remcos | d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893

General

Target

d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
Size

338KB
MD5

9535a9f92bef3cf0a30511bb162312c0
SHA1

a2e5316e0dd263e2494feb6fe0cc051fd42b1601
SHA256

d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893
SHA512

0d2e3f575fc73f386f1f29a8505b2f696575f188d4b276712f01185bd31257763294734c6eb32313655b0a5449916ea5401ae9bbc6163effa082c6e72fe6a5ca
SSDEEP

6144:aBerKbGNtpIDKHI5misquu7o32mkdYukScl6h0z3mUy:7aGNYuo5miKus3VkbkSA+0z3mD

Score

10^/10

remcos remotehost collection discovery rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

divdemoce.duckdns.org:35639

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
dtas.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Rmc-GZATCK
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1396-157-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/1396-160-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1156-158-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1156-169-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1156-171-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1396-157-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/1156-158-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1396-160-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/1532-162-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1532-167-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1156-169-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1156-171-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exed4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe

Loads dropped DLL 1 IoCs

Processes:

d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe

pid process

4340 d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe

pid process

1844 d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe

pid	process
1844	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exed4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe

pid	process
4340	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
1844	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exed4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe

description	pid	process	target process
PID 4340 set thread context of 1844	4340	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
PID 1844 set thread context of 1156	1844	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
PID 1844 set thread context of 1396	1844	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
PID 1844 set thread context of 1532	1844	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe

Drops file in Program Files directory 1 IoCs

Processes:

d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Biskoppers.Una	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exed4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe

pid	process
1156	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
1156	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
1532	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
1532	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
1156	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
1156	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exed4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe

pid	process
4340	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
1844	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
1844	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
1844	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe

description pid process

Token: SeDebugPrivilege 1532 d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe

pid process

1844 d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe

description	pid	process
Token: SeDebugPrivilege	1532	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe

pid	process
1844	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exed4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe

description	pid	process	target process
PID 4340 wrote to memory of 1844	4340	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
PID 4340 wrote to memory of 1844	4340	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
PID 4340 wrote to memory of 1844	4340	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
PID 4340 wrote to memory of 1844	4340	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
PID 1844 wrote to memory of 1156	1844	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
PID 1844 wrote to memory of 1156	1844	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
PID 1844 wrote to memory of 1156	1844	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
PID 1844 wrote to memory of 1396	1844	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
PID 1844 wrote to memory of 1396	1844	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
PID 1844 wrote to memory of 1396	1844	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
PID 1844 wrote to memory of 1532	1844	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
PID 1844 wrote to memory of 1532	1844	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
PID 1844 wrote to memory of 1532	1844	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe	d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe

C:\Users\Admin\AppData\Local\Temp\d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
"C:\Users\Admin\AppData\Local\Temp\d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4340

C:\Users\Admin\AppData\Local\Temp\d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
"C:\Users\Admin\AppData\Local\Temp\d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe"
2⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Local\Temp\d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
C:\Users\Admin\AppData\Local\Temp\d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe /stext "C:\Users\Admin\AppData\Local\Temp\doxxqxmaqbkylbwzpqpuatybtfkvydd"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1156

C:\Users\Admin\AppData\Local\Temp\d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
C:\Users\Admin\AppData\Local\Temp\d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe /stext "C:\Users\Admin\AppData\Local\Temp\ojcpjpxtejccnhkdzacwdytscluwzouiuy"
3⤵
- Accesses Microsoft Outlook accounts
PID:1396

C:\Users\Admin\AppData\Local\Temp\d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe
C:\Users\Admin\AppData\Local\Temp\d4d418356392f1b8c0027a5de549dc21660fb5a9d39862abd47fe02ae1b4a893.exe /stext "C:\Users\Admin\AppData\Local\Temp\qlhaji"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\doxxqxmaqbkylbwzpqpuatybtfkvydd
Filesize
4KB

MD5
7e7e8e77a909ae1ac11fb356c3430a5e

SHA1
ef6c5ac6efc7104809b00840dd24a8d74e706fd4

SHA256
d3e8da27af617990bdfcaef5c3617788a606ba5860967a679fa6d5279772a985

SHA512
fe6a8722197e4cd5f61ad7182c66f6cba60ada6ca482c12eefa184fb7cb509362142f1767cb89126bfa8caaa6ed087bfd0287aacbbb56dbaa9bc2245815b1bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6E8E.tmp\System.dll
Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\dtas.dat
Filesize
188B

MD5
2ef5b5ba49887e9943462482f3e342c8

SHA1
b44cc48b0feb20aa138499373476b1fd5e0c61bd

SHA256
fc3c503c0b7b81596948626d2f4303db2ebd590f5e23530c9274b494eeab1e03

SHA512
e87f5835d76213546e3a327a49e8b3af0643c4b194c0a70bd9bffd752f3ed49fb5c82865708f2246a3795a48a2e013d954c6fa841b8b143abf1d9b841f925929

Download Submit
memory/1156-171-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1156-169-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1156-149-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1156-153-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1156-158-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1396-160-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1396-150-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1396-154-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1396-157-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1532-162-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1532-159-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1532-155-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1532-167-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1844-178-0x0000000035200000-0x0000000035219000-memory.dmp

Filesize
100KB

Download
memory/1844-182-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1844-142-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1844-174-0x0000000035200000-0x0000000035219000-memory.dmp

Filesize
100KB

Download
memory/1844-177-0x0000000035200000-0x0000000035219000-memory.dmp

Filesize
100KB

Download
memory/1844-147-0x0000000001660000-0x00000000049BD000-memory.dmp

Filesize
51.4MB

Download
memory/1844-179-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1844-143-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1844-141-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1844-185-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1844-188-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1844-191-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1844-200-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1844-203-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads