Extracted

• • Target

    f23d4cf3e391da8f6a154caee6ba5bf06242bc3591c0848d00546fa5706b6056.exe

  • Size

    1.1MB

  • MD5

    70a40446480a404cd51389a61910da94

  • SHA1

    607fa7d17fb197a5de8deab8beb537dc6d19dd5d

  • SHA256

    f23d4cf3e391da8f6a154caee6ba5bf06242bc3591c0848d00546fa5706b6056

  • SHA512

    77a5013512f79842f4ab7da66f7dbc07eef2715da178462c85ebf6b3d68f7d126f679f5dcd5a1490e793cb9a65d5c25474b973626838877e438b87c46ba0adb6

  • SSDEEP

    24576:XTbM8vhEjkGD+JV9SQTOk/t1nkNzE681ZWsxT:+lKJjn1tZkyRbjT

  Score

  10^/10

  remcosremotehostcollectioncredential_accessdiscoveryexecutionratspywarestealer

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos

  • Remcos family

    remcos

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Uses browser remote debugging

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook accounts

    collection

  • Suspicious use of SetThreadContext

  behavioral1behavioral2