remcos | bd38a2cf3de117e4a0373e10c6d9f26277c1905b93c0560d210b6392c3d6f46a

Analysis

max time kernel
161s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 09:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FG98765678000.exe
Size

656KB
MD5

0058da743288cb67e15afbfcb0ab6e1a
SHA1

99cde8486c006b735d1d5111d493303291a847fb
SHA256

412c4f354965eb514a79001b512c70e8d36e1d443fe599aca0916893eab369ef
SHA512

b0cb8a7279ad0e8e49b8b84738e009e93cc2e1e02a909ac88d929a374ff1e6aaa470c5226fcfe24969b4993a7d989a36432d948e1516635e32a1a79d1c06a966
SSDEEP

12288:RaoPTJIU4nr5Kfe8tNCqrKgj65I9ra/Q/fGHAW3A79hRff/aY:RDPFv4nVB8tNCqmgj6Ua/Q/fL97f6Y

Score

10^/10

remcos dollar collection persistence rat

Malware Config

Extracted

Family

remcos

Botnet

DOLLAR

107.175.229.139:8087

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-UZXQ9B
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1708-45-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral2/memory/1708-55-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral2/memory/1708-49-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/964-48-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/964-58-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

resource	yara_rule
behavioral2/memory/1708-45-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/964-48-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/4292-50-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/1708-55-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/4292-51-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/1708-49-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/4292-56-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/964-58-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

pid	Process
4476	deaegyz.exe
4216	deaegyz.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	iexplore.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttdyhqmvrbkg = "C:\\Users\\Admin\\AppData\\Roaming\\yudmiibbwgcluq\\jjfo.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\deaegyz.exe\" "	deaegyz.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 4476 set thread context of 4216	4476	deaegyz.exe	91
PID 4216 set thread context of 4936	4216	deaegyz.exe	93
PID 4936 set thread context of 3060	4936	iexplore.exe	95
PID 3060 set thread context of 964	3060	iexplore.exe	99
PID 3060 set thread context of 1708	3060	iexplore.exe	100
PID 3060 set thread context of 4292	3060	iexplore.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
964	iexplore.exe
964	iexplore.exe
4292	iexplore.exe
4292	iexplore.exe
964	iexplore.exe
964	iexplore.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
4476	deaegyz.exe
4216	deaegyz.exe
4216	deaegyz.exe
4936	iexplore.exe
4936	iexplore.exe
3060	iexplore.exe
3060	iexplore.exe
3060	iexplore.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4292	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3060	iexplore.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 4476	4440	FG98765678000.exe	88
PID 4440 wrote to memory of 4476	4440	FG98765678000.exe	88
PID 4440 wrote to memory of 4476	4440	FG98765678000.exe	88
PID 4476 wrote to memory of 4216	4476	deaegyz.exe	91
PID 4476 wrote to memory of 4216	4476	deaegyz.exe	91
PID 4476 wrote to memory of 4216	4476	deaegyz.exe	91
PID 4476 wrote to memory of 4216	4476	deaegyz.exe	91
PID 4216 wrote to memory of 1416	4216	deaegyz.exe	92
PID 4216 wrote to memory of 1416	4216	deaegyz.exe	92
PID 4216 wrote to memory of 1416	4216	deaegyz.exe	92
PID 4216 wrote to memory of 4936	4216	deaegyz.exe	93
PID 4216 wrote to memory of 4936	4216	deaegyz.exe	93
PID 4216 wrote to memory of 4936	4216	deaegyz.exe	93
PID 4216 wrote to memory of 4936	4216	deaegyz.exe	93
PID 4936 wrote to memory of 4816	4936	iexplore.exe	96
PID 4936 wrote to memory of 4816	4936	iexplore.exe	96
PID 4936 wrote to memory of 4816	4936	iexplore.exe	96
PID 4936 wrote to memory of 3060	4936	iexplore.exe	95
PID 4936 wrote to memory of 3060	4936	iexplore.exe	95
PID 4936 wrote to memory of 3060	4936	iexplore.exe	95
PID 4936 wrote to memory of 3060	4936	iexplore.exe	95
PID 3060 wrote to memory of 964	3060	iexplore.exe	99
PID 3060 wrote to memory of 964	3060	iexplore.exe	99
PID 3060 wrote to memory of 964	3060	iexplore.exe	99
PID 3060 wrote to memory of 964	3060	iexplore.exe	99
PID 3060 wrote to memory of 1708	3060	iexplore.exe	100
PID 3060 wrote to memory of 1708	3060	iexplore.exe	100
PID 3060 wrote to memory of 1708	3060	iexplore.exe	100
PID 3060 wrote to memory of 1708	3060	iexplore.exe	100
PID 3060 wrote to memory of 4292	3060	iexplore.exe	101
PID 3060 wrote to memory of 4292	3060	iexplore.exe	101
PID 3060 wrote to memory of 4292	3060	iexplore.exe	101
PID 3060 wrote to memory of 4292	3060	iexplore.exe	101

C:\Users\Admin\AppData\Local\Temp\FG98765678000.exe
"C:\Users\Admin\AppData\Local\Temp\FG98765678000.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Users\Admin\AppData\Local\Temp\deaegyz.exe
  "C:\Users\Admin\AppData\Local\Temp\deaegyz.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Users\Admin\AppData\Local\Temp\deaegyz.exe
    "C:\Users\Admin\AppData\Local\Temp\deaegyz.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4216
  - - \??\c:\program files (x86)\internet explorer\iexplore.exe
      "c:\program files (x86)\internet explorer\iexplore.exe"
      4⤵
      PID:1416
  - - \??\c:\program files (x86)\internet explorer\iexplore.exe
      "c:\program files (x86)\internet explorer\iexplore.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4936
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3060
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\fwfepktmap"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:964
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\pysxqdefoxjab"
        6⤵
        Accesses Microsoft Outlook accounts
        
        PID:1708
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ssxpjvohkfbfelte"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4292
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        
        PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
d87eaa2b39b4b752cd82741407c37646

SHA1
2070eccd38fb51112842f65fd188c98bd2739a19

SHA256
d55c8630018f8cb2e21046df0725afc1a07b4ce474bfcffe1834ef12b9f55c64

SHA512
1b502866ae2fc9a4da16b7f5729173a8917aae9881405288896143ee4eb4f9d74642ac1f239b2d8a2d177708f56a0565d412c17a1bfaf57a1d52732c57caa641

Download Submit
C:\Users\Admin\AppData\Local\Temp\deaegyz.exe

Filesize
478KB

MD5
49900e1a853294ac5e03deb77c041e08

SHA1
0c5b28c9caa6597dd4112772e973faad121aff55

SHA256
148662d819b02305d0eb2c78630e218985ce18529a3729ca1aa4d8926b75e5af

SHA512
34cb6dce4838bf1b6524e24082f133ceab731198f20af3296ae2103fbaf56e0940164208f17d7bf2593181ade88dd042e29e2fd44d5f4b929606013543b5daf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\deaegyz.exe

Filesize
284KB

MD5
8ffae17b71d62ccd291586f0920662c7

SHA1
adb29f165ab38f4caf9843fc57601ef2cc391009

SHA256
f3b0c50cd68ff6e1467084a1d1cd44f36ec04897fe1be6147510fd4298971b1c

SHA512
9e8ed2b694390d94f82a2b55f247587087533b46b68d3fe067a0f93dcf518d4e4e9c63f4f60ee155f8c127e86add39a598313527aeec0b74c95b59c4c90eb5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\deaegyz.exe

Filesize
318KB

MD5
dc6cfeb0c5d46ed30a89c696956d754b

SHA1
cd51c8bf60d6d228e2a1656afb1332373d3a6b5b

SHA256
83764324ceee4eb07a327672eb57ebd2c2505cc60814a56377b7cd3a88b167de

SHA512
cff970f06a9d50464b752d29f2cc8478f8689edc74c9a209390e0e1432e9d69f3481e24a0ea9ccb965f9f9f25197d977e285f0b792357db8cc49f4b2494bae0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fwfepktmap

Filesize
4KB

MD5
fdaa8866c905accc6ed1cb0f204b0f2c

SHA1
cf3a1f2d3841e3d52f3875df2bc1ff667ba8c774

SHA256
96db24a652541fb09e22d3dc23495c0475a4dbd2bd2dd6bb4d2aa98b1ae591ad

SHA512
02fae866918ca0250be91c2b85baf1a65d5cb295e6f995f0814c0a20ad1192a78f44b8a456bf1b52c9e202d523e7685157cbd2930bec483481463b7926309f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\midxwnqijin.ekx

Filesize
502KB

MD5
7d70dc74b5036e3ff3def409ea47f343

SHA1
28bbf40d20d3584e242f457656e21366fc224566

SHA256
320e5916c90f41b7405e1be314e9abbbe9fd3177874bbaf9748cc7261e794427

SHA512
9556bee30d7f45c94bb25443e4bf0ddfeda9e245fc6b95de6a03e17d11061956e132cbc8774c825b0197f9df4e12f300d406fb3007ce5f1374099b6036205160

Download Submit
memory/964-58-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/964-37-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/964-41-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/964-48-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1708-42-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1708-49-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1708-55-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1708-45-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1708-38-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3060-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3060-63-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3060-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3060-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3060-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3060-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3060-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3060-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3060-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3060-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3060-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3060-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3060-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3060-101-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3060-100-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3060-93-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3060-92-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3060-85-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3060-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3060-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3060-76-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3060-73-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3060-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3060-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3060-64-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3060-65-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3060-60-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3060-66-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3060-67-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4216-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4216-11-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4216-13-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4216-8-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4216-10-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4292-51-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4292-47-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4292-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4292-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4292-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4476-5-0x0000000000630000-0x0000000000632000-memory.dmp

Filesize
8KB

Download
memory/4936-14-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4936-17-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4936-18-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4936-19-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download