remcos | 8864b508e11703efd0dfec01cf7e5b1f1f53bab99eb66ca8c4ee3884acb8f5a2 | Triage

Submit
Reports

Overview

overview

Static

static

1739390884...ed.exe

windows7-x64

9

1739390884...ed.exe

windows10-2004-x64

9

Sharing

General

Target

1739390884a09ef662fcaeeba78028fd001dbb899b934124679e76f638e210eb21257ab0bc915.dat-decoded.exe
Size

482KB
Sample

250212-ywl3zaxpdy
MD5

72351686e502b31b3649f3b0b8f84331
SHA1

50a3f1220ccd0b7cea5e3333c5aa59d4ecd7681f
SHA256

8864b508e11703efd0dfec01cf7e5b1f1f53bab99eb66ca8c4ee3884acb8f5a2
SHA512

e5268e9593fc84727749bab82380a2a9e845463bea1c577af9a688e067e8f4aba6fce4fb02c79229570c0bbb77e293e3682065436b97c327104d66888037ab3c
SSDEEP

12288:913ak/mBXTG4/1v08KI7ZnMEF76JqmsvZQNS:Xak/mBXTV/R0nEF76gFZ2

Score

10^/10

remcos remotehost collection discovery spyware stealer

Static task

static1

remotehost remcos

2 signatures

Behavioral task

behavioral1

Sample

1739390884a09ef662fcaeeba78028fd001dbb899b934124679e76f638e210eb21257ab0bc915.dat-decoded.exe

Resource

win7-20250207-en

collection discovery spyware stealer

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

1739390884a09ef662fcaeeba78028fd001dbb899b934124679e76f638e210eb21257ab0bc915.dat-decoded.exe

Resource

win10v2004-20250207-en

collection discovery spyware stealer

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

192.3.243.136:6878

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-JARS2X
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  1739390884a09ef662fcaeeba78028fd001dbb899b934124679e76f638e210eb21257ab0bc915.dat-decoded.exe
- Size
  
  482KB
- MD5
  
  72351686e502b31b3649f3b0b8f84331
- SHA1
  
  50a3f1220ccd0b7cea5e3333c5aa59d4ecd7681f
- SHA256
  
  8864b508e11703efd0dfec01cf7e5b1f1f53bab99eb66ca8c4ee3884acb8f5a2
- SHA512
  
  e5268e9593fc84727749bab82380a2a9e845463bea1c577af9a688e067e8f4aba6fce4fb02c79229570c0bbb77e293e3682065436b97c327104d66888037ab3c
- SSDEEP
  
  12288:913ak/mBXTG4/1v08KI7ZnMEF76JqmsvZQNS:Xak/mBXTV/R0nEF76gFZ2
Score

9^/10

collection discovery spyware stealer
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Downloads MZ/PE file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

remotehostremcos

behavioral1

collectiondiscoveryspywarestealer

behavioral2

collectiondiscoveryspywarestealer

© 2018-2025

Terms | Privacy