remcos | 74b5890f41f51c96efa8cdeb693fd95ad15e5dc523e7d75e2e101d7cf8b0a36e | Triage

Sharing

General

Target

1739178544fddf70426d254d1190ae60a70360d66d18140b9726d9aa91d249134723844c49387.dat-decoded.exe
Size

482KB
Sample

250210-k6evrawlfl
MD5

c9640390f2987def34711b9c1f42f2fa
SHA1

bb8e1e1d5206e957747791670d980ea89d86bf12
SHA256

74b5890f41f51c96efa8cdeb693fd95ad15e5dc523e7d75e2e101d7cf8b0a36e
SHA512

50fbd697119a6c943e91f96698a158e27b454081d27145dec11f7a108ba4c37b2392276ccf29f4fb8acebd92a9abda1ef027d1fab0dfba39f41a2b3adf1cd01a
SSDEEP

12288:d13ak/mBXTG4/1v08KI7ZnMEF76JqmsvZQUS:3ak/mBXTV/R0nEF76gFZ7

Score

10^/10

remcos remotehost credential_access discovery spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

whatgodneedtogiveme.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-73NBJX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  1739178544fddf70426d254d1190ae60a70360d66d18140b9726d9aa91d249134723844c49387.dat-decoded.exe
- Size
  
  482KB
- MD5
  
  c9640390f2987def34711b9c1f42f2fa
- SHA1
  
  bb8e1e1d5206e957747791670d980ea89d86bf12
- SHA256
  
  74b5890f41f51c96efa8cdeb693fd95ad15e5dc523e7d75e2e101d7cf8b0a36e
- SHA512
  
  50fbd697119a6c943e91f96698a158e27b454081d27145dec11f7a108ba4c37b2392276ccf29f4fb8acebd92a9abda1ef027d1fab0dfba39f41a2b3adf1cd01a
- SSDEEP
  
  12288:d13ak/mBXTG4/1v08KI7ZnMEF76JqmsvZQUS:3ak/mBXTV/R0nEF76gFZ7
Score

8^/10

credential_access discovery spyware stealer
- Downloads MZ/PE file
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

Privilege Escalation

Defense Evasion

Modify Authentication Process

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Modify Authentication Process

Steal Web Session Cookie

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

remotehostremcos

behavioral1

credential_accessdiscoveryspywarestealer

behavioral2

credential_accessdiscoveryspywarestealer