remcos | e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76

Analysis

max time kernel
154s
max time network
150s
platform
windows7_x64
resource
win7-en-20211208
submitted
30-01-2022 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe
Size

1023KB
MD5

d748b7636247f497fa69a9b3dac8a1c6
SHA1

d1e73e0fd37aa7494b4b7ce9d5627666994eb3f1
SHA256

e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76
SHA512

5384be1c8ea45763c42b43bd46b0a9a48cd22b6f17c8cd111aa69093dc31e69c52e3c30bc810e8d118a52c88fe5daa5998b5fe834f6b7d05f808c5959c230e3b

Score

10^/10

remcos remotehost persistence rat upx

Malware Config

Extracted

Family

remcos

Version

3.3.2 Light

Botnet

RemoteHost

91.243.44.75:1703

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-W5VMG1
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 3 IoCs

Processes:

Nostra.exe.comNostra.exe.comNostra.exe.com

pid process

568 Nostra.exe.com
1632 Nostra.exe.com
1644 Nostra.exe.com

pid	process
568	Nostra.exe.com
1632	Nostra.exe.com
1644	Nostra.exe.com

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1644-69-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/1644-73-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/1644-74-0x0000000000400000-0x0000000000479000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

cmd.exeNostra.exe.comNostra.exe.com

pid process

616 cmd.exe
568 Nostra.exe.com
1632 Nostra.exe.com

pid	process
616	cmd.exe
568	Nostra.exe.com
1632	Nostra.exe.com

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Nostra.exe.com

description pid process target process

PID 1632 set thread context of 1644 1632 Nostra.exe.com Nostra.exe.com
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1492 PING.EXE
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Nostra.exe.comNostra.exe.com

pid process

568 Nostra.exe.com
568 Nostra.exe.com
568 Nostra.exe.com
1632 Nostra.exe.com
1632 Nostra.exe.com
1632 Nostra.exe.com
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Nostra.exe.comNostra.exe.com

pid process

568 Nostra.exe.com
568 Nostra.exe.com
568 Nostra.exe.com
1632 Nostra.exe.com
1632 Nostra.exe.com
1632 Nostra.exe.com

description	pid	process	target process
PID 1632 set thread context of 1644	1632	Nostra.exe.com	Nostra.exe.com

pid	process
1492	PING.EXE

pid	process
568	Nostra.exe.com
568	Nostra.exe.com
568	Nostra.exe.com
1632	Nostra.exe.com
1632	Nostra.exe.com
1632	Nostra.exe.com

pid	process
568	Nostra.exe.com
568	Nostra.exe.com
568	Nostra.exe.com
1632	Nostra.exe.com
1632	Nostra.exe.com
1632	Nostra.exe.com

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.execmd.execmd.exeNostra.exe.comNostra.exe.com

description	pid	process	target process
PID 740 wrote to memory of 1668	740	e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe	rundll32.exe
PID 740 wrote to memory of 1668	740	e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe	rundll32.exe
PID 740 wrote to memory of 1668	740	e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe	rundll32.exe
PID 740 wrote to memory of 1668	740	e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe	rundll32.exe
PID 740 wrote to memory of 1668	740	e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe	rundll32.exe
PID 740 wrote to memory of 1668	740	e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe	rundll32.exe
PID 740 wrote to memory of 1668	740	e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe	rundll32.exe
PID 740 wrote to memory of 516	740	e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe	cmd.exe
PID 740 wrote to memory of 516	740	e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe	cmd.exe
PID 740 wrote to memory of 516	740	e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe	cmd.exe
PID 740 wrote to memory of 516	740	e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe	cmd.exe
PID 516 wrote to memory of 616	516	cmd.exe	cmd.exe
PID 516 wrote to memory of 616	516	cmd.exe	cmd.exe
PID 516 wrote to memory of 616	516	cmd.exe	cmd.exe
PID 516 wrote to memory of 616	516	cmd.exe	cmd.exe
PID 616 wrote to memory of 828	616	cmd.exe	findstr.exe
PID 616 wrote to memory of 828	616	cmd.exe	findstr.exe
PID 616 wrote to memory of 828	616	cmd.exe	findstr.exe
PID 616 wrote to memory of 828	616	cmd.exe	findstr.exe
PID 616 wrote to memory of 568	616	cmd.exe	Nostra.exe.com
PID 616 wrote to memory of 568	616	cmd.exe	Nostra.exe.com
PID 616 wrote to memory of 568	616	cmd.exe	Nostra.exe.com
PID 616 wrote to memory of 568	616	cmd.exe	Nostra.exe.com
PID 616 wrote to memory of 1492	616	cmd.exe	PING.EXE
PID 616 wrote to memory of 1492	616	cmd.exe	PING.EXE
PID 616 wrote to memory of 1492	616	cmd.exe	PING.EXE
PID 616 wrote to memory of 1492	616	cmd.exe	PING.EXE
PID 568 wrote to memory of 1632	568	Nostra.exe.com	Nostra.exe.com
PID 568 wrote to memory of 1632	568	Nostra.exe.com	Nostra.exe.com
PID 568 wrote to memory of 1632	568	Nostra.exe.com	Nostra.exe.com
PID 568 wrote to memory of 1632	568	Nostra.exe.com	Nostra.exe.com
PID 1632 wrote to memory of 1644	1632	Nostra.exe.com	Nostra.exe.com
PID 1632 wrote to memory of 1644	1632	Nostra.exe.com	Nostra.exe.com
PID 1632 wrote to memory of 1644	1632	Nostra.exe.com	Nostra.exe.com
PID 1632 wrote to memory of 1644	1632	Nostra.exe.com	Nostra.exe.com
PID 1632 wrote to memory of 1644	1632	Nostra.exe.com	Nostra.exe.com
PID 1632 wrote to memory of 1644	1632	Nostra.exe.com	Nostra.exe.com

C:\Users\Admin\AppData\Local\Temp\e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe
"C:\Users\Admin\AppData\Local\Temp\e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\rundll32.exe
rundll32
2⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Visibile.xlm
2⤵
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^gEutgGXWMnXZJmmknvCvUSNFjCbgglMYEvVtVrlOMLVHLAYDxdFoQxivQARLpIICMZcjEcfckNJpWuULDT$" Sei.xlm
4⤵
PID:828

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nostra.exe.com
Nostra.exe.com F
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nostra.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nostra.exe.com F
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nostra.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nostra.exe.com
6⤵
- Executes dropped EXE
PID:1644

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 30
4⤵
- Runs ping.exe
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\F
MD5
48ea83a3699cebd2dc04d4d76745507d

SHA1
fb190b131db81e744afee10e0b30147687cea9be

SHA256
dd2f7076c643461467eb387f12d021af01f6cf8ab21aa6baad38bc3082eaab3e

SHA512
6d7f6631d178b52aa24dd945fac711bd88aa42c626f049673914bd4939c1a2dbefb7fdb3888b269bd370b620952b2acda7e686fbf6be224eebd74bd6f77ec382

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nostra.exe.com
MD5
ce2797f5c8d43d08a41645d706569d22

SHA1
f8b412bc15829da6e4f16b89112bd67076481424

SHA256
fa1a71dfe8956425fba11e24423abd6761340a0663a819ada76b854af432b075

SHA512
ff2ffcacbcacfb970182ed667fc65f319a555e6cac20ffcbe28ba5fe15fca0b4f8896b46ced5e27ae4d0c2ef569d4b54c103f65c2c5e4def748bb5da71899de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nostra.exe.com
MD5
ce2797f5c8d43d08a41645d706569d22

SHA1
f8b412bc15829da6e4f16b89112bd67076481424

SHA256
fa1a71dfe8956425fba11e24423abd6761340a0663a819ada76b854af432b075

SHA512
ff2ffcacbcacfb970182ed667fc65f319a555e6cac20ffcbe28ba5fe15fca0b4f8896b46ced5e27ae4d0c2ef569d4b54c103f65c2c5e4def748bb5da71899de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nostra.exe.com
MD5
ce2797f5c8d43d08a41645d706569d22

SHA1
f8b412bc15829da6e4f16b89112bd67076481424

SHA256
fa1a71dfe8956425fba11e24423abd6761340a0663a819ada76b854af432b075

SHA512
ff2ffcacbcacfb970182ed667fc65f319a555e6cac20ffcbe28ba5fe15fca0b4f8896b46ced5e27ae4d0c2ef569d4b54c103f65c2c5e4def748bb5da71899de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nostra.exe.com
MD5
ce2797f5c8d43d08a41645d706569d22

SHA1
f8b412bc15829da6e4f16b89112bd67076481424

SHA256
fa1a71dfe8956425fba11e24423abd6761340a0663a819ada76b854af432b075

SHA512
ff2ffcacbcacfb970182ed667fc65f319a555e6cac20ffcbe28ba5fe15fca0b4f8896b46ced5e27ae4d0c2ef569d4b54c103f65c2c5e4def748bb5da71899de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rimanete.xlm
MD5
48ea83a3699cebd2dc04d4d76745507d

SHA1
fb190b131db81e744afee10e0b30147687cea9be

SHA256
dd2f7076c643461467eb387f12d021af01f6cf8ab21aa6baad38bc3082eaab3e

SHA512
6d7f6631d178b52aa24dd945fac711bd88aa42c626f049673914bd4939c1a2dbefb7fdb3888b269bd370b620952b2acda7e686fbf6be224eebd74bd6f77ec382

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sei.xlm
MD5
20317feaeccf25a1c7e3574e1cf21c54

SHA1
96bd936939e9d8562332e9ebe94fe508dfa6a32f

SHA256
7a9ee9b92ac033f0df8ccd9bbbf762c79951067b969b179b63272760b974ab0c

SHA512
9806ddea506b95d7c5b63237442676bed85b7c3903fd5609417dadfb7b0fc86a659f6b7f520131c45c3a83f48c4adc94f45d35c4767e61708bf88cd173ce1ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Visibile.xlm
MD5
984186f0c69ca0c120c6e694cbf2f242

SHA1
b9da4266b777aed105a55337c6c7158163f16214

SHA256
8e84d96f11c7a6eb263678ca6ffa18cd0531c4955504391782e2e228aea10bae

SHA512
f8eeb4bd83cbb928216596a9847b8cfa06135df60d333e265301f30bbc3b74d49f8e58bd37e68bdf2ec797dadc88da562be5cd932a48c3c19d3eefb3f8948d97

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nostra.exe.com
MD5
ce2797f5c8d43d08a41645d706569d22

SHA1
f8b412bc15829da6e4f16b89112bd67076481424

SHA256
fa1a71dfe8956425fba11e24423abd6761340a0663a819ada76b854af432b075

SHA512
ff2ffcacbcacfb970182ed667fc65f319a555e6cac20ffcbe28ba5fe15fca0b4f8896b46ced5e27ae4d0c2ef569d4b54c103f65c2c5e4def748bb5da71899de9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nostra.exe.com
MD5
ce2797f5c8d43d08a41645d706569d22

SHA1
f8b412bc15829da6e4f16b89112bd67076481424

SHA256
fa1a71dfe8956425fba11e24423abd6761340a0663a819ada76b854af432b075

SHA512
ff2ffcacbcacfb970182ed667fc65f319a555e6cac20ffcbe28ba5fe15fca0b4f8896b46ced5e27ae4d0c2ef569d4b54c103f65c2c5e4def748bb5da71899de9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nostra.exe.com
MD5
ce2797f5c8d43d08a41645d706569d22

SHA1
f8b412bc15829da6e4f16b89112bd67076481424

SHA256
fa1a71dfe8956425fba11e24423abd6761340a0663a819ada76b854af432b075

SHA512
ff2ffcacbcacfb970182ed667fc65f319a555e6cac20ffcbe28ba5fe15fca0b4f8896b46ced5e27ae4d0c2ef569d4b54c103f65c2c5e4def748bb5da71899de9

Download Submit
memory/1644-68-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1644-69-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1644-73-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1644-74-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1668-55-0x0000000075321000-0x0000000075323000-memory.dmp

Filesize
8KB

Download