remcos

General

Target

50dc80f4ab02549b730dc49de7d38924e3d063a9488d0414872a83406719f566
Size

918KB
Sample

240701-1hykysvfpn
MD5

6322fbbf0d41682d0b0660b8ce0979a1
SHA1

70447ab58b0903fdb0a7dc7dbbdff2d4ea16f3a1
SHA256

50dc80f4ab02549b730dc49de7d38924e3d063a9488d0414872a83406719f566
SHA512

2c069fd389ea134078f90bca9537c62a751869bd35d27921c956a4557007a50422c92df91081dfb294bff2dab2c3fa881ade4f3d9ac2f0b44aec7f98ebdf66bf
SSDEEP

24576:aIw3ZQRZUWonR/qE6ufiV//fqatr1BingtJoI+4ud:aIw3GQ7nR/qE67zBtup

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

192.3.243.155:7643

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-KXS0YK
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  50dc80f4ab02549b730dc49de7d38924e3d063a9488d0414872a83406719f566
- Size
  
  918KB
- MD5
  
  6322fbbf0d41682d0b0660b8ce0979a1
- SHA1
  
  70447ab58b0903fdb0a7dc7dbbdff2d4ea16f3a1
- SHA256
  
  50dc80f4ab02549b730dc49de7d38924e3d063a9488d0414872a83406719f566
- SHA512
  
  2c069fd389ea134078f90bca9537c62a751869bd35d27921c956a4557007a50422c92df91081dfb294bff2dab2c3fa881ade4f3d9ac2f0b44aec7f98ebdf66bf
- SSDEEP
  
  24576:aIw3ZQRZUWonR/qE6ufiV//fqatr1BingtJoI+4ud:aIw3GQ7nR/qE67zBtup
Score

10^/10

remcos remotehost collection execution rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
- Detects executables built or packed with MPress PE compressor
- Detects executables packed with SmartAssembly
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects executables built or packed with MPress PE compressor

Detects executables packed with SmartAssembly

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2