remcos | 7666415f1d2f03e6a14e4f058b012ec6ed4a77cd3ecd1398817b2ac97b25cbc5

General

Target

ORDER ENQUIRY 22.11.21.exe
Size

965KB
MD5

0f30923fef1943c6444512e4da3987d4
SHA1

b1cfa49c4ac292f26cd04c1442eb2d7bcffc3e0a
SHA256

7666415f1d2f03e6a14e4f058b012ec6ed4a77cd3ecd1398817b2ac97b25cbc5
SHA512

ced07b8a11bdc5ebbe1396262efc937946f150c9cbfa2e5d812012cdc9e974f501a70b687f4b0debef0ca9da00d72748f217693cf02da0c4c7ab4518f584407e
SSDEEP

24576:0pn3wdfEYxdAXYVWYc0Lsz33ygpjbh4+L74mBfNUstzo:yn2fbdAXY8Y9L43yg

Score

10^/10

remcos warzonerat new rem stub collection infostealer rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

NEW REM STUB

C2

valvesco.duckdns.org:5050

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-48V73L
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

warzonerat

C2

valvesco.duckdns.org:5353

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4688-147-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral2/memory/4688-150-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/1924-148-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/1924-155-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4900-146-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4688-147-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/1924-148-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/4688-150-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/4900-149-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/1924-155-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Warzone RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2152-159-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/2152-162-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/2152-163-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/2152-167-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

dwn.exedwn.exe

pid process

3740 dwn.exe
2152 dwn.exe

pid	process
3740	dwn.exe
2152	dwn.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ORDER ENQUIRY 22.11.21.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ORDER ENQUIRY 22.11.21.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

ORDER ENQUIRY 22.11.21.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	ORDER ENQUIRY 22.11.21.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

ORDER ENQUIRY 22.11.21.exeORDER ENQUIRY 22.11.21.exedwn.exe

description	pid	process	target process
PID 4216 set thread context of 3584	4216	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 3584 set thread context of 1924	3584	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 3584 set thread context of 4688	3584	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 3584 set thread context of 4900	3584	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 3740 set thread context of 2152	3740	dwn.exe	dwn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ORDER ENQUIRY 22.11.21.exeORDER ENQUIRY 22.11.21.exe

pid	process
4900	ORDER ENQUIRY 22.11.21.exe
4900	ORDER ENQUIRY 22.11.21.exe
1924	ORDER ENQUIRY 22.11.21.exe
1924	ORDER ENQUIRY 22.11.21.exe
1924	ORDER ENQUIRY 22.11.21.exe
1924	ORDER ENQUIRY 22.11.21.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

ORDER ENQUIRY 22.11.21.exe

pid process

3584 ORDER ENQUIRY 22.11.21.exe
3584 ORDER ENQUIRY 22.11.21.exe
3584 ORDER ENQUIRY 22.11.21.exe
3584 ORDER ENQUIRY 22.11.21.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ORDER ENQUIRY 22.11.21.exe

description pid process

Token: SeDebugPrivilege 4900 ORDER ENQUIRY 22.11.21.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ORDER ENQUIRY 22.11.21.exedwn.exe

pid process

3584 ORDER ENQUIRY 22.11.21.exe
2152 dwn.exe

pid	process
3584	ORDER ENQUIRY 22.11.21.exe
3584	ORDER ENQUIRY 22.11.21.exe
3584	ORDER ENQUIRY 22.11.21.exe
3584	ORDER ENQUIRY 22.11.21.exe

description	pid	process
Token: SeDebugPrivilege	4900	ORDER ENQUIRY 22.11.21.exe

pid	process
3584	ORDER ENQUIRY 22.11.21.exe
2152	dwn.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

ORDER ENQUIRY 22.11.21.exeORDER ENQUIRY 22.11.21.exedwn.exedwn.exe

description	pid	process	target process
PID 4216 wrote to memory of 3584	4216	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 4216 wrote to memory of 3584	4216	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 4216 wrote to memory of 3584	4216	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 4216 wrote to memory of 3584	4216	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 4216 wrote to memory of 3584	4216	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 4216 wrote to memory of 3584	4216	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 4216 wrote to memory of 3584	4216	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 4216 wrote to memory of 3584	4216	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 4216 wrote to memory of 3584	4216	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 4216 wrote to memory of 3584	4216	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 4216 wrote to memory of 3584	4216	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 4216 wrote to memory of 3584	4216	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 3584 wrote to memory of 1924	3584	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 3584 wrote to memory of 1924	3584	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 3584 wrote to memory of 1924	3584	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 3584 wrote to memory of 1924	3584	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 3584 wrote to memory of 968	3584	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 3584 wrote to memory of 968	3584	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 3584 wrote to memory of 968	3584	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 3584 wrote to memory of 4688	3584	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 3584 wrote to memory of 4688	3584	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 3584 wrote to memory of 4688	3584	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 3584 wrote to memory of 4688	3584	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 3584 wrote to memory of 4900	3584	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 3584 wrote to memory of 4900	3584	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 3584 wrote to memory of 4900	3584	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 3584 wrote to memory of 4900	3584	ORDER ENQUIRY 22.11.21.exe	ORDER ENQUIRY 22.11.21.exe
PID 3584 wrote to memory of 3740	3584	ORDER ENQUIRY 22.11.21.exe	dwn.exe
PID 3584 wrote to memory of 3740	3584	ORDER ENQUIRY 22.11.21.exe	dwn.exe
PID 3584 wrote to memory of 3740	3584	ORDER ENQUIRY 22.11.21.exe	dwn.exe
PID 3740 wrote to memory of 2152	3740	dwn.exe	dwn.exe
PID 3740 wrote to memory of 2152	3740	dwn.exe	dwn.exe
PID 3740 wrote to memory of 2152	3740	dwn.exe	dwn.exe
PID 3740 wrote to memory of 2152	3740	dwn.exe	dwn.exe
PID 3740 wrote to memory of 2152	3740	dwn.exe	dwn.exe
PID 3740 wrote to memory of 2152	3740	dwn.exe	dwn.exe
PID 3740 wrote to memory of 2152	3740	dwn.exe	dwn.exe
PID 3740 wrote to memory of 2152	3740	dwn.exe	dwn.exe
PID 3740 wrote to memory of 2152	3740	dwn.exe	dwn.exe
PID 3740 wrote to memory of 2152	3740	dwn.exe	dwn.exe
PID 3740 wrote to memory of 2152	3740	dwn.exe	dwn.exe
PID 2152 wrote to memory of 4260	2152	dwn.exe	cmd.exe
PID 2152 wrote to memory of 4260	2152	dwn.exe	cmd.exe
PID 2152 wrote to memory of 4260	2152	dwn.exe	cmd.exe
PID 2152 wrote to memory of 4260	2152	dwn.exe	cmd.exe
PID 2152 wrote to memory of 4260	2152	dwn.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ORDER ENQUIRY 22.11.21.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER ENQUIRY 22.11.21.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Users\Admin\AppData\Local\Temp\ORDER ENQUIRY 22.11.21.exe
  "C:\Users\Admin\AppData\Local\Temp\ORDER ENQUIRY 22.11.21.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Users\Admin\AppData\Local\Temp\ORDER ENQUIRY 22.11.21.exe
    "C:\Users\Admin\AppData\Local\Temp\ORDER ENQUIRY 22.11.21.exe" /stext "C:\Users\Admin\AppData\Local\Temp\rjcglfnxcjm"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1924
- - C:\Users\Admin\AppData\Local\Temp\ORDER ENQUIRY 22.11.21.exe
    "C:\Users\Admin\AppData\Local\Temp\ORDER ENQUIRY 22.11.21.exe" /stext "C:\Users\Admin\AppData\Local\Temp\blqylyxyqrebea"
    3⤵
    PID:968
- - C:\Users\Admin\AppData\Local\Temp\ORDER ENQUIRY 22.11.21.exe
    "C:\Users\Admin\AppData\Local\Temp\ORDER ENQUIRY 22.11.21.exe" /stext "C:\Users\Admin\AppData\Local\Temp\blqylyxyqrebea"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:4688
- - C:\Users\Admin\AppData\Local\Temp\ORDER ENQUIRY 22.11.21.exe
    "C:\Users\Admin\AppData\Local\Temp\ORDER ENQUIRY 22.11.21.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mfvjmqisezwgphqct"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4900
- - C:\Users\Admin\AppData\Local\Temp\dwn.exe
    "C:\Users\Admin\AppData\Local\Temp\dwn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3740
  - - C:\Users\Admin\AppData\Local\Temp\dwn.exe
      "C:\Users\Admin\AppData\Local\Temp\dwn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:4260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dwn.exe

Filesize
613KB

MD5
eff616818b69ebbbf35c3147f6728920

SHA1
de38e874fbdcdd0146e95acff653d553a4221a0f

SHA256
be6cf44f8757472e0cd404392086f7f94352fa22e512d66b8420c51ab4a6b566

SHA512
056f246a8dc68fcb25bb8cd65e09bad69449dd826395d069f93b081462c86e4980674414dcc6467e4dce4db7e2a73a793101e9320ff6df1db24ab297a00650f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwn.exe

Filesize
613KB

MD5
eff616818b69ebbbf35c3147f6728920

SHA1
de38e874fbdcdd0146e95acff653d553a4221a0f

SHA256
be6cf44f8757472e0cd404392086f7f94352fa22e512d66b8420c51ab4a6b566

SHA512
056f246a8dc68fcb25bb8cd65e09bad69449dd826395d069f93b081462c86e4980674414dcc6467e4dce4db7e2a73a793101e9320ff6df1db24ab297a00650f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwn.exe

Filesize
613KB

MD5
eff616818b69ebbbf35c3147f6728920

SHA1
de38e874fbdcdd0146e95acff653d553a4221a0f

SHA256
be6cf44f8757472e0cd404392086f7f94352fa22e512d66b8420c51ab4a6b566

SHA512
056f246a8dc68fcb25bb8cd65e09bad69449dd826395d069f93b081462c86e4980674414dcc6467e4dce4db7e2a73a793101e9320ff6df1db24ab297a00650f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjcglfnxcjm

Filesize
4KB

MD5
d06ebab8b0513f602e535079a9ebbeea

SHA1
d29472e6eb5a72f0353d70b97a33337b255b487e

SHA256
0c9e16830ccc6495def187adde2137ac07a566e1534e5714f626dcd68d28094c

SHA512
002df6f401950fd24d5976a47c58e9e2c58cef7d4fdec69f815fb6a00fb1e1a8963a4a7bf52056e61d6f6875edec393c466742c3031dd5f88802b45ddadca209

Download Submit
memory/968-143-0x0000000000000000-mapping.dmp

Download
memory/1924-148-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1924-142-0x0000000000000000-mapping.dmp

Download
memory/1924-155-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2152-163-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2152-162-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2152-158-0x0000000000000000-mapping.dmp

Download
memory/2152-159-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2152-167-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2152-166-0x0000000004360000-0x0000000004500000-memory.dmp

Filesize
1.6MB

Download
memory/3584-141-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3584-137-0x0000000000000000-mapping.dmp

Download
memory/3584-140-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3584-157-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3584-138-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3584-139-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3740-154-0x0000000000010000-0x00000000000B0000-memory.dmp

Filesize
640KB

Download
memory/3740-151-0x0000000000000000-mapping.dmp

Download
memory/4216-136-0x0000000008F00000-0x0000000008F9C000-memory.dmp

Filesize
624KB

Download
memory/4216-135-0x0000000005350000-0x000000000535A000-memory.dmp

Filesize
40KB

Download
memory/4216-134-0x00000000051B0000-0x0000000005242000-memory.dmp

Filesize
584KB

Download
memory/4216-132-0x0000000000730000-0x0000000000828000-memory.dmp

Filesize
992KB

Download
memory/4216-133-0x00000000056C0000-0x0000000005C64000-memory.dmp

Filesize
5.6MB

Download
memory/4260-164-0x0000000000000000-mapping.dmp

Download
memory/4260-165-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download
memory/4688-150-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4688-147-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4688-144-0x0000000000000000-mapping.dmp

Download
memory/4900-149-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4900-146-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4900-145-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads