General
  Target: 21012025_0918_20012025_completed payment Swift.zip
  Size: 498KB
  Sample: 250121-k9rzgswnby
  MD5: dd6dbcce85bcf0fa1cb0551865be7a6b
  SHA1: e7680679f36dae0c60579b6f03e941726017ea36
  SHA256: 8951d42cd54ee24819e35270f5106ce547cbd23ac8a97e43135be5c6f4da79e9
  SHA512: 91ad3e8bea4859e7a4da58c4b8929ac144927bd208a547b1422e65483bc151d9096c565d335841c2b494e149d2512b7f38571960709cf06f4a24d9bf643fe62b
  SSDEEP: 12288:Va7xuLiBuItRc5F0zmu2C2KtqtaQfkE7GwQD+:VaMLWuCcomu2C2xYQfziwQD+
Static task: static1
Behavioral task: behavioral1
  Sample: completed payment Swift.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: completed payment Swift.exe
  Resource: win10v2004-20241007-en
Malware Config
  Extracted: remcos
    googlegroupaccount
    213.152.187.241:12776
    10.14.10.19:12776
  audio_folder: MicRecords
  audio_path: ApplicationPath
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: googlegroupaccount.exe
  copy_folder: googlegroupaccount
  delete_file: false
  hide_file: false
  hide_keylog_file: false
  install_flag: true
  install_path: %AppData%
  keylog_crypt: false
  keylog_file: logs.dat
  keylog_flag: false
  keylog_folder: remcos
  mouse_option: false
  mutex: Rmc-6741XM
  screenshot_crypt: false
  screenshot_flag: false
  screenshot_folder: Screenshots
  screenshot_path: %AppData%
  screenshot_time: 10
  take_screenshot_option: false
  take_screenshot_time: 5
Targets
  Target: completed payment Swift.exe
  Size: 618KB
  MD5: 9f596e0ef377a10ac315ea255dddd93a
  SHA1: c01d886bf3ba5ada0b5685ce524061401e9c4bfe
  SHA256: 7ccf91b8dba6200f57181d52809c2edd10fe69a5334dfef8ee5426f882adfbe2
  SHA512: 1324ccbe878072d811e0ce7d344e4e8d0e5ffa27395ea2afb51e5eac99b45b723bd744a5217611da524e33281f0915ae468605db05040947e040708c81d117bb
  SSDEEP: 12288:h1zTwu+3/aEu57XO1KU7ZMveuWSA1YBcOxuuUHFFnsdFvMAqJ:0n3/aECOwKmvekyYBcOuPFFUFvMZJ

  Remcos family
  Detected Nirsoft tools: Free utilities often used by attackers which can steal passwords, product keys, etc.
    NirSoft MailPassView: Password recovery tool for various email clients
    NirSoft WebBrowserPassView: Password recovery tool for various web browsers
  Checks computer location settings: Looks up country code configured in the registry, likely geofence.
  Executes dropped EXE
  Loads dropped DLL
  Accesses Microsoft Outlook accounts
  Adds Run key to start application
  Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
  Privilege Escalation
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
  Credential Access
    Credentials from Password Stores (1)
      Credentials from Web Browsers (1)
    Unsecured Credentials (1)
      Credentials In Files (1)