remcos | 554b40336bad24df88cbde544cdf20d553d02ce7fee5dab9a82318d7c21471e0

General

Target

RFQ SY103 first order 2024.scr
Size

966KB
MD5

9beaec299e48eb0072fd6e270d8e8cd3
SHA1

a719b69d48a210af3749bccd27b4ad5185c35d8d
SHA256

554b40336bad24df88cbde544cdf20d553d02ce7fee5dab9a82318d7c21471e0
SHA512

d0742bee412db3abdb8ddee99ceaf45721f6c72c2b9044838d755b6e8a51377831177eb087f709efee31dc36871e2e274338734731e3d89519bebfb1e74c0733
SSDEEP

24576:dtHKWYHu2k6ei445zcNjNGbr3SN2jcjR11O7Akmla:7KWYHu2kf745zCa3SN2jcjRuUkK

Score

10^/10

remcos buddy collection rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

BUDDY

C2

192.210.201.57:52499

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-LMLI87
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/1172-35-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/1172-40-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/3452-33-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/3452-45-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3452-33-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1172-35-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/1172-40-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/4472-41-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4472-43-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3452-45-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RFQ SY103 first order 2024.scr

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RFQ SY103 first order 2024.scr

Suspicious use of SetThreadContext 4 IoCs

Processes:

RFQ SY103 first order 2024.scrRFQ SY103 first order 2024.scr

description	pid	process	target process
PID 4768 set thread context of 3436	4768	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 3436 set thread context of 3452	3436	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 3436 set thread context of 1172	3436	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 3436 set thread context of 4472	3436	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

RFQ SY103 first order 2024.scrRFQ SY103 first order 2024.scrRFQ SY103 first order 2024.scr

pid	process
4768	RFQ SY103 first order 2024.scr
4768	RFQ SY103 first order 2024.scr
3452	RFQ SY103 first order 2024.scr
3452	RFQ SY103 first order 2024.scr
4472	RFQ SY103 first order 2024.scr
4472	RFQ SY103 first order 2024.scr
3452	RFQ SY103 first order 2024.scr
3452	RFQ SY103 first order 2024.scr

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

RFQ SY103 first order 2024.scr

pid process

3436 RFQ SY103 first order 2024.scr
3436 RFQ SY103 first order 2024.scr
3436 RFQ SY103 first order 2024.scr
3436 RFQ SY103 first order 2024.scr
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RFQ SY103 first order 2024.scrRFQ SY103 first order 2024.scr

description pid process

Token: SeDebugPrivilege 4768 RFQ SY103 first order 2024.scr
Token: SeDebugPrivilege 4472 RFQ SY103 first order 2024.scr
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RFQ SY103 first order 2024.scr

pid process

3436 RFQ SY103 first order 2024.scr

pid	process
3436	RFQ SY103 first order 2024.scr
3436	RFQ SY103 first order 2024.scr
3436	RFQ SY103 first order 2024.scr
3436	RFQ SY103 first order 2024.scr

description	pid	process
Token: SeDebugPrivilege	4768	RFQ SY103 first order 2024.scr
Token: SeDebugPrivilege	4472	RFQ SY103 first order 2024.scr

pid	process
3436	RFQ SY103 first order 2024.scr

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

RFQ SY103 first order 2024.scrRFQ SY103 first order 2024.scr

C:\Users\Admin\AppData\Local\Temp\RFQ SY103 first order 2024.scr
"C:\Users\Admin\AppData\Local\Temp\RFQ SY103 first order 2024.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768

C:\Users\Admin\AppData\Local\Temp\RFQ SY103 first order 2024.scr
"C:\Users\Admin\AppData\Local\Temp\RFQ SY103 first order 2024.scr"
2⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\RFQ SY103 first order 2024.scr
"C:\Users\Admin\AppData\Local\Temp\RFQ SY103 first order 2024.scr"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3436

C:\Users\Admin\AppData\Local\Temp\RFQ SY103 first order 2024.scr
"C:\Users\Admin\AppData\Local\Temp\RFQ SY103 first order 2024.scr" /stext "C:\Users\Admin\AppData\Local\Temp\tzsryxdgdwmydyiuy"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3452

C:\Users\Admin\AppData\Local\Temp\RFQ SY103 first order 2024.scr
"C:\Users\Admin\AppData\Local\Temp\RFQ SY103 first order 2024.scr" /stext "C:\Users\Admin\AppData\Local\Temp\dtxkzpozreelgmeyhfuqu"
3⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\RFQ SY103 first order 2024.scr
"C:\Users\Admin\AppData\Local\Temp\RFQ SY103 first order 2024.scr" /stext "C:\Users\Admin\AppData\Local\Temp\dtxkzpozreelgmeyhfuqu"
3⤵
- Accesses Microsoft Outlook accounts
PID:1172

C:\Users\Admin\AppData\Local\Temp\RFQ SY103 first order 2024.scr
"C:\Users\Admin\AppData\Local\Temp\RFQ SY103 first order 2024.scr" /stext "C:\Users\Admin\AppData\Local\Temp\nwldzizbfnwqqsskqqorfryw"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4472

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
66fcaf078be4c0d6872f8606dc60eb43

SHA1
37fd73ab391b03b22c4ea5c3e7e842256c489018

SHA256
bd3f2e617fd8534343b06fb2a9e9724b6eaf17a1a8569095549ab13c1442473e

SHA512
d3c463fd266a07193957acc32935601d118587c4b015c209c19bd5a74ab170d3c7a346817584524536d36e7bc9d6e6089172fd8627f5f597a5b246d69e511935

Download Submit
C:\Users\Admin\AppData\Local\Temp\tzsryxdgdwmydyiuy
Filesize
4KB

MD5
fc8ceff5210efa58594c67ed8f49a824

SHA1
dba98c98becbdf81f623cdca6cd0a993022fe6cd

SHA256
778b7d5b90428961459c82e9881fe0fece78424d6301eb0720a96f100511f599

SHA512
c3b24fe5f5ba39174528ffc05544da6f22ac6aef2cac923ad139c0d044989873e004f9f5018cc0cc6847b5878f5aee96d6de823c860ac54a0fc67ff8d2d89cd1

Download Submit
memory/1172-28-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1172-40-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1172-35-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1172-32-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3436-50-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3436-52-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3436-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-10-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-11-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-13-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-76-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-75-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-67-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-60-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-54-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3436-51-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3436-47-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3452-33-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3452-45-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3452-26-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3452-29-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4472-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4472-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4472-41-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4472-36-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4768-5-0x0000000005940000-0x000000000594A000-memory.dmp

Filesize
40KB

Download
memory/4768-3-0x00000000059B0000-0x0000000005A42000-memory.dmp

Filesize
584KB

Download
memory/4768-4-0x0000000005BF0000-0x0000000005C00000-memory.dmp

Filesize
64KB

Download
memory/4768-1-0x0000000000E50000-0x0000000000F46000-memory.dmp

Filesize
984KB

Download
memory/4768-0-0x0000000074E80000-0x0000000075630000-memory.dmp

Filesize
7.7MB

Download
memory/4768-7-0x0000000005BB0000-0x0000000005BBC000-memory.dmp

Filesize
48KB

Download
memory/4768-42-0x0000000074E80000-0x0000000075630000-memory.dmp

Filesize
7.7MB

Download
memory/4768-6-0x0000000005BA0000-0x0000000005BB0000-memory.dmp

Filesize
64KB

Download
memory/4768-2-0x0000000005F60000-0x0000000006504000-memory.dmp

Filesize
5.6MB

Download
memory/4768-9-0x0000000009780000-0x000000000981C000-memory.dmp

Filesize
624KB

Download
memory/4768-8-0x00000000070E0000-0x00000000071A0000-memory.dmp

Filesize
768KB

Download

description	pid	process	target process
PID 4768 wrote to memory of 2620	4768	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 4768 wrote to memory of 2620	4768	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 4768 wrote to memory of 2620	4768	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 4768 wrote to memory of 3436	4768	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 4768 wrote to memory of 3436	4768	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 4768 wrote to memory of 3436	4768	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 4768 wrote to memory of 3436	4768	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 4768 wrote to memory of 3436	4768	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 4768 wrote to memory of 3436	4768	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 4768 wrote to memory of 3436	4768	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 4768 wrote to memory of 3436	4768	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 4768 wrote to memory of 3436	4768	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 4768 wrote to memory of 3436	4768	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 4768 wrote to memory of 3436	4768	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 4768 wrote to memory of 3436	4768	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 3436 wrote to memory of 3452	3436	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 3436 wrote to memory of 3452	3436	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 3436 wrote to memory of 3452	3436	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 3436 wrote to memory of 3452	3436	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 3436 wrote to memory of 5024	3436	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 3436 wrote to memory of 5024	3436	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 3436 wrote to memory of 5024	3436	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 3436 wrote to memory of 1172	3436	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 3436 wrote to memory of 1172	3436	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 3436 wrote to memory of 1172	3436	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 3436 wrote to memory of 1172	3436	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 3436 wrote to memory of 4472	3436	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 3436 wrote to memory of 4472	3436	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 3436 wrote to memory of 4472	3436	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr
PID 3436 wrote to memory of 4472	3436	RFQ SY103 first order 2024.scr	RFQ SY103 first order 2024.scr

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads