remcos | c362c9041673c2475a3aecfa463941fde1935d452a5489a6f2a6a997053c92cf | Triage

Submit
Reports

Overview

overview

Static

static

3

JY-PCB-240109A-3.exe

windows7-x64

JY-PCB-240109A-3.exe

windows10-2004-x64

Sharing

General

Target

27062024_1711_27062024_JY-PCB-240109A-3.7z
Size

6KB
Sample

240627-vqp1ws1eje
MD5

7da235e1de9607c834e07f22fed9ef64
SHA1

21dedcfc2defc51b20f9d92c6d40a68fc827684c
SHA256

c362c9041673c2475a3aecfa463941fde1935d452a5489a6f2a6a997053c92cf
SHA512

8c8733bae07831fedee2ed75dd0337a8ce2c17a2a9fbbbebe376a3fed9d2ce7b3be80b1cd684839cb09cdce56f17b4d35c58f8ad0f45436a8dcef0d491f137f6
SSDEEP

192:PmxHOKqIdcHSG3q5kRT8x6LmvTeYQLHyz/wa5X:CuK7MSG0M9CvTe9LSbvX

Score

10^/10

remcos remotehost agilenet collection persistence rat spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

JY-PCB-240109A-3.exe

Resource

win7-20240611-en

remcos remotehost agilenet collection persistence rat spyware stealer

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

JY-PCB-240109A-3.exe

Resource

win10v2004-20240611-en

remcos remotehost agilenet collection persistence rat spyware stealer

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

45.133.116.123:63650

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-3BFGTU
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  JY-PCB-240109A-3.exe
- Size
  
  21KB
- MD5
  
  e05b80c579472d630f481820526c75f5
- SHA1
  
  7dca7c4bda5302e67ec87073b040ede2be781a6a
- SHA256
  
  2e410769ac9f0e71df08fda7115ccc473815a0f200a19059972d2c7b6190af4f
- SHA512
  
  c2b2e567713e3c712a6611a1255270e6695b26e136c80428860fe86a46e9eab5e589085c7bcc5213e0218a67e99949efaf5109fed2975668e8ecf87d11612feb
- SSDEEP
  
  384:ilFLVGZkhqIg8hR2GZsHEuymVr3JmJZzyF/O7v6qEfTivVqsSqncKxXFY:iTiYxBu93JmvyqEfuNqUcKxXFY
Score

10^/10

remcos remotehost agilenet collection persistence rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

remcosremotehostagilenetcollectionpersistenceratspywarestealer

behavioral2

remcosremotehostagilenetcollectionpersistenceratspywarestealer

© 2018-2024

Terms | Privacy