Extracted

• • Target

    2bfe76169602cd81c584da62335fd8f3bd94a8693e20c9fb2f1f3dfa5cd43130

  • Size

    1016KB

  • MD5

    907f9ec00dae9c158416379d2b961bd6

  • SHA1

    40bb66f564f34037a25cd55e0a6da67abe09d7c0

  • SHA256

    2bfe76169602cd81c584da62335fd8f3bd94a8693e20c9fb2f1f3dfa5cd43130

  • SHA512

    67c95bfe6dbf36d9de67159f43a5f437ea818cec18502fac8cfc657abe5457980bf3037fcec4350487385d7a8047d7df9018cc7a93757787ee31e1b234fa4b05

  • SSDEEP

    24576:I/fiNRFxKsPwGuRWNoYPe+7injApBoQ81RzC:I/KDzlwJoyYWW8AAlRzC

  Score

  10^/10

  remcostonycollectioncredential_accessdiscoveryexecutionratspywarestealer

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos

  • Remcos family

    remcos

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Uses browser remote debugging

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook accounts

    collection

  • Suspicious use of SetThreadContext

  behavioral1behavioral2