remcos

General

Target

Document53374pdf.exe
Size

916KB
Sample

250131-vmka8stmhq
MD5

9086c60c9ad908adaf0656122f0670fe
SHA1

b21a437c8319d751df3d62302c5182162f1999d1
SHA256

c2a0d55f2c24ea39b05e847cd7e0c1a08289af1d24545e689bd88add8a26b599
SHA512

f4144165f652508a6730fc52a9b7fe71158a57c76b92b9d25dbf2d7998f68dda33b6200c637ac018e8ceacd22a25729053a4ea73e030b7ebc1ce56d709956af2
SSDEEP

24576:oe56hiS2BhRz6eKlZjZZz7AZ0Ig/X96PIwHHXgrFJcgps:Z6sSG7KjZ9AZ0rUP1H32FJ7s

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

TRYTHIS

C2

trfsgysu28opask01.duckdns.org:9702

trfsgysu28opask01.duckdns.org:35889

trfsgysu28opask02.duckdns.org:9702

detuthi.duckdns.org:9702

detuthi.duckdns.org:35889

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
mziseotosg.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
mbvieortc-QTTQ37
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Document53374pdf.exe
- Size
  
  916KB
- MD5
  
  9086c60c9ad908adaf0656122f0670fe
- SHA1
  
  b21a437c8319d751df3d62302c5182162f1999d1
- SHA256
  
  c2a0d55f2c24ea39b05e847cd7e0c1a08289af1d24545e689bd88add8a26b599
- SHA512
  
  f4144165f652508a6730fc52a9b7fe71158a57c76b92b9d25dbf2d7998f68dda33b6200c637ac018e8ceacd22a25729053a4ea73e030b7ebc1ce56d709956af2
- SSDEEP
  
  24576:oe56hiS2BhRz6eKlZjZZz7AZ0Ig/X96PIwHHXgrFJcgps:Z6sSG7KjZ9AZ0rUP1H32FJ7s
Score

10^/10

discovery execution remcos trythis collection credential_access persistence rat stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Bestikkelsesanklager.Qui
- Size
  
  51KB
- MD5
  
  59b0b98cd78cde9e66a8e1195fa35be3
- SHA1
  
  d9a9813e0983f69b6c11fbb7c5b2c28df207fd13
- SHA256
  
  7ecd47a0c1aaf0942e55d6be3e11cf4a7e8485084de7f88d38722758fd3c7411
- SHA512
  
  4478091235e926276545239847d6eab2eccc8755b05c4794eb6ba19c3afb4521cdd53dc935f9731b37d7ee3c0667b9fb997a3377f23203b40cb002392aed1e8a
- SSDEEP
  
  768:qq7eNLn1vlqkLYurDEflvt2sS0+a8fiZ7ZbjBenEnTz0HyZumtsuY71jsf+FLDmu:kNme/AX2p0ftZ7FGZHyZffyy7oKDm7
Score

8^/10

execution persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4