remcos | f46ee18e0870d531035d06e0e081a30ba1cf00949534adc595c054c0de93269d

Analysis

max time kernel
173s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e503c242a09bc206666cdc1078d3a3e.exe
Size

1024.0MB
MD5

4ffa95f68a6c94b75a0ce7470bec1156
SHA1

f8c649d9017cc4cced5b920dc70ce1f60c2a9d12
SHA256

8fefc21e856b0bac0bf570b1693f5a1e3b79d41e0d4e22b9d07823808bee3a30
SHA512

fb015684141241c7e104c54d4328d2c4a750e913e4c01f23963c351a1fb56affd7f70bee4cfcda7d9ddc00ddc6c09123e50f62a7eba472ce801d21d8b5e8e19a
SSDEEP

12288:CPLYpYCQEfqDhEtMQcgwGQcRY38eO/Prg+cS9WJO5oABbJ4xmIF0:TnQEwjbzL38x/vc+Ww7J4xbF0

Score

10^/10

remcos monnono collection rat

Malware Config

Extracted

Family

remcos

Botnet

MONNONO

kdhviusdhiuduidhn.con-ip.com:1998

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-CL1Y48
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1200-57-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/1200-62-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/548-59-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/548-60-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/548-69-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

resource	yara_rule
behavioral2/memory/548-59-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/348-61-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/548-60-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1200-57-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/1200-62-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/348-63-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/548-69-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	AppLaunch.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1580 set thread context of 2208	1580	1e503c242a09bc206666cdc1078d3a3e.exe	97
PID 2208 set thread context of 548	2208	AppLaunch.exe	114
PID 2208 set thread context of 1200	2208	AppLaunch.exe	115
PID 2208 set thread context of 348	2208	AppLaunch.exe	118

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5024	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
548	AppLaunch.exe
548	AppLaunch.exe
348	AppLaunch.exe
348	AppLaunch.exe
548	AppLaunch.exe
548	AppLaunch.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2208	AppLaunch.exe
2208	AppLaunch.exe
2208	AppLaunch.exe
2208	AppLaunch.exe
2208	AppLaunch.exe
2208	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	348	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2208	AppLaunch.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 2208	1580	1e503c242a09bc206666cdc1078d3a3e.exe	97
PID 1580 wrote to memory of 2208	1580	1e503c242a09bc206666cdc1078d3a3e.exe	97
PID 1580 wrote to memory of 2208	1580	1e503c242a09bc206666cdc1078d3a3e.exe	97
PID 1580 wrote to memory of 2208	1580	1e503c242a09bc206666cdc1078d3a3e.exe	97
PID 1580 wrote to memory of 2208	1580	1e503c242a09bc206666cdc1078d3a3e.exe	97
PID 1580 wrote to memory of 2208	1580	1e503c242a09bc206666cdc1078d3a3e.exe	97
PID 1580 wrote to memory of 2208	1580	1e503c242a09bc206666cdc1078d3a3e.exe	97
PID 1580 wrote to memory of 2208	1580	1e503c242a09bc206666cdc1078d3a3e.exe	97
PID 1580 wrote to memory of 2208	1580	1e503c242a09bc206666cdc1078d3a3e.exe	97
PID 1580 wrote to memory of 2208	1580	1e503c242a09bc206666cdc1078d3a3e.exe	97
PID 1580 wrote to memory of 2208	1580	1e503c242a09bc206666cdc1078d3a3e.exe	97
PID 1580 wrote to memory of 2208	1580	1e503c242a09bc206666cdc1078d3a3e.exe	97
PID 1580 wrote to memory of 3328	1580	1e503c242a09bc206666cdc1078d3a3e.exe	99
PID 1580 wrote to memory of 3328	1580	1e503c242a09bc206666cdc1078d3a3e.exe	99
PID 1580 wrote to memory of 3328	1580	1e503c242a09bc206666cdc1078d3a3e.exe	99
PID 1580 wrote to memory of 4564	1580	1e503c242a09bc206666cdc1078d3a3e.exe	101
PID 1580 wrote to memory of 4564	1580	1e503c242a09bc206666cdc1078d3a3e.exe	101
PID 1580 wrote to memory of 4564	1580	1e503c242a09bc206666cdc1078d3a3e.exe	101
PID 4564 wrote to memory of 5024	4564	cmd.exe	103
PID 4564 wrote to memory of 5024	4564	cmd.exe	103
PID 4564 wrote to memory of 5024	4564	cmd.exe	103
PID 1580 wrote to memory of 2156	1580	1e503c242a09bc206666cdc1078d3a3e.exe	104
PID 1580 wrote to memory of 2156	1580	1e503c242a09bc206666cdc1078d3a3e.exe	104
PID 1580 wrote to memory of 2156	1580	1e503c242a09bc206666cdc1078d3a3e.exe	104
PID 2208 wrote to memory of 1184	2208	AppLaunch.exe	113
PID 2208 wrote to memory of 1184	2208	AppLaunch.exe	113
PID 2208 wrote to memory of 1184	2208	AppLaunch.exe	113
PID 2208 wrote to memory of 548	2208	AppLaunch.exe	114
PID 2208 wrote to memory of 548	2208	AppLaunch.exe	114
PID 2208 wrote to memory of 548	2208	AppLaunch.exe	114
PID 2208 wrote to memory of 548	2208	AppLaunch.exe	114
PID 2208 wrote to memory of 1200	2208	AppLaunch.exe	115
PID 2208 wrote to memory of 1200	2208	AppLaunch.exe	115
PID 2208 wrote to memory of 1200	2208	AppLaunch.exe	115
PID 2208 wrote to memory of 1200	2208	AppLaunch.exe	115
PID 2208 wrote to memory of 1720	2208	AppLaunch.exe	116
PID 2208 wrote to memory of 1720	2208	AppLaunch.exe	116
PID 2208 wrote to memory of 1720	2208	AppLaunch.exe	116
PID 2208 wrote to memory of 668	2208	AppLaunch.exe	117
PID 2208 wrote to memory of 668	2208	AppLaunch.exe	117
PID 2208 wrote to memory of 668	2208	AppLaunch.exe	117
PID 2208 wrote to memory of 348	2208	AppLaunch.exe	118
PID 2208 wrote to memory of 348	2208	AppLaunch.exe	118
PID 2208 wrote to memory of 348	2208	AppLaunch.exe	118
PID 2208 wrote to memory of 348	2208	AppLaunch.exe	118

C:\Users\Admin\AppData\Local\Temp\1e503c242a09bc206666cdc1078d3a3e.exe
"C:\Users\Admin\AppData\Local\Temp\1e503c242a09bc206666cdc1078d3a3e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe /stext "C:\Users\Admin\AppData\Local\Temp\wuncrjwmifvnaadraapwtwtncmehlszfp"
    3⤵
    PID:1184
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe /stext "C:\Users\Admin\AppData\Local\Temp\wuncrjwmifvnaadraapwtwtncmehlszfp"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:548
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe /stext "C:\Users\Admin\AppData\Local\Temp\hpsvr"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:1200
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe /stext "C:\Users\Admin\AppData\Local\Temp\jrynstsh"
    3⤵
    PID:1720
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe /stext "C:\Users\Admin\AppData\Local\Temp\jrynstsh"
    3⤵
    PID:668
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe /stext "C:\Users\Admin\AppData\Local\Temp\jrynstsh"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:348
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AppData"
  2⤵
  PID:3328
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:5024
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\1e503c242a09bc206666cdc1078d3a3e.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
  2⤵
  PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
4c3cbe46a75794aedf814e653b816dd5

SHA1
5e7d87fbcde9529a271ae49d7827a611c08129c4

SHA256
b9fce8b5445eaccae9fbabf37e2463980889ab33c78e7917b915477da1879fdb

SHA512
b51e4a832b1a3a2516bef66d249f327259106f3d42eaaead4d03b0c2a07dcdd0ac0d28a3e078d64631fbfb1d3788e64cb3296fd65fe2dab7a4b57c70831fb36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuncrjwmifvnaadraapwtwtncmehlszfp

Filesize
4KB

MD5
fc8ceff5210efa58594c67ed8f49a824

SHA1
dba98c98becbdf81f623cdca6cd0a993022fe6cd

SHA256
778b7d5b90428961459c82e9881fe0fece78424d6301eb0720a96f100511f599

SHA512
c3b24fe5f5ba39174528ffc05544da6f22ac6aef2cac923ad139c0d044989873e004f9f5018cc0cc6847b5878f5aee96d6de823c860ac54a0fc67ff8d2d89cd1

Download Submit
memory/348-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/348-61-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/348-58-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/348-54-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/548-69-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/548-48-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/548-60-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/548-59-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/548-52-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1200-62-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1200-57-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1200-49-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1200-53-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1580-1-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download
memory/1580-3-0x0000000005B60000-0x0000000006104000-memory.dmp

Filesize
5.6MB

Download
memory/1580-0-0x0000000000A10000-0x0000000000AA8000-memory.dmp

Filesize
608KB

Download
memory/1580-2-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/1580-21-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download
memory/2208-11-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2208-10-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2208-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2208-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2208-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2208-5-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2208-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2208-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2208-13-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2208-12-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2208-4-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2208-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2208-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2208-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2208-8-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2208-6-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2208-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2208-7-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2208-71-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2208-74-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2208-75-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2208-76-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2208-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2208-80-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2208-82-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2208-84-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2208-88-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2208-89-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download