remcos | 99e559cde8a3871a1c1d045ff0f141d01aeff386c2798c127fdacdff6b193f17

General

Target

tmp.exe
Size

898KB
MD5

33108fe9d2b46a295190763ebb4083f7
SHA1

28926c7fd4b1271230a0cfcf2d193ef7cd08e17d
SHA256

99e559cde8a3871a1c1d045ff0f141d01aeff386c2798c127fdacdff6b193f17
SHA512

005060e50f1ddc3d721981fe433bd1a6ab9c4b57b965aa83aeab590220bd2a06aa93df25a59d5ed31e3947d85903c4910092632d27e79ad489d9af36d073458f
SSDEEP

12288:1epHyX2+Q6gmk12kka/ZzT9+CnHYNTQErfawt5IPzKi0:1epJHDskkKpT9hGZrfHtUzK

Score

10^/10

remcos remotehost collection rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

divdemoce.duckdns.org:35639

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
dtas.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Rmc-GZATCK
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/5056-168-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral2/memory/5056-174-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/1676-167-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/1676-177-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/1676-179-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5056-168-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/1676-167-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1068-170-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/1068-175-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/5056-174-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/1676-177-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1676-179-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

AddInProcess32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	AddInProcess32.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

tmp.exeAddInProcess32.exe

description	pid	process	target process
PID 744 set thread context of 5048	744	tmp.exe	AddInProcess32.exe
PID 5048 set thread context of 1676	5048	AddInProcess32.exe	AddInProcess32.exe
PID 5048 set thread context of 5056	5048	AddInProcess32.exe	AddInProcess32.exe
PID 5048 set thread context of 1068	5048	AddInProcess32.exe	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tmp.exe

pid	process
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe
744	tmp.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

AddInProcess32.exe

pid process

5048 AddInProcess32.exe
5048 AddInProcess32.exe
5048 AddInProcess32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tmp.exeAddInProcess32.exe

description pid process

Token: SeDebugPrivilege 744 tmp.exe
Token: SeDebugPrivilege 1068 AddInProcess32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AddInProcess32.exe

pid process

5048 AddInProcess32.exe

pid	process
5048	AddInProcess32.exe
5048	AddInProcess32.exe
5048	AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	744	tmp.exe
Token: SeDebugPrivilege	1068	AddInProcess32.exe

pid	process
5048	AddInProcess32.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

tmp.exeAddInProcess32.exe

description	pid	process	target process
PID 744 wrote to memory of 5048	744	tmp.exe	AddInProcess32.exe
PID 744 wrote to memory of 5048	744	tmp.exe	AddInProcess32.exe
PID 744 wrote to memory of 5048	744	tmp.exe	AddInProcess32.exe
PID 744 wrote to memory of 5048	744	tmp.exe	AddInProcess32.exe
PID 744 wrote to memory of 5048	744	tmp.exe	AddInProcess32.exe
PID 744 wrote to memory of 5048	744	tmp.exe	AddInProcess32.exe
PID 744 wrote to memory of 5048	744	tmp.exe	AddInProcess32.exe
PID 744 wrote to memory of 5048	744	tmp.exe	AddInProcess32.exe
PID 744 wrote to memory of 5048	744	tmp.exe	AddInProcess32.exe
PID 744 wrote to memory of 5048	744	tmp.exe	AddInProcess32.exe
PID 744 wrote to memory of 5048	744	tmp.exe	AddInProcess32.exe
PID 744 wrote to memory of 5048	744	tmp.exe	AddInProcess32.exe
PID 5048 wrote to memory of 1676	5048	AddInProcess32.exe	AddInProcess32.exe
PID 5048 wrote to memory of 1676	5048	AddInProcess32.exe	AddInProcess32.exe
PID 5048 wrote to memory of 1676	5048	AddInProcess32.exe	AddInProcess32.exe
PID 5048 wrote to memory of 1676	5048	AddInProcess32.exe	AddInProcess32.exe
PID 5048 wrote to memory of 5056	5048	AddInProcess32.exe	AddInProcess32.exe
PID 5048 wrote to memory of 5056	5048	AddInProcess32.exe	AddInProcess32.exe
PID 5048 wrote to memory of 5056	5048	AddInProcess32.exe	AddInProcess32.exe
PID 5048 wrote to memory of 5056	5048	AddInProcess32.exe	AddInProcess32.exe
PID 5048 wrote to memory of 1068	5048	AddInProcess32.exe	AddInProcess32.exe
PID 5048 wrote to memory of 1068	5048	AddInProcess32.exe	AddInProcess32.exe
PID 5048 wrote to memory of 1068	5048	AddInProcess32.exe	AddInProcess32.exe
PID 5048 wrote to memory of 1068	5048	AddInProcess32.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\gsszmbxzndvh"
3⤵
PID:1676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\qmfsntibblnuyex"
3⤵
- Accesses Microsoft Outlook accounts
PID:5056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\tolcnetvptfzbklbuqy"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gsszmbxzndvh
Filesize
4KB

MD5
da9a4a4b3869b633570f0328857ab308

SHA1
a28b700676caac92151465ee98f8db04d050a7cd

SHA256
54ab428ebf079d77ff4c770dbf0d7278b317b53b2d3efcf117f1b439c3b85677

SHA512
43ceb519348803f2b501d99f13f208605411fb0cc1dff85144890087669f9d3ef060757ba13a45d4049fc3218ca0e975686e703f914f51e04b6d859e7d060c38

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\dtas.dat
Filesize
144B

MD5
4cb8e34d152c519f4e374101353a9ac8

SHA1
cbd44acc970d4e43b333d17daef6c4136ec8f18a

SHA256
1e1853425125b6401047953057272c85bac9dd0374cad6ca97413836d3d59797

SHA512
b3900762ec90e79759a9f05156947a5832d9de5fecf727782f965ceb76dd3693c4bbbf6c5f6d725a3919c827da82f468bb42bd8a3521f7dfbc1d23360e103e74

Download Submit
memory/744-137-0x0000000002600000-0x000000000260A000-memory.dmp

Filesize
40KB

Download
memory/744-142-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/744-133-0x0000000000BE0000-0x0000000000CC6000-memory.dmp

Filesize
920KB

Download
memory/744-138-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/744-139-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/744-140-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/744-141-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/744-136-0x0000000004C20000-0x0000000004CBC000-memory.dmp

Filesize
624KB

Download
memory/744-143-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/744-144-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/744-135-0x0000000004B80000-0x0000000004C12000-memory.dmp

Filesize
584KB

Download
memory/744-134-0x0000000005330000-0x00000000058D4000-memory.dmp

Filesize
5.6MB

Download
memory/1068-175-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1068-170-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1068-169-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1068-162-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1676-159-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1676-164-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1676-179-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1676-177-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1676-167-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5048-186-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/5048-147-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5048-152-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5048-208-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5048-207-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5048-158-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5048-200-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5048-151-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5048-150-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5048-148-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5048-199-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5048-156-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5048-155-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5048-153-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5048-181-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/5048-184-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/5048-185-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5048-154-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5048-145-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5048-191-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5048-192-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5056-174-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5056-166-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5056-168-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5056-160-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads