remcos

General

Target

VID-202501190942.uue
Size

1.2MB
Sample

250120-sdsvxavmcv
MD5

a9bb0a60f69ff02255013724f3a53af7
SHA1

1f66252a7400d1f190050cf1ece582a837a5ed7c
SHA256

2afce120f76ed24a41e04c899f841893e821fcd33120e60988fb19d20c09f14c
SHA512

a339de76e8aee0e9e05749cc3e4738c7db117989efd1c16f3424573d7198f29be7e8027501c4ca0b7765d9fa518df33f47d62b75c2dffaf344ea0f178eb41d24
SSDEEP

24576:1UbKuzZaiyIMlrpug0YcJ/j8obJ/sfN3e1+zoUbKuzZaiyIMlrpug0YcJ/j8obJe:1Uzz/gl1VwXF/sf1eMsUzz/gl1VwXF/2

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

16465-Bare

C2

rem.oceanchemexport.co:16465

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-926GGP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  VID-202501190942.exe
- Size
  
  826KB
- MD5
  
  903444ae394ffaae2785efa7de12e44f
- SHA1
  
  7115d8f316263a94d0373c478bb03ecf70682fa2
- SHA256
  
  f00ef6cb0fffd162e4a57c26c64e1163fb0f2b1361bda56112da4f201fe260df
- SHA512
  
  1d82bf46b52d1bc9cfa759e324b3945f6eb715d8be7cbc8f3ec6e454750a0ff095e97ef425abc5020b75aa74efeda4aea358a8b37d1ebe9ac1ac3fa5bfe8f88c
- SSDEEP
  
  12288:JiCPnAdfah9q6RNxBQBcmBmozOI4zxaztFn53741q/I1NW:RfAdfah9qgBQcKr4saq/I1NW
Score

10^/10

remcos 16465-bare discovery rat collection credential_access stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  VID-202501190955.exe
- Size
  
  826KB
- MD5
  
  903444ae394ffaae2785efa7de12e44f
- SHA1
  
  7115d8f316263a94d0373c478bb03ecf70682fa2
- SHA256
  
  f00ef6cb0fffd162e4a57c26c64e1163fb0f2b1361bda56112da4f201fe260df
- SHA512
  
  1d82bf46b52d1bc9cfa759e324b3945f6eb715d8be7cbc8f3ec6e454750a0ff095e97ef425abc5020b75aa74efeda4aea358a8b37d1ebe9ac1ac3fa5bfe8f88c
- SSDEEP
  
  12288:JiCPnAdfah9q6RNxBQBcmBmozOI4zxaztFn53741q/I1NW:RfAdfah9qgBQcKr4saq/I1NW
Score

10^/10

remcos 16465-bare collection credential_access discovery rat stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral3 behavioral4