Overview

overview

10

Static

static

3

33108fe9d2...f7.exe

windows7-x64

10

33108fe9d2...f7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-06-2023 04:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    33108fe9d2b46a295190763ebb4083f7.exe

  • Size

    898KB

  • MD5

    33108fe9d2b46a295190763ebb4083f7

  • SHA1

    28926c7fd4b1271230a0cfcf2d193ef7cd08e17d

  • SHA256

    99e559cde8a3871a1c1d045ff0f141d01aeff386c2798c127fdacdff6b193f17

  • SHA512

    005060e50f1ddc3d721981fe433bd1a6ab9c4b57b965aa83aeab590220bd2a06aa93df25a59d5ed31e3947d85903c4910092632d27e79ad489d9af36d073458f

  • SSDEEP

    12288:1epHyX2+Q6gmk12kka/ZzT9+CnHYNTQErfawt5IPzKi0:1epJHDskkKpT9hGZrfHtUzK

Score
10/10
remcosremotehostcollectionrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

divdemoce.duckdns.org:35639

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    dtas.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Rmc-GZATCK

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33108fe9d2b46a295190763ebb4083f7.exe
    "C:\Users\Admin\AppData\Local\Temp\33108fe9d2b46a295190763ebb4083f7.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5072
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4488
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\ibwqltaelfmfylumav"
        3⤵
          PID:1140
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\ibwqltaelfmfylumav"
          3⤵
            PID:2196
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\ibwqltaelfmfylumav"
            3⤵
              PID:4296
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\ibwqltaelfmfylumav"
              3⤵
                PID:1556
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\svkjmllxznekjrqqjfoql"
                3⤵
                • Accesses Microsoft Outlook accounts
                PID:5092
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\dxptmevznvwplfeuaqirwyvlg"
                3⤵
                  PID:388
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\dxptmevznvwplfeuaqirwyvlg"
                  3⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:420
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\dxptmevznvwplfeuaqirwyvlg"
                  3⤵
                    PID:4704

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              Privilege Escalation

              Defense Evasion

              Credential Access

              Discovery

              Lateral Movement

              Collection

              Email Collection

              1
              T1114

              Exfiltration

              Command and Control

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\ibwqltaelfmfylumav
                Filesize

                4KB

                MD5

                b1a407ed9778faba2aa43f92e4e85dca

                SHA1

                cb9c6835291dde8bf4227b3adafdc8e0ef07a4bb

                SHA256

                1d16f0d3fe199ac744b1305b95e04ed2fd8711ada610cfbe373a14ea301277f5

                SHA512

                7d9ca374f1d3464a9ba12c8a7708593e43eee2a7f2b7ac7cecf6fe36845d6407bc2938dddab63ee912a16dd70488ffeae6c4408e7c1e57457441c4a3243103ac

                Download Submit
              • C:\Users\Admin\AppData\Roaming\remcos\dtas.dat
                Filesize

                144B

                MD5

                b9cfbf2dda7def91fb980032575278fa

                SHA1

                ab5941251e71c2c32e460681ad8d41b1bfbeaf94

                SHA256

                1d08411059e744c73e7c53abd0d5be3f8d040ff0cbbb83ed747ea84c4477e00f

                SHA512

                b2e1537571b890ed576588a202530cced42c8e6d75ec5af137d61e3f17a39e273a941c4bc6d8f51af2f9c7a964acfe97cf8ad0d647eba3d76b0ca273517f8f8b

                Download Submit
              • memory/420-177-0x0000000000400000-0x0000000000424000-memory.dmp
                Filesize

                144KB

                Download
              • memory/420-175-0x0000000000400000-0x0000000000424000-memory.dmp
                Filesize

                144KB

                Download
              • memory/420-174-0x0000000000400000-0x0000000000424000-memory.dmp
                Filesize

                144KB

                Download
              • memory/420-167-0x0000000000400000-0x0000000000424000-memory.dmp
                Filesize

                144KB

                Download
              • memory/1556-160-0x0000000000400000-0x0000000000478000-memory.dmp
                Filesize

                480KB

                Download
              • memory/1556-179-0x0000000000400000-0x0000000000478000-memory.dmp
                Filesize

                480KB

                Download
              • memory/1556-166-0x0000000000400000-0x0000000000478000-memory.dmp
                Filesize

                480KB

                Download
              • memory/1556-164-0x0000000000400000-0x0000000000478000-memory.dmp
                Filesize

                480KB

                Download
              • memory/4488-159-0x0000000000400000-0x0000000000481000-memory.dmp
                Filesize

                516KB

                Download
              • memory/4488-184-0x0000000010000000-0x0000000010019000-memory.dmp
                Filesize

                100KB

                Download
              • memory/4488-212-0x0000000000400000-0x0000000000481000-memory.dmp
                Filesize

                516KB

                Download
              • memory/4488-146-0x0000000000400000-0x0000000000481000-memory.dmp
                Filesize

                516KB

                Download
              • memory/4488-148-0x0000000000400000-0x0000000000481000-memory.dmp
                Filesize

                516KB

                Download
              • memory/4488-149-0x0000000000400000-0x0000000000481000-memory.dmp
                Filesize

                516KB

                Download
              • memory/4488-151-0x0000000000400000-0x0000000000481000-memory.dmp
                Filesize

                516KB

                Download
              • memory/4488-152-0x0000000000400000-0x0000000000481000-memory.dmp
                Filesize

                516KB

                Download
              • memory/4488-153-0x0000000000400000-0x0000000000481000-memory.dmp
                Filesize

                516KB

                Download
              • memory/4488-154-0x0000000000400000-0x0000000000481000-memory.dmp
                Filesize

                516KB

                Download
              • memory/4488-155-0x0000000000400000-0x0000000000481000-memory.dmp
                Filesize

                516KB

                Download
              • memory/4488-156-0x0000000000400000-0x0000000000481000-memory.dmp
                Filesize

                516KB

                Download
              • memory/4488-157-0x0000000000400000-0x0000000000481000-memory.dmp
                Filesize

                516KB

                Download
              • memory/4488-211-0x0000000000400000-0x0000000000481000-memory.dmp
                Filesize

                516KB

                Download
              • memory/4488-204-0x0000000000400000-0x0000000000481000-memory.dmp
                Filesize

                516KB

                Download
              • memory/4488-203-0x0000000000400000-0x0000000000481000-memory.dmp
                Filesize

                516KB

                Download
              • memory/4488-196-0x0000000000400000-0x0000000000481000-memory.dmp
                Filesize

                516KB

                Download
              • memory/4488-195-0x0000000000400000-0x0000000000481000-memory.dmp
                Filesize

                516KB

                Download
              • memory/4488-188-0x0000000000400000-0x0000000000481000-memory.dmp
                Filesize

                516KB

                Download
              • memory/4488-187-0x0000000000400000-0x0000000000481000-memory.dmp
                Filesize

                516KB

                Download
              • memory/4488-186-0x0000000010000000-0x0000000010019000-memory.dmp
                Filesize

                100KB

                Download
              • memory/4488-185-0x0000000000400000-0x0000000000481000-memory.dmp
                Filesize

                516KB

                Download
              • memory/4488-181-0x0000000010000000-0x0000000010019000-memory.dmp
                Filesize

                100KB

                Download
              • memory/5072-142-0x00000000058A0000-0x00000000058B0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/5072-139-0x00000000058A0000-0x00000000058B0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/5072-145-0x00000000058A0000-0x00000000058B0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/5072-135-0x0000000005920000-0x00000000059B2000-memory.dmp
                Filesize

                584KB

                Download
              • memory/5072-141-0x00000000058A0000-0x00000000058B0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/5072-144-0x00000000058A0000-0x00000000058B0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/5072-133-0x0000000000060000-0x0000000000146000-memory.dmp
                Filesize

                920KB

                Download
              • memory/5072-134-0x0000000005E30000-0x00000000063D4000-memory.dmp
                Filesize

                5.6MB

                Download
              • memory/5072-136-0x00000000059C0000-0x0000000005A5C000-memory.dmp
                Filesize

                624KB

                Download
              • memory/5072-137-0x00000000058A0000-0x00000000058B0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/5072-140-0x00000000058A0000-0x00000000058B0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/5072-143-0x00000000058A0000-0x00000000058B0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/5072-138-0x0000000005900000-0x000000000590A000-memory.dmp
                Filesize

                40KB

                Download
              • memory/5092-162-0x0000000000400000-0x0000000000457000-memory.dmp
                Filesize

                348KB

                Download
              • memory/5092-165-0x0000000000400000-0x0000000000457000-memory.dmp
                Filesize

                348KB

                Download
              • memory/5092-173-0x0000000000400000-0x0000000000457000-memory.dmp
                Filesize

                348KB

                Download
              • memory/5092-168-0x0000000000400000-0x0000000000457000-memory.dmp
                Filesize

                348KB

                Download