remcos

General

Target

2025-04-23_c88f7d6f431b220c8ccfc3d67aa78780_akira_black-basta_coinminer_hijackloader
Size

16.0MB
Sample

250423-nakynswtfs
MD5

c88f7d6f431b220c8ccfc3d67aa78780
SHA1

ebad358687be90cbf17857e9d9f010ca2eef5dbf
SHA256

f74e2e5f72d752f7d3803fb26ed57c583007aa6eb55a603c8ab647d0f15b1f55
SHA512

0f7baa118443aeac320b48df35525677e039e52dc64a5dee7cf9f6f833e0240ff62c0604eda2c9f9c222b79c55b8b68d80e5bd6a1f98b652066c803f22a8b0ea
SSDEEP

393216:kfpMGalEprdC2ho79h0ZVTNL8Mpb8wreosW56GzSu+:GMMpb8w6iAGz6

Score

10^/10

Malware Config

Extracted

Family

stealc

Botnet

GlobalThird

C2

62.60.226.20

Attributes

url_path
/3fdfaab96bf0423c.php

rc4.plain

Extracted

Family

remcos

Version

6.1.1 Light

Botnet

LightAutov3

C2

62.60.226.21:40106

62.60.226.101:40106

62.60.226.21:40105

62.60.226.101:40105

62.60.226.101:40104

62.60.226.21:40104

62.60.226.21:40103

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
1
connect_interval
1
copy_file
ZoomUpdateApi.exe
copy_folder
ZoomUpdate
delete_file
true
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
errors.dat
keylog_flag
false
keylog_folder
ZoomUpdateReport
mouse_option
false
mutex
ZoomUpdateService-8DUEEB
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
ZoomApiRec
screenshot_path
%Temp%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  2025-04-23_c88f7d6f431b220c8ccfc3d67aa78780_akira_black-basta_coinminer_hijackloader
- Size
  
  16.0MB
- MD5
  
  c88f7d6f431b220c8ccfc3d67aa78780
- SHA1
  
  ebad358687be90cbf17857e9d9f010ca2eef5dbf
- SHA256
  
  f74e2e5f72d752f7d3803fb26ed57c583007aa6eb55a603c8ab647d0f15b1f55
- SHA512
  
  0f7baa118443aeac320b48df35525677e039e52dc64a5dee7cf9f6f833e0240ff62c0604eda2c9f9c222b79c55b8b68d80e5bd6a1f98b652066c803f22a8b0ea
- SSDEEP
  
  393216:kfpMGalEprdC2ho79h0ZVTNL8Mpb8wreosW56GzSu+:GMMpb8w6iAGz6
Score

10^/10

remcos rhadamanthys stealc globalthird lightautov3 credential_access discovery execution rat spyware stealer
- Detects Rhadamanthys payload
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Rhadamanthys family
  rhadamanthys
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2