remcos | 1ff5b92150d20622dd9e690c0f2e0e6bfb9d547a22ebe4414f619667380a3d73

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
22/08/2023, 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe
Size

232KB
MD5

4cc8305c3872eece74306734857cbe6c
SHA1

5a37e53e9b9848a08b9d141969f1479d7358845d
SHA256

a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c
SHA512

90631422dc22099872f6b246b750c7a69256129ae29e6cb726c5a15ac189f045ff7d331ce80a2f0aa0b2c4a2aaf175f377ec8b3d45d0bc7d5fbdcddc23d6c0f9
SSDEEP

6144:avGSN9gWuLpcBKnVBYAsmrzpyDfOXXV1BYj:avbGWulcBKV3uOXKj

Score

10^/10

remcos wytaugust rat spyware stealer upx

Malware Config

Extracted

Family

remcos

Botnet

wytAUgust

exbanebiec.duckdns.org:9596

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-SDMP35
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2832-69-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/2832-92-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/3008-67-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/3008-70-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/3008-82-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

resource	yara_rule
behavioral1/memory/3008-67-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2832-69-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/3008-70-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2940-74-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2940-76-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/3008-82-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2832-92-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1700-54-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/1700-56-0x0000000003970000-0x00000000039F9000-memory.dmp	upx
behavioral1/memory/1700-85-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/1700-95-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/1700-99-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/1700-102-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/1700-105-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/1700-108-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/1700-111-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/1700-114-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/1700-117-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/1700-120-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/1700-123-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/1700-126-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/1700-129-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/1700-131-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/1700-135-0x0000000000400000-0x0000000000489000-memory.dmp	upx

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1700 set thread context of 3008	1700	a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe	28
PID 1700 set thread context of 2832	1700	a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe	29
PID 1700 set thread context of 2940	1700	a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe	30

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3008	a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe
3008	a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1700	a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe
1700	a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe
1700	a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2940	a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1700	a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 3008	1700	a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe	28
PID 1700 wrote to memory of 3008	1700	a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe	28
PID 1700 wrote to memory of 3008	1700	a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe	28
PID 1700 wrote to memory of 3008	1700	a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe	28
PID 1700 wrote to memory of 2832	1700	a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe	29
PID 1700 wrote to memory of 2832	1700	a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe	29
PID 1700 wrote to memory of 2832	1700	a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe	29
PID 1700 wrote to memory of 2832	1700	a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe	29
PID 1700 wrote to memory of 2940	1700	a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe	30
PID 1700 wrote to memory of 2940	1700	a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe	30
PID 1700 wrote to memory of 2940	1700	a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe	30
PID 1700 wrote to memory of 2940	1700	a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe	30

C:\Users\Admin\AppData\Local\Temp\a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe
"C:\Users\Admin\AppData\Local\Temp\a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe
  C:\Users\Admin\AppData\Local\Temp\a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe /stext "C:\Users\Admin\AppData\Local\Temp\hlfrayxjcaygaflekolee"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3008
- C:\Users\Admin\AppData\Local\Temp\a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe
  C:\Users\Admin\AppData\Local\Temp\a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe /stext "C:\Users\Admin\AppData\Local\Temp\knkjbqilqirlklhqtzggpabj"
  2⤵
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe
  C:\Users\Admin\AppData\Local\Temp\a2b750b127b533b54c4525eecfeb98f20a9923ed0e39cafbc60280dae6faec6c.exe /stext "C:\Users\Admin\AppData\Local\Temp\uhpcbjtedqjqnavukktzsfvsqnv"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
92f9860a9d1284945f5e79259f20df13

SHA1
e5dd7c8e9cf814b48c889db66ccb3e092574eacf

SHA256
9843f227cb4931aa327e8918664437e54757d01292d2181f14900b8495293edc

SHA512
cf23077236c97afc2bc61a1f19d3e80a031d6a2f23dddf52e8d0bbb658a5e38671ffe85a9e0f20624883058393a5aa9df021ffa4b7ea81048a4a9ea4f4403e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlfrayxjcaygaflekolee

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1700-86-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1700-114-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1700-135-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1700-131-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1700-129-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1700-93-0x0000000003970000-0x00000000039F9000-memory.dmp

Filesize
548KB

Download
memory/1700-126-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1700-64-0x00000000039F0000-0x0000000003A79000-memory.dmp

Filesize
548KB

Download
memory/1700-123-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1700-120-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1700-117-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1700-99-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1700-111-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1700-108-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1700-105-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1700-85-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1700-54-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1700-90-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1700-102-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1700-89-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1700-56-0x0000000003970000-0x00000000039F9000-memory.dmp

Filesize
548KB

Download
memory/1700-95-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1700-97-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2832-92-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2832-69-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2832-58-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2832-63-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2940-74-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-75-0x0000000000430000-0x0000000000497000-memory.dmp

Filesize
412KB

Download
memory/2940-76-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-72-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3008-67-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3008-70-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3008-82-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3008-57-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3008-62-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download