c574eda69ebc3c020ad6163faa508e9bb37dd42f9b4290adc61ef0
- SHA512
  
  688344cc79016b6678acae2a4302b945f81cf5f9abc81b9c783b2d94381d11d4c3b8d2d066452be8ea21c8312cdd3ef59d4a41d0f95496a072a071c8dadbaf1d
- SSDEEP
  
  1536:ZazzEOZZXf8+7oAvmHg2lpTccbx978aGaDm/:Az4gZvp7u7pfbf7IX/
Score

8^/10

execution persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral5 behavioral6