remcos | ca241f16b1ac84b101cdfcd8aa9afea521636dba24a5ffe08316c5da4bd68390

General

Target

INQUIRY DATA SPECIFICATION.exe
Size

971KB
MD5

b7e69d837badce7f4a8f515b9956131c
SHA1

a203884c92670928ed80e0bdf4c08fcc1f93b1e5
SHA256

ca241f16b1ac84b101cdfcd8aa9afea521636dba24a5ffe08316c5da4bd68390
SHA512

3f39ed762233a7825daa0edb861a1cdd801069c9d396f1898b45d150262c78f56a6f2ce9aace03020c8815e9e7294ff415613e50280923a7f37c3a476afa014b
SSDEEP

24576:aSgh/PM1kv/TQFR0TjqM4V4Kv1zPDhm4VnkC:a1h/01ks/Ojq/lz78499

Score

10^/10

remcos auto collection rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

AUTO

C2

valvesco.duckdns.org:5050

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-V9LLZT
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/2092-148-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/4888-150-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/4888-151-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2092-148-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/740-149-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4888-150-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/4888-151-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

INQUIRY DATA SPECIFICATION.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	INQUIRY DATA SPECIFICATION.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

INQUIRY DATA SPECIFICATION.exeINQUIRY DATA SPECIFICATION.exe

description	pid	process	target process
PID 428 set thread context of 4936	428	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 4936 set thread context of 4888	4936	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 4936 set thread context of 2092	4936	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 4936 set thread context of 740	4936	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

INQUIRY DATA SPECIFICATION.exeINQUIRY DATA SPECIFICATION.exe

pid	process
4888	INQUIRY DATA SPECIFICATION.exe
4888	INQUIRY DATA SPECIFICATION.exe
740	INQUIRY DATA SPECIFICATION.exe
740	INQUIRY DATA SPECIFICATION.exe
4888	INQUIRY DATA SPECIFICATION.exe
4888	INQUIRY DATA SPECIFICATION.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

INQUIRY DATA SPECIFICATION.exe

pid	process
4936	INQUIRY DATA SPECIFICATION.exe
4936	INQUIRY DATA SPECIFICATION.exe
4936	INQUIRY DATA SPECIFICATION.exe
4936	INQUIRY DATA SPECIFICATION.exe
4936	INQUIRY DATA SPECIFICATION.exe
4936	INQUIRY DATA SPECIFICATION.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

INQUIRY DATA SPECIFICATION.exe

description pid process

Token: SeDebugPrivilege 740 INQUIRY DATA SPECIFICATION.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

INQUIRY DATA SPECIFICATION.exe

pid process

4936 INQUIRY DATA SPECIFICATION.exe

description	pid	process
Token: SeDebugPrivilege	740	INQUIRY DATA SPECIFICATION.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

INQUIRY DATA SPECIFICATION.exeINQUIRY DATA SPECIFICATION.exe

C:\Users\Admin\AppData\Local\Temp\INQUIRY DATA SPECIFICATION.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY DATA SPECIFICATION.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:428

C:\Users\Admin\AppData\Local\Temp\INQUIRY DATA SPECIFICATION.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY DATA SPECIFICATION.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4936

C:\Users\Admin\AppData\Local\Temp\INQUIRY DATA SPECIFICATION.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY DATA SPECIFICATION.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xkqrypctpvzjmkmhdszoekv"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4888

C:\Users\Admin\AppData\Local\Temp\INQUIRY DATA SPECIFICATION.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY DATA SPECIFICATION.exe" /stext "C:\Users\Admin\AppData\Local\Temp\aedkzimuddrowqitudlpppqlyn"
3⤵
PID:4316

C:\Users\Admin\AppData\Local\Temp\INQUIRY DATA SPECIFICATION.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY DATA SPECIFICATION.exe" /stext "C:\Users\Admin\AppData\Local\Temp\kyjdzaforljbzewxdogjscccztgdr"
3⤵
PID:3724

C:\Users\Admin\AppData\Local\Temp\INQUIRY DATA SPECIFICATION.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY DATA SPECIFICATION.exe" /stext "C:\Users\Admin\AppData\Local\Temp\aedkzimuddrowqitudlpppqlyn"
3⤵
- Accesses Microsoft Outlook accounts
PID:2092

C:\Users\Admin\AppData\Local\Temp\INQUIRY DATA SPECIFICATION.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY DATA SPECIFICATION.exe" /stext "C:\Users\Admin\AppData\Local\Temp\kyjdzaforljbzewxdogjscccztgdr"
3⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\INQUIRY DATA SPECIFICATION.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY DATA SPECIFICATION.exe" /stext "C:\Users\Admin\AppData\Local\Temp\kyjdzaforljbzewxdogjscccztgdr"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xkqrypctpvzjmkmhdszoekv
Filesize
4KB

MD5
952a930b9fe70f809a67cb4e765c9448

SHA1
7e6c235246cc1be14d8a01ee7688a2a2471d44c9

SHA256
bd8156713974af3003c418302d3647fa84f62836fe83613c05e8bc40cb06a867

SHA512
10d12f2412fd2cb9ecf47cccd0261b17d9a3323957602c06795c4b2244306837d0a979ec6e552dc023ee81719ebcb9455bdb6f9d44f07788664994d1498452fb

Download Submit
memory/428-132-0x0000000000AF0000-0x0000000000BEA000-memory.dmp

Filesize
1000KB

Download
memory/428-133-0x0000000005A10000-0x0000000005FB4000-memory.dmp

Filesize
5.6MB

Download
memory/428-134-0x0000000005460000-0x00000000054F2000-memory.dmp

Filesize
584KB

Download
memory/428-135-0x0000000005730000-0x000000000573A000-memory.dmp

Filesize
40KB

Download
memory/428-136-0x0000000008040000-0x00000000080DC000-memory.dmp

Filesize
624KB

Download
memory/740-149-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/740-147-0x0000000000000000-mapping.dmp

Download
memory/2092-148-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2092-144-0x0000000000000000-mapping.dmp

Download
memory/3724-145-0x0000000000000000-mapping.dmp

Download
memory/3772-146-0x0000000000000000-mapping.dmp

Download
memory/4316-143-0x0000000000000000-mapping.dmp

Download
memory/4888-142-0x0000000000000000-mapping.dmp

Download
memory/4888-150-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4888-151-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4936-141-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4936-140-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4936-139-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4936-138-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4936-137-0x0000000000000000-mapping.dmp

Download
memory/4936-153-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

description	pid	process	target process
PID 428 wrote to memory of 4936	428	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 428 wrote to memory of 4936	428	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 428 wrote to memory of 4936	428	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 428 wrote to memory of 4936	428	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 428 wrote to memory of 4936	428	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 428 wrote to memory of 4936	428	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 428 wrote to memory of 4936	428	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 428 wrote to memory of 4936	428	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 428 wrote to memory of 4936	428	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 428 wrote to memory of 4936	428	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 428 wrote to memory of 4936	428	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 428 wrote to memory of 4936	428	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 4936 wrote to memory of 4888	4936	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 4936 wrote to memory of 4888	4936	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 4936 wrote to memory of 4888	4936	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 4936 wrote to memory of 4888	4936	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 4936 wrote to memory of 4316	4936	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 4936 wrote to memory of 4316	4936	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 4936 wrote to memory of 4316	4936	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 4936 wrote to memory of 2092	4936	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 4936 wrote to memory of 2092	4936	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 4936 wrote to memory of 2092	4936	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 4936 wrote to memory of 2092	4936	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 4936 wrote to memory of 3724	4936	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 4936 wrote to memory of 3724	4936	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 4936 wrote to memory of 3724	4936	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 4936 wrote to memory of 3772	4936	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 4936 wrote to memory of 3772	4936	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 4936 wrote to memory of 3772	4936	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 4936 wrote to memory of 740	4936	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 4936 wrote to memory of 740	4936	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 4936 wrote to memory of 740	4936	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe
PID 4936 wrote to memory of 740	4936	INQUIRY DATA SPECIFICATION.exe	INQUIRY DATA SPECIFICATION.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads