remcos | fb7e3e941caa92ea4f931356a638868f2e355c65c19cd3c49bd1c00b09a9907b

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-04-2024 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order Specifications 2024.exe
Size

891KB
MD5

365611c6c550f6b4d41e017b7f658975
SHA1

b31644d9fb613abfcb0bf7a801db77b4d7fd7ec9
SHA256

f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af
SHA512

6393bd06d1ea7faaccc85469f6b87aaab102064c8871f6ea8c33ea5434d822ddbd59157e50def89219ee0d3ebe09d34423dfc5d23f337b42a134422d71c3f721
SSDEEP

24576:Ig5HJmx9NoiP7+J7v8Dlco1AtasmkDu13xXD7:1Jmx/7zYv8BJ4a1kq1R7

Score

10^/10

remcos remotehost collection rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

paygateme.net:2286

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WTDTSU
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/940-65-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/940-79-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/796-62-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/796-75-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/796-62-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/940-65-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2460-69-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2460-70-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/796-75-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/940-79-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

Purchase Order Specifications 2024.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Purchase Order Specifications 2024.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Purchase Order Specifications 2024.exePurchase Order Specifications 2024.exe

description	pid	process	target process
PID 2216 set thread context of 2604	2216	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2604 set thread context of 796	2604	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2604 set thread context of 940	2604	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2604 set thread context of 2460	2604	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2064 schtasks.exe

pid	process
2064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Purchase Order Specifications 2024.exepowershell.exePurchase Order Specifications 2024.exe

pid	process
2216	Purchase Order Specifications 2024.exe
2216	Purchase Order Specifications 2024.exe
2216	Purchase Order Specifications 2024.exe
2216	Purchase Order Specifications 2024.exe
2216	Purchase Order Specifications 2024.exe
2216	Purchase Order Specifications 2024.exe
2216	Purchase Order Specifications 2024.exe
2524	powershell.exe
796	Purchase Order Specifications 2024.exe
796	Purchase Order Specifications 2024.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

Purchase Order Specifications 2024.exe

pid process

2604 Purchase Order Specifications 2024.exe
2604 Purchase Order Specifications 2024.exe
2604 Purchase Order Specifications 2024.exe

pid	process
2604	Purchase Order Specifications 2024.exe
2604	Purchase Order Specifications 2024.exe
2604	Purchase Order Specifications 2024.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Purchase Order Specifications 2024.exepowershell.exePurchase Order Specifications 2024.exe

description	pid	process
Token: SeDebugPrivilege	2216	Purchase Order Specifications 2024.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2460	Purchase Order Specifications 2024.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Purchase Order Specifications 2024.exe

pid process

2604 Purchase Order Specifications 2024.exe

pid	process
2604	Purchase Order Specifications 2024.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

Purchase Order Specifications 2024.exePurchase Order Specifications 2024.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order Specifications 2024.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order Specifications 2024.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FCsxaE.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FCsxaE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC764.tmp"
2⤵
- Creates scheduled task(s)
PID:2064

C:\Users\Admin\AppData\Local\Temp\Purchase Order Specifications 2024.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order Specifications 2024.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Admin\AppData\Local\Temp\Purchase Order Specifications 2024.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order Specifications 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\rgdwhkpoipg"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:796

C:\Users\Admin\AppData\Local\Temp\Purchase Order Specifications 2024.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order Specifications 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\caipidzhwxyyutf"
3⤵
- Accesses Microsoft Outlook accounts
PID:940

C:\Users\Admin\AppData\Local\Temp\Purchase Order Specifications 2024.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order Specifications 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mcnzivkjkfqlwztpmx"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2460

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
c0215fc9208989cfde89c119aa5922de

SHA1
507af0de86430e56fee3213cc10d69078353167a

SHA256
f3ccec3893dd965672c4e9d22ddcd450b95a545f8c0b707f44dd20faef8d6b94

SHA512
ba4eedbcac04ba3c34f1a3137a5992d02aa2f95edef3024dd755fb2ecc2cdf84e2adb6b664111d648ed3ea8cecc077cc0a42cfb49fcf1152b8ad3c0e02b504af

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgdwhkpoipg
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC764.tmp
Filesize
1KB

MD5
8164b604d55190629fd2fde17bafc468

SHA1
cdbd35fd6a8fc7434377ed0261e024db32a80470

SHA256
24c48ef7d7043c5f98f87105ea7934074eb17a915f6f5afebdb4076d61f83c49

SHA512
f0960ee63f0de6cb6f79528241e05c134e89de2fcb0ce109c4db1445b413b7f7a20f97d182e50d457af532d6f51d77ff4ea9373411f43bdbe9f01a0567f66158

Download Submit
memory/796-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/796-52-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/796-57-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/796-60-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/796-62-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/796-75-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/940-56-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/940-61-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/940-79-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/940-65-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2216-4-0x0000000000A30000-0x0000000000A3C000-memory.dmp

Filesize
48KB

Download
memory/2216-3-0x0000000000870000-0x0000000000880000-memory.dmp

Filesize
64KB

Download
memory/2216-0-0x0000000000F10000-0x0000000000FF6000-memory.dmp

Filesize
920KB

Download
memory/2216-2-0x0000000004880000-0x00000000048C0000-memory.dmp

Filesize
256KB

Download
memory/2216-1-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2216-26-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2216-5-0x0000000005410000-0x00000000054D0000-memory.dmp

Filesize
768KB

Download
memory/2216-6-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2460-70-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2460-67-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2460-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2460-69-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2524-48-0x0000000074470000-0x0000000074A1B000-memory.dmp

Filesize
5.7MB

Download
memory/2524-38-0x0000000074470000-0x0000000074A1B000-memory.dmp

Filesize
5.7MB

Download
memory/2524-40-0x0000000002720000-0x0000000002760000-memory.dmp

Filesize
256KB

Download
memory/2524-39-0x0000000074470000-0x0000000074A1B000-memory.dmp

Filesize
5.7MB

Download
memory/2524-41-0x0000000002720000-0x0000000002760000-memory.dmp

Filesize
256KB

Download
memory/2604-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2604-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-78-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-80-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2604-85-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2604-84-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2604-83-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2604-86-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2604-88-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-90-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-91-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-12-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-95-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2604-99-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-100-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-108-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-109-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-116-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2604-117-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

description	pid	process	target process
PID 2216 wrote to memory of 2524	2216	Purchase Order Specifications 2024.exe	powershell.exe
PID 2216 wrote to memory of 2524	2216	Purchase Order Specifications 2024.exe	powershell.exe
PID 2216 wrote to memory of 2524	2216	Purchase Order Specifications 2024.exe	powershell.exe
PID 2216 wrote to memory of 2524	2216	Purchase Order Specifications 2024.exe	powershell.exe
PID 2216 wrote to memory of 2064	2216	Purchase Order Specifications 2024.exe	schtasks.exe
PID 2216 wrote to memory of 2064	2216	Purchase Order Specifications 2024.exe	schtasks.exe
PID 2216 wrote to memory of 2064	2216	Purchase Order Specifications 2024.exe	schtasks.exe
PID 2216 wrote to memory of 2064	2216	Purchase Order Specifications 2024.exe	schtasks.exe
PID 2216 wrote to memory of 2604	2216	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2216 wrote to memory of 2604	2216	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2216 wrote to memory of 2604	2216	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2216 wrote to memory of 2604	2216	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2216 wrote to memory of 2604	2216	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2216 wrote to memory of 2604	2216	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2216 wrote to memory of 2604	2216	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2216 wrote to memory of 2604	2216	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2216 wrote to memory of 2604	2216	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2216 wrote to memory of 2604	2216	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2216 wrote to memory of 2604	2216	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2216 wrote to memory of 2604	2216	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2216 wrote to memory of 2604	2216	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2604 wrote to memory of 796	2604	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2604 wrote to memory of 796	2604	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2604 wrote to memory of 796	2604	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2604 wrote to memory of 796	2604	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2604 wrote to memory of 796	2604	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2604 wrote to memory of 940	2604	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2604 wrote to memory of 940	2604	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2604 wrote to memory of 940	2604	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2604 wrote to memory of 940	2604	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2604 wrote to memory of 940	2604	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2604 wrote to memory of 2460	2604	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2604 wrote to memory of 2460	2604	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2604 wrote to memory of 2460	2604	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2604 wrote to memory of 2460	2604	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe
PID 2604 wrote to memory of 2460	2604	Purchase Order Specifications 2024.exe	Purchase Order Specifications 2024.exe