remcos | 6cdd7bda126433118105c02651645c57bd7d360eddfb7bd98e7f0d12a7de3d9c

Analysis

max time kernel
149s
max time network
142s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
03-11-2023 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OverdriveNTool 0.2.9/OverdriveNTool.exe
Size

3.0MB
MD5

9c87113fd09d6f77d5b0922e59f8db79
SHA1

43b2803ecb7a5d7b68b00e64396a711dab0ac583
SHA256

cdbf7b4c4ff081fc453f084ad7487c75adcc35a0052f5c197dbadbe22f055cee
SHA512

5e72fd0d49f98f356e8581208535bae49fee8d4919eeedf80d52df46e5f50e940f67fe411d582551e70a9f9838f5f2db42b61c2cb88e3bccc77ecb575899eb83
SSDEEP

49152:OEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVjHX3338w:O92bz2Eb6pd7B6bAGx7F33333

Score

10^/10

remcos support8007 rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

Support8007

5.61.53.75:8007

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
ms
keylog_path
ApplicationPath
mouse_option
false
mutex
-VU4P5D
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 6 IoCs

flow	pid	Process
2	2732	cmd.exe
3	2732	cmd.exe
4	2732	cmd.exe
5	2732	cmd.exe
6	2732	cmd.exe
7	2732	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2096	OverdriveNTool.exe
2724	java.exe

Loads dropped DLL 3 IoCs

pid	Process
1612	OverdriveNTool.exe
1612	OverdriveNTool.exe
2724	java.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\java.job	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1612	OverdriveNTool.exe
1612	OverdriveNTool.exe
2724	java.exe
2724	java.exe
2728	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2096	OverdriveNTool.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2728	cmd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1612	OverdriveNTool.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 1612	2080	OverdriveNTool.exe	28
PID 2080 wrote to memory of 1612	2080	OverdriveNTool.exe	28
PID 2080 wrote to memory of 1612	2080	OverdriveNTool.exe	28
PID 2080 wrote to memory of 1612	2080	OverdriveNTool.exe	28
PID 2080 wrote to memory of 1612	2080	OverdriveNTool.exe	28
PID 2080 wrote to memory of 1612	2080	OverdriveNTool.exe	28
PID 2080 wrote to memory of 1612	2080	OverdriveNTool.exe	28
PID 1612 wrote to memory of 2096	1612	OverdriveNTool.exe	29
PID 1612 wrote to memory of 2096	1612	OverdriveNTool.exe	29
PID 1612 wrote to memory of 2096	1612	OverdriveNTool.exe	29
PID 1612 wrote to memory of 2096	1612	OverdriveNTool.exe	29
PID 1612 wrote to memory of 2724	1612	OverdriveNTool.exe	30
PID 1612 wrote to memory of 2724	1612	OverdriveNTool.exe	30
PID 1612 wrote to memory of 2724	1612	OverdriveNTool.exe	30
PID 1612 wrote to memory of 2724	1612	OverdriveNTool.exe	30
PID 1612 wrote to memory of 2724	1612	OverdriveNTool.exe	30
PID 1612 wrote to memory of 2724	1612	OverdriveNTool.exe	30
PID 1612 wrote to memory of 2724	1612	OverdriveNTool.exe	30
PID 2724 wrote to memory of 2728	2724	java.exe	31
PID 2724 wrote to memory of 2728	2724	java.exe	31
PID 2724 wrote to memory of 2728	2724	java.exe	31
PID 2724 wrote to memory of 2728	2724	java.exe	31
PID 2724 wrote to memory of 2728	2724	java.exe	31
PID 2724 wrote to memory of 2728	2724	java.exe	31
PID 2724 wrote to memory of 2728	2724	java.exe	31
PID 2724 wrote to memory of 2728	2724	java.exe	31
PID 2724 wrote to memory of 2728	2724	java.exe	31
PID 2724 wrote to memory of 2728	2724	java.exe	31
PID 2724 wrote to memory of 2728	2724	java.exe	31
PID 2724 wrote to memory of 2728	2724	java.exe	31
PID 2724 wrote to memory of 2728	2724	java.exe	31
PID 2724 wrote to memory of 2728	2724	java.exe	31
PID 2724 wrote to memory of 2728	2724	java.exe	31
PID 2724 wrote to memory of 2728	2724	java.exe	31
PID 2724 wrote to memory of 2728	2724	java.exe	31
PID 2724 wrote to memory of 2728	2724	java.exe	31
PID 2724 wrote to memory of 2728	2724	java.exe	31
PID 2724 wrote to memory of 2728	2724	java.exe	31
PID 2724 wrote to memory of 2728	2724	java.exe	31
PID 2724 wrote to memory of 2728	2724	java.exe	31
PID 2724 wrote to memory of 2728	2724	java.exe	31
PID 2724 wrote to memory of 2728	2724	java.exe	31
PID 2728 wrote to memory of 2732	2728	cmd.exe	33
PID 2728 wrote to memory of 2732	2728	cmd.exe	33
PID 2728 wrote to memory of 2732	2728	cmd.exe	33
PID 2728 wrote to memory of 2732	2728	cmd.exe	33
PID 2728 wrote to memory of 2732	2728	cmd.exe	33
PID 2728 wrote to memory of 2732	2728	cmd.exe	33
PID 2728 wrote to memory of 2732	2728	cmd.exe	33
PID 2728 wrote to memory of 2732	2728	cmd.exe	33
PID 2728 wrote to memory of 2732	2728	cmd.exe	33
PID 2728 wrote to memory of 2732	2728	cmd.exe	33
PID 2728 wrote to memory of 2732	2728	cmd.exe	33
PID 2728 wrote to memory of 2732	2728	cmd.exe	33
PID 2728 wrote to memory of 2732	2728	cmd.exe	33
PID 2728 wrote to memory of 2732	2728	cmd.exe	33
PID 2728 wrote to memory of 2732	2728	cmd.exe	33
PID 2728 wrote to memory of 2732	2728	cmd.exe	33
PID 2728 wrote to memory of 2732	2728	cmd.exe	33
PID 2728 wrote to memory of 2732	2728	cmd.exe	33
PID 2728 wrote to memory of 2732	2728	cmd.exe	33
PID 2728 wrote to memory of 2732	2728	cmd.exe	33
PID 2728 wrote to memory of 2732	2728	cmd.exe	33
PID 2728 wrote to memory of 2732	2728	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\OverdriveNTool 0.2.9\OverdriveNTool.exe
"C:\Users\Admin\AppData\Local\Temp\OverdriveNTool 0.2.9\OverdriveNTool.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\OverdriveNTool 0.2.9\OverdriveNTool.exe
  "C:\Users\Admin\AppData\Local\Temp\OverdriveNTool 0.2.9\OverdriveNTool.exe" /VERYSILENT
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Users\Admin\AppData\Roaming\Overtoolr\OverdriveNTool.exe
    "C:\Users\Admin\AppData\Roaming\Overtoolr\OverdriveNTool.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2096
- - C:\Users\Admin\AppData\Roaming\Overtoolr\java.exe
    "C:\Users\Admin\AppData\Roaming\Overtoolr\java.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        Blocklisted process makes network request
        Drops file in Windows directory
        
        PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Overtoolr\MSVCR100.dll

Filesize
755KB

MD5
a60e97e705e254c7b49c500475c2efc8

SHA1
7ba79e9c5a25540bc75fb93e285eebe4aadcf10f

SHA256
9e0cdf9d09ffc68eb73818f86dd2d8cbd807e04209ba95e9ca3408a75ce43e65

SHA512
adb2b16c38264a18ab1714c1b655f7848d3a22abbf66d23f6d011a852e09e815399ae74d56e5645d09fc6977621a3e9954ccc88dcdfee5b44ee548f88450d5b2

Download Submit
C:\Users\Admin\AppData\Roaming\Overtoolr\OverdriveNTool.exe

Filesize
3.3MB

MD5
9d0b0d3ce4b1479ee0ad3ab659691dc9

SHA1
2a7d5add5ade9dbc7b03ab6e28b9085d14579c2e

SHA256
0856dd07f6efa48729888ba519e2a3fd4eaa37de3463eb7bc838e45d2b5790e6

SHA512
d69235d2e426f4e82337110a3795833e94ef362ffa27c10fd1a4febbc0422038c7d29064da064d565f59532a9a22c6487dc3be595753ea7bd920214cc4f591b9

Download Submit
C:\Users\Admin\AppData\Roaming\Overtoolr\java.exe

Filesize
56KB

MD5
95e3593ca9a3ce84ecb40b727fdd3234

SHA1
e387efa1b3580ea075fa637e19c388df7a330d3d

SHA256
ea195e495e6be1e4ae4bdea1a269317d9879a34646a4e34f13af97bf7f8c14da

SHA512
87ff1ac9e2943b2e4a5248df738e5d01fede02384b3f3523584f7059860e036355dd87f6a376eadd3c79478083439e56c0974012157e2106eff7dc5f668e5cc6

Download Submit
C:\Users\Admin\AppData\Roaming\Overtoolr\java.exe

Filesize
56KB

MD5
95e3593ca9a3ce84ecb40b727fdd3234

SHA1
e387efa1b3580ea075fa637e19c388df7a330d3d

SHA256
ea195e495e6be1e4ae4bdea1a269317d9879a34646a4e34f13af97bf7f8c14da

SHA512
87ff1ac9e2943b2e4a5248df738e5d01fede02384b3f3523584f7059860e036355dd87f6a376eadd3c79478083439e56c0974012157e2106eff7dc5f668e5cc6

Download Submit
C:\Users\Admin\AppData\Roaming\Overtoolr\time.ini

Filesize
10B

MD5
5b6856f38d73e8a6ec5e72e3360881cf

SHA1
f392351066ecf2ad094cf2eefbd7ac778771358e

SHA256
b64e112d002d4d5d13209bef618c81d7d77fb24c5e9de1531d09b71f19ae268e

SHA512
29df2f6d3d421fd71170b1f6c47428f9456d85b686fe2f9b56b009c04b6b9a52e4b7430279bf387625b1f2492e913c8502fd22622c285ae9a0c0ec50e6dedf4c

Download Submit
C:\Users\Admin\AppData\Roaming\Overtoolr\time.wav

Filesize
36KB

MD5
97f3e1b54533434df8fdc12740d654a3

SHA1
32a1493393301baa518ab88acc9deaabcec71450

SHA256
54450c269d37c64b1cf66e8a48611bff1e766ba2700d5af9230c62463ce5b2a2

SHA512
5498d84e19323d418caf67a5e1bb3426955de8ed8854f281ce720070c2d500314629d770cc8441a830cfe2d8e80c97a571047568a83e39ae0be48bc065508b7c

Download Submit
C:\Users\Admin\AppData\Roaming\Overtoolr\yqvoOF.png

Filesize
1011KB

MD5
050eb14aa02e022c147d5b9f19abfc8b

SHA1
28b2d7405c864fc9cfb5e1cf05e899b80d8f73a1

SHA256
811beb74801eb2177c3d247c0854fbc4bfd41b920cf8c467aca229390dccfac0

SHA512
29ca8399163c3d42313028d5fa0b3632198c13cee71fe9a85201ee4cd46060d8a581e23bddad9fa3c38692d2e06b105a4f3fbc95ad7c19760bcf033566f5d678

Download Submit
\Users\Admin\AppData\Roaming\Overtoolr\OverdriveNTool.exe

Filesize
3.3MB

MD5
9d0b0d3ce4b1479ee0ad3ab659691dc9

SHA1
2a7d5add5ade9dbc7b03ab6e28b9085d14579c2e

SHA256
0856dd07f6efa48729888ba519e2a3fd4eaa37de3463eb7bc838e45d2b5790e6

SHA512
d69235d2e426f4e82337110a3795833e94ef362ffa27c10fd1a4febbc0422038c7d29064da064d565f59532a9a22c6487dc3be595753ea7bd920214cc4f591b9

Download Submit
\Users\Admin\AppData\Roaming\Overtoolr\java.exe

Filesize
56KB

MD5
95e3593ca9a3ce84ecb40b727fdd3234

SHA1
e387efa1b3580ea075fa637e19c388df7a330d3d

SHA256
ea195e495e6be1e4ae4bdea1a269317d9879a34646a4e34f13af97bf7f8c14da

SHA512
87ff1ac9e2943b2e4a5248df738e5d01fede02384b3f3523584f7059860e036355dd87f6a376eadd3c79478083439e56c0974012157e2106eff7dc5f668e5cc6

Download Submit
\Users\Admin\AppData\Roaming\Overtoolr\msvcr100.dll

Filesize
755KB

MD5
a60e97e705e254c7b49c500475c2efc8

SHA1
7ba79e9c5a25540bc75fb93e285eebe4aadcf10f

SHA256
9e0cdf9d09ffc68eb73818f86dd2d8cbd807e04209ba95e9ca3408a75ce43e65

SHA512
adb2b16c38264a18ab1714c1b655f7848d3a22abbf66d23f6d011a852e09e815399ae74d56e5645d09fc6977621a3e9954ccc88dcdfee5b44ee548f88450d5b2

Download Submit
memory/1612-4-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1612-28-0x0000000000400000-0x0000000000716000-memory.dmp

Filesize
3.1MB

Download
memory/2080-3-0x0000000000400000-0x0000000000716000-memory.dmp

Filesize
3.1MB

Download
memory/2080-0-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2096-29-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2096-51-0x0000000000400000-0x0000000000761000-memory.dmp

Filesize
3.4MB

Download
memory/2096-50-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2724-35-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2728-41-0x0000000005800000-0x0000000005960000-memory.dmp

Filesize
1.4MB

Download
memory/2728-40-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download
memory/2728-42-0x0000000076F50000-0x00000000770F9000-memory.dmp

Filesize
1.7MB

Download
memory/2728-36-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/2728-49-0x0000000005800000-0x0000000005960000-memory.dmp

Filesize
1.4MB

Download
memory/2732-64-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2732-66-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2732-52-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2732-58-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2732-60-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2732-62-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2732-43-0x0000000000160000-0x0000000000169000-memory.dmp

Filesize
36KB

Download
memory/2732-44-0x0000000076F50000-0x00000000770F9000-memory.dmp

Filesize
1.7MB

Download
memory/2732-68-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2732-70-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2732-72-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2732-74-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2732-76-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2732-78-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2732-80-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2732-82-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download