remcos

General

Target

747031500_D747031500_A.js
Size

1003KB
Sample

250214-klgtlszkgz
MD5

e3765da77fefd90e2a7e1fe50029a1d8
SHA1

b0aec621810789c80ddeb96d746cc88ee6b0db50
SHA256

8a95a509c657f55f3037336ba69c03f687b6818fdff078aaaba41ee359154eac
SHA512

47c7a5f988e5051aca274b2dfa585348f814fd4105d93b6b6e81dc54044eaab767319ca0e1f62cf160aa1571850e089cb90c94120889cda2b3d47cf7c7d7ef0a
SSDEEP

24576:kYnZJg8/S5NnzlKWrhjxQfB/nQ0xc/qqXsE8zl:dg8/S5NnzlKWrhjxQfB/nQ0xc/PO

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

Host 2025

C2

favor-grace-fax.home-webserver.de:5930

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
true
keylog_file
iuioh.dat
keylog_flag
false
keylog_folder
iuyt6yu
mouse_option
false
mutex
iuytroiuy77im-KQ32FT
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  747031500_D747031500_A.js
- Size
  
  1003KB
- MD5
  
  e3765da77fefd90e2a7e1fe50029a1d8
- SHA1
  
  b0aec621810789c80ddeb96d746cc88ee6b0db50
- SHA256
  
  8a95a509c657f55f3037336ba69c03f687b6818fdff078aaaba41ee359154eac
- SHA512
  
  47c7a5f988e5051aca274b2dfa585348f814fd4105d93b6b6e81dc54044eaab767319ca0e1f62cf160aa1571850e089cb90c94120889cda2b3d47cf7c7d7ef0a
- SSDEEP
  
  24576:kYnZJg8/S5NnzlKWrhjxQfB/nQ0xc/qqXsE8zl:dg8/S5NnzlKWrhjxQfB/nQ0xc/PO
Score

10^/10

remcos host 2025 collection credential_access discovery execution persistence rat stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Blocklisted process makes network request
- Downloads MZ/PE file
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2