remcos | 72a61910d0ce3c1796c072b1b7a14574918d3b1e5d5b23727ca8d55473ac3d57 | Triage

Submit
Reports

Overview

overview

Static

static

3

0738981879...dd.exe

windows7-x64

0738981879...dd.exe

windows10-2004-x64

Sharing

General

Target

50cf2b84679ea401530b7e30d16f166b.bin
Size

16KB
Sample

240630-chn5hssbqh
MD5

d6c9791d41b247051b5315513bd1f784
SHA1

e459dbaa31f45d1915e1767616f544cae346678a
SHA256

72a61910d0ce3c1796c072b1b7a14574918d3b1e5d5b23727ca8d55473ac3d57
SHA512

1bf65e7b97b091d877ef777054c8d87ab4addfe8fdce2f57f7e0f93780da62f7b429cd386bc50178f8c55f4ca5ebdd69e16bdec0279f26c2070140f2e9058115
SSDEEP

192:bjB+wz1BfO6+br0HYWNYs4C2hzPY2SW8mVYl/I86wgMzVgidTp01d3IfTe3j+ZtQ:B3xBG9i1rqzgSap6gvFpmGfTeSW0i

Score

10^/10

remcos remotehost collection persistence rat spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe

Resource

win7-20240611-en

remcos remotehost collection persistence rat spyware stealer

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe

Resource

win10v2004-20240508-en

remcos remotehost collection persistence rat spyware stealer

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

107.173.62.181:17120

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-F9ZGZ8
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
- Size
  
  95KB
- MD5
  
  50cf2b84679ea401530b7e30d16f166b
- SHA1
  
  1720348ae4b55ce19a252e2161c6eb0684ebea10
- SHA256
  
  0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd
- SHA512
  
  273a2fe9402a237314dce9937a1ec0c36cdcef8a0e2820dcaf40382061fa7fc85ef9df7bfba0b237b40eb10d4ecc236eb650f528400860dd309666c1a1d519b1
- SSDEEP
  
  1536:mOhzJDZr9BzDNATEk9UbTV0+gRLVNI6e:lhzbrjDNATEkebh0BRk6e
Score

10^/10

remcos remotehost collection persistence rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

remcosremotehostcollectionpersistenceratspywarestealer

behavioral2

remcosremotehostcollectionpersistenceratspywarestealer

© 2018-2024

Terms | Privacy