remcos | b447cfa88f6896a02d8aee885d8803b2cb0c61f0a5934d4017f372bb8bc3a2ca

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/12/2023, 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c0944dc238631d0847d2e9137e28dd0.exe
Size

354KB
MD5

9c0944dc238631d0847d2e9137e28dd0
SHA1

0bc7bc23ee378cbfd909251a99b7c0492ddbbb0e
SHA256

b447cfa88f6896a02d8aee885d8803b2cb0c61f0a5934d4017f372bb8bc3a2ca
SHA512

97d0944c6c250a3937b8028d144088763fea4d636a54719cb357fffa767196cae8fc97aebf5fa6931dcebed4e65d3672ce4e642777af72c5957a61c05ecc2e34
SSDEEP

6144:bhjmbz7D+yqLQeUCiKJZ1PrmG6E/nc3PrC2grR7DnK3qaW5Z1uX0rLvg:cDpxCiKrFiNE/ne2xljK3qDhA9

Score

10^/10

remcos chi'm collection persistence rat spyware stealer upx

Malware Config

Extracted

Family

remcos

Botnet

Chi'm

unllin.com:3211

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-GVMDL4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1256-39-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral2/memory/1256-44-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4980-34-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/4980-47-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

resource	yara_rule
behavioral2/memory/4980-34-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1256-39-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/3952-40-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/1256-44-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/3952-45-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4980-47-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Executes dropped EXE 6 IoCs

pid	Process
4464	amhsji.exe
4996	amhsji.exe
4980	amhsji.exe
1256	amhsji.exe
1120	amhsji.exe
3952	amhsji.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4996-8-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4996-10-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4996-12-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4996-14-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4996-13-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4996-15-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4996-16-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4996-17-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4996-18-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4996-19-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4996-20-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4996-22-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4996-56-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4996-57-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4996-59-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4996-60-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4996-61-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4996-62-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4996-63-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4996-64-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4996-65-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4996-66-0x0000000000400000-0x000000000048A000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	amhsji.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbwg = "C:\\Users\\Admin\\AppData\\Roaming\\kktppxtd\\dmiir.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\amhsji.exe\" "	amhsji.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4464 set thread context of 4996	4464	amhsji.exe	90
PID 4996 set thread context of 4980	4996	amhsji.exe	92
PID 4996 set thread context of 1256	4996	amhsji.exe	93
PID 4996 set thread context of 3952	4996	amhsji.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4980	amhsji.exe
4980	amhsji.exe
3952	amhsji.exe
3952	amhsji.exe
4980	amhsji.exe
4980	amhsji.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4464	amhsji.exe
4996	amhsji.exe
4996	amhsji.exe
4996	amhsji.exe
4996	amhsji.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3952	amhsji.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 4464	768	9c0944dc238631d0847d2e9137e28dd0.exe	89
PID 768 wrote to memory of 4464	768	9c0944dc238631d0847d2e9137e28dd0.exe	89
PID 768 wrote to memory of 4464	768	9c0944dc238631d0847d2e9137e28dd0.exe	89
PID 4464 wrote to memory of 4996	4464	amhsji.exe	90
PID 4464 wrote to memory of 4996	4464	amhsji.exe	90
PID 4464 wrote to memory of 4996	4464	amhsji.exe	90
PID 4464 wrote to memory of 4996	4464	amhsji.exe	90
PID 4996 wrote to memory of 4980	4996	amhsji.exe	92
PID 4996 wrote to memory of 4980	4996	amhsji.exe	92
PID 4996 wrote to memory of 4980	4996	amhsji.exe	92
PID 4996 wrote to memory of 4980	4996	amhsji.exe	92
PID 4996 wrote to memory of 1256	4996	amhsji.exe	93
PID 4996 wrote to memory of 1256	4996	amhsji.exe	93
PID 4996 wrote to memory of 1256	4996	amhsji.exe	93
PID 4996 wrote to memory of 1256	4996	amhsji.exe	93
PID 4996 wrote to memory of 1120	4996	amhsji.exe	95
PID 4996 wrote to memory of 1120	4996	amhsji.exe	95
PID 4996 wrote to memory of 1120	4996	amhsji.exe	95
PID 4996 wrote to memory of 3952	4996	amhsji.exe	94
PID 4996 wrote to memory of 3952	4996	amhsji.exe	94
PID 4996 wrote to memory of 3952	4996	amhsji.exe	94
PID 4996 wrote to memory of 3952	4996	amhsji.exe	94

C:\Users\Admin\AppData\Local\Temp\9c0944dc238631d0847d2e9137e28dd0.exe
"C:\Users\Admin\AppData\Local\Temp\9c0944dc238631d0847d2e9137e28dd0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:768
- C:\Users\Admin\AppData\Local\Temp\amhsji.exe
  "C:\Users\Admin\AppData\Local\Temp\amhsji.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Users\Admin\AppData\Local\Temp\amhsji.exe
    "C:\Users\Admin\AppData\Local\Temp\amhsji.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4996
  - - C:\Users\Admin\AppData\Local\Temp\amhsji.exe
      C:\Users\Admin\AppData\Local\Temp\amhsji.exe /stext "C:\Users\Admin\AppData\Local\Temp\shjpoav"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4980
  - - C:\Users\Admin\AppData\Local\Temp\amhsji.exe
      C:\Users\Admin\AppData\Local\Temp\amhsji.exe /stext "C:\Users\Admin\AppData\Local\Temp\cjoipsgjpib"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      PID:1256
  - - C:\Users\Admin\AppData\Local\Temp\amhsji.exe
      C:\Users\Admin\AppData\Local\Temp\amhsji.exe /stext "C:\Users\Admin\AppData\Local\Temp\fdcbqlyklqtdac"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3952
  - - C:\Users\Admin\AppData\Local\Temp\amhsji.exe
      C:\Users\Admin\AppData\Local\Temp\amhsji.exe /stext "C:\Users\Admin\AppData\Local\Temp\fdcbqlyklqtdac"
      4⤵
      Executes dropped EXE
      PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\amhsji.exe

Filesize
158KB

MD5
f4b40538056902aa7d6f206be518ffa7

SHA1
93188fc7755b282c8efa46fd428147d67567f76f

SHA256
bf56add609e397a7b147c59c7e70551996070321b8244a9c41b2cfff5ba62d28

SHA512
bdd6aac3cb255b39f931fbeb1c2e3ccd7c30d57b8be6cd8ee83bb9dc1ad55a767bce615d2171e7690350d25623a4899e0cf7f15e1cfb44d3a80f80ec4756f235

Download Submit
C:\Users\Admin\AppData\Local\Temp\shjpoav

Filesize
4KB

MD5
b4329339750e86291d8a7191b0dc7955

SHA1
a125e8cf6fec1b6fd003139495a37d68f020254f

SHA256
85e5e57100dde581ff37dcd80cbe55643328aaa6518b265ceb788d21ba9d0695

SHA512
9bd5d6ae3feca8eaa03a1c3c147fc98aebca41aea976b1deeb9ae158cd4acfbdd45244a727c071a604fed12dcadc568462777597758532c42d28ec480bfc6054

Download Submit
C:\Users\Admin\AppData\Local\Temp\xvmwqjrtws.j

Filesize
253KB

MD5
0e34fcbf8aa4b56670d2196edfae0ce6

SHA1
a48b299c210958f47fbffcb9060161d5b1475d52

SHA256
d01291189967806ef88dff09df81821f5cc6249d6e6a9ec0fba8be48339963e2

SHA512
f93d9836aea57303bfa8ae0801d59a41c4fb147219240d1f0118e22226448bc5584605b25e1bbbcf45379b35053073c25a595e70228fb2367d37f619170ac0d6

Download Submit
memory/1256-39-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1256-44-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1256-32-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1256-26-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3952-45-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3952-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3952-40-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3952-37-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4464-5-0x00000000009D0000-0x00000000009D2000-memory.dmp

Filesize
8KB

Download
memory/4980-47-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4980-34-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4980-30-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4980-23-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4996-18-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4996-52-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4996-20-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4996-19-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4996-17-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4996-16-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4996-15-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4996-13-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4996-14-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4996-12-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4996-10-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4996-8-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4996-49-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4996-22-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4996-54-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4996-53-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4996-55-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4996-56-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4996-57-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4996-58-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4996-59-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4996-60-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4996-61-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4996-62-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4996-63-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4996-64-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4996-65-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4996-66-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download