General

  • Target

    06042025_1754_03042025_CONFIDENTIAL FILE_03042025 (1).zip

  • Size

    556B

  • Sample

    250406-wg4ncsxmy2

  • MD5

    eb2a63aa3ea3e09ff221889fe31037ed

  • SHA1

    7093b9a5d9d2577209b856b528150d84974264dd

  • SHA256

    6aceb5678b7d70dd5ced972b8aacaacec401f165ae8b7333b48e358aabf10514

  • SHA512

    2f69eb1d4190593f4b3464e8115329f7ac779c9352ab3fa7b493bb01371cbaaecdd85946bf8b338dcabd419603aea4b640a9edfde289b996d3763d250ed73178

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    Host

  • C2

    45.141.233.95:8801

    leak-shop.cc:8109

    minerasicvalue.com:7501

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    012025-0D721P

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      FILE_02042025 (1).bat

    • Size

      574B

    • MD5

      711bed0103f2668aa733a139fbb608f0

    • SHA1

      71e3a7df7486106b78cbc4f9331792426173f47f

    • SHA256

      381d189e3ab62d72bc33979be7d37dfb8435f69c455e598c4da8fef9f36e2418

    • SHA512

      2a4f4cb7738282b630974d7904a907109287c8f27d439114cd46a1d87e588f80e3aed2eb80b517605ee1d522d63a510b76a6f379542c9fafdc8cf061700662bc

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Detected Nirsoft tools

      Free utilities, often used by attackers, that can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Blocklisted process makes network request

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
