Overview

overview

10

Static

static

3

da86da7fc0...92.exe

windows7-x64

10

da86da7fc0...92.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-04-2024 01:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe

  • Size

    895KB

  • MD5

    dd172773aa5ec3bc31080bc31fce8a44

  • SHA1

    5522deb7d315339e0d2b0dd2becb6d501e0dff2b

  • SHA256

    da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92

  • SHA512

    37bd970e680cd5e380d5f6044272e37782bd18f0c165af25f8c59b31b9fd29636cd43c2b9cde6bcd154dae0ee33866f3f783bab23aec8472e5db958a0ddaa588

  • SSDEEP

    24576:UHrWUxQNBIndBEQ/13KSAvkSZ/UosqmTbIecoe:qrWUxQPOgrB8osqq8Zo

Score
10/10
remcosremotehostcollectionratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

paygateme.net:2286

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-WTDTSU

  • screenshot_crypt

    true

  • screenshot_flag

    true

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 23 IoCs
  • Detects executables built or packed with MPress PE compressor 16 IoCs
  • Detects executables packed with SmartAssembly 2 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
    "C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kdkZYZHUWsaYyc.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:440
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kdkZYZHUWsaYyc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp730D.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2608
    • C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
      "C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe"
      2⤵
        PID:1784
      • C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
        "C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe"
        2⤵
          PID:2576
        • C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
          "C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2968
          • C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
            C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe /stext "C:\Users\Admin\AppData\Local\Temp\omeabjmetcnmkxbqwxyqzgkolzqn"
            3⤵
              PID:888
            • C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
              C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe /stext "C:\Users\Admin\AppData\Local\Temp\omeabjmetcnmkxbqwxyqzgkolzqn"
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:4648
            • C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
              C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe /stext "C:\Users\Admin\AppData\Local\Temp\ygjsucwypkfzmdpuohlkklfxughwgoy"
              3⤵
                PID:436
              • C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
                C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe /stext "C:\Users\Admin\AppData\Local\Temp\ygjsucwypkfzmdpuohlkklfxughwgoy"
                3⤵
                  PID:3404
                • C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
                  C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe /stext "C:\Users\Admin\AppData\Local\Temp\ygjsucwypkfzmdpuohlkklfxughwgoy"
                  3⤵
                  • Accesses Microsoft Outlook accounts
                  PID:2612
                • C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
                  C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe /stext "C:\Users\Admin\AppData\Local\Temp\aiod"
                  3⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1356

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\remcos\logs.dat
              Filesize

              144B

              MD5

              19cab12a0c91b8a0d81e12ca6b0e650c

              SHA1

              f21578a7ec2c40632ddcb604a6158e902717d36b

              SHA256

              c142653d33decec08c21b72475bfb61a7af694f0faa3962b784cae232c08214a

              SHA512

              b5f73beab961bd7e442da739b0a3115351d80a5fb8cf77e1ccdeb8307dee6cbf6bfec506794bf5fb74483fe166c52f39cc64dd1bb45d8152e881cc076b441df8

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rfueuxhn.xme.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\omeabjmetcnmkxbqwxyqzgkolzqn
              Filesize

              4KB

              MD5

              1be00116b3b4ab27e31b6c0193cca4b3

              SHA1

              9cd8b21573014b9255004a65a497fd3c7e31faec

              SHA256

              08293be277a95b17991cb7d2b1000a04777b5000a13950da9274e176c7b17f7a

              SHA512

              869cb03b8f04d4f06170ddaa74c12f90998548a2b712bed0bc3ce9a2bdfbc3d7b5eba26bbf64d87777d753a09d076b41263d30cf43b56200c3aa3b779aeb3e3a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tmp730D.tmp
              Filesize

              1KB

              MD5

              946293db09c1429c5b44babb71c21d23

              SHA1

              d307cb2c282f00ca7b069d3fc1f2d84be41a2fcb

              SHA256

              1932221855ff047df58ddeea8e28b02c273c28d090ad712de3c8591fba8e0f52

              SHA512

              e6e40b5d41153b65ca122b06967c1d1c6b0388f837f75c25770d3c231fd3c4c6007306d6b56c7cd0b2caa0beedce986688a08619c21e205d406ad4970fcd76d8

              Download Submit

            • memory/440-65-0x0000000007040000-0x000000000704A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/440-64-0x0000000006FC0000-0x0000000006FDA000-memory.dmp

              Filesize

              104KB

              Download

            • memory/440-74-0x00000000749D0000-0x0000000075180000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/440-71-0x00000000072E0000-0x00000000072E8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/440-70-0x0000000007300000-0x000000000731A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/440-45-0x0000000005790000-0x0000000005AE4000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/440-14-0x0000000002310000-0x0000000002346000-memory.dmp

              Filesize

              216KB

              Download

            • memory/440-66-0x0000000007240000-0x00000000072D6000-memory.dmp

              Filesize

              600KB

              Download

            • memory/440-16-0x00000000749D0000-0x0000000075180000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/440-18-0x00000000022B0000-0x00000000022C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/440-67-0x00000000071C0000-0x00000000071D1000-memory.dmp

              Filesize

              68KB

              Download

            • memory/440-19-0x00000000022B0000-0x00000000022C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/440-63-0x0000000007610000-0x0000000007C8A000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/440-60-0x00000000061D0000-0x00000000061EE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/440-68-0x00000000071F0000-0x00000000071FE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/440-17-0x0000000004E00000-0x0000000005428000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/440-61-0x00000000022B0000-0x00000000022C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/440-62-0x0000000006C30000-0x0000000006CD3000-memory.dmp

              Filesize

              652KB

              Download

            • memory/440-32-0x0000000005530000-0x0000000005596000-memory.dmp

              Filesize

              408KB

              Download

            • memory/440-50-0x0000000070DD0000-0x0000000070E1C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/440-42-0x0000000005720000-0x0000000005786000-memory.dmp

              Filesize

              408KB

              Download

            • memory/440-48-0x000000007FC70000-0x000000007FC80000-memory.dmp

              Filesize

              64KB

              Download

            • memory/440-49-0x0000000006BF0000-0x0000000006C22000-memory.dmp

              Filesize

              200KB

              Download

            • memory/440-25-0x0000000004C60000-0x0000000004C82000-memory.dmp

              Filesize

              136KB

              Download

            • memory/440-47-0x0000000005C60000-0x0000000005CAC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/440-69-0x0000000007200000-0x0000000007214000-memory.dmp

              Filesize

              80KB

              Download

            • memory/440-46-0x0000000005C20000-0x0000000005C3E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/1356-99-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

              Download

            • memory/1356-102-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

              Download

            • memory/1356-88-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

              Download

            • memory/1356-96-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

              Download

            • memory/1444-3-0x00000000057A0000-0x0000000005832000-memory.dmp

              Filesize

              584KB

              Download

            • memory/1444-8-0x00000000082D0000-0x0000000008390000-memory.dmp

              Filesize

              768KB

              Download

            • memory/1444-24-0x00000000749D0000-0x0000000075180000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/1444-6-0x0000000005C50000-0x0000000005C60000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1444-1-0x00000000749D0000-0x0000000075180000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/1444-0-0x0000000000CD0000-0x0000000000DB6000-memory.dmp

              Filesize

              920KB

              Download

            • memory/1444-4-0x00000000059B0000-0x00000000059C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1444-7-0x0000000006910000-0x000000000691C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1444-5-0x0000000005960000-0x000000000596A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/1444-9-0x000000000AA70000-0x000000000AB0C000-memory.dmp

              Filesize

              624KB

              Download

            • memory/1444-2-0x0000000005C60000-0x0000000006204000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/2612-101-0x0000000000400000-0x0000000000462000-memory.dmp

              Filesize

              392KB

              Download

            • memory/2612-86-0x0000000000400000-0x0000000000462000-memory.dmp

              Filesize

              392KB

              Download

            • memory/2612-92-0x0000000000400000-0x0000000000462000-memory.dmp

              Filesize

              392KB

              Download

            • memory/2612-98-0x0000000000400000-0x0000000000462000-memory.dmp

              Filesize

              392KB

              Download

            • memory/2968-31-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

              Download

            • memory/2968-115-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

              Download

            • memory/2968-80-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

              Download

            • memory/2968-141-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

              Download

            • memory/2968-78-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

              Download

            • memory/2968-140-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

              Download

            • memory/2968-75-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

              Download

            • memory/2968-133-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

              Download

            • memory/2968-76-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

              Download

            • memory/2968-109-0x0000000010000000-0x0000000010019000-memory.dmp

              Filesize

              100KB

              Download

            • memory/2968-132-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

              Download

            • memory/2968-43-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

              Download

            • memory/2968-27-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

              Download

            • memory/2968-100-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

              Download

            • memory/2968-29-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

              Download

            • memory/2968-20-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

              Download

            • memory/2968-30-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

              Download

            • memory/2968-106-0x0000000010000000-0x0000000010019000-memory.dmp

              Filesize

              100KB

              Download

            • memory/2968-110-0x0000000010000000-0x0000000010019000-memory.dmp

              Filesize

              100KB

              Download

            • memory/2968-23-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

              Download

            • memory/2968-112-0x0000000010000000-0x0000000010019000-memory.dmp

              Filesize

              100KB

              Download

            • memory/2968-111-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

              Download

            • memory/2968-77-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

              Download

            • memory/2968-116-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

              Download

            • memory/2968-21-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

              Download

            • memory/2968-123-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

              Download

            • memory/2968-124-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

              Download

            • memory/4648-104-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

              Download

            • memory/4648-90-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

              Download

            • memory/4648-85-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

              Download

            • memory/4648-83-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

              Download