remcos | 45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85

General

Target

45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe
Size

1.4MB
MD5

51d30ef65642af490373320582d1e2dd
SHA1

ae3a785010169746e5ad96886dfb1647e8b43365
SHA256

45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85
SHA512

44c54ca10fa06a624a92805a24044591f4ddcb97a2602ec70e6ad999722be5a56c34ca891131460e4b04ef360a8c05fd1dd2c2e9a1484b5a495ab8ce1fd2594c
SSDEEP

24576:NqDEvCTbMWu7rQYlBQcBiT6rprG8aL4+LMGlGPPuqzSOa1WzJSH7A:NTvC/MTQYxsWR7aL7oOD1W0

Score

10^/10

remcos remotehost collection rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

107.175.229.139:8087

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-TLPQMO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2488-60-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/2488-63-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/2488-76-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2096-61-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2096-73-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2488-60-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2096-61-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2488-63-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/1916-67-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1916-68-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2096-73-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2488-76-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Drops startup file 1 IoCs

Processes:

brawlis.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\brawlis.vbs brawlis.exe
Executes dropped EXE 1 IoCs

Processes:

brawlis.exe

pid process

2760 brawlis.exe
Loads dropped DLL 1 IoCs

Processes:

45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe

pid process

2988 45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\brawlis.vbs	brawlis.exe

pid	process
2760	brawlis.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\reindulgence\brawlis.exe	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

brawlis.exesvchost.exe

description	pid	process	target process
PID 2760 set thread context of 2548	2760	brawlis.exe	svchost.exe
PID 2548 set thread context of 2096	2548	svchost.exe	svchost.exe
PID 2548 set thread context of 2488	2548	svchost.exe	svchost.exe
PID 2548 set thread context of 1916	2548	svchost.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exe

pid process

2096 svchost.exe
2096 svchost.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

brawlis.exesvchost.exe

pid process

2760 brawlis.exe
2548 svchost.exe
2548 svchost.exe
2548 svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 1916 svchost.exe

pid	process
2096	svchost.exe
2096	svchost.exe

pid	process
2760	brawlis.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe

description	pid	process
Token: SeDebugPrivilege	1916	svchost.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exebrawlis.exe

pid	process
2988	45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe
2988	45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe
2760	brawlis.exe
2760	brawlis.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exebrawlis.exe

pid	process
2988	45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe
2988	45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe
2760	brawlis.exe
2760	brawlis.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

2548 svchost.exe

pid	process
2548	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exebrawlis.exesvchost.exe

description	pid	process	target process
PID 2988 wrote to memory of 2760	2988	45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe	brawlis.exe
PID 2988 wrote to memory of 2760	2988	45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe	brawlis.exe
PID 2988 wrote to memory of 2760	2988	45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe	brawlis.exe
PID 2988 wrote to memory of 2760	2988	45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe	brawlis.exe
PID 2760 wrote to memory of 2548	2760	brawlis.exe	svchost.exe
PID 2760 wrote to memory of 2548	2760	brawlis.exe	svchost.exe
PID 2760 wrote to memory of 2548	2760	brawlis.exe	svchost.exe
PID 2760 wrote to memory of 2548	2760	brawlis.exe	svchost.exe
PID 2760 wrote to memory of 2548	2760	brawlis.exe	svchost.exe
PID 2548 wrote to memory of 2096	2548	svchost.exe	svchost.exe
PID 2548 wrote to memory of 2096	2548	svchost.exe	svchost.exe
PID 2548 wrote to memory of 2096	2548	svchost.exe	svchost.exe
PID 2548 wrote to memory of 2096	2548	svchost.exe	svchost.exe
PID 2548 wrote to memory of 2096	2548	svchost.exe	svchost.exe
PID 2548 wrote to memory of 2488	2548	svchost.exe	svchost.exe
PID 2548 wrote to memory of 2488	2548	svchost.exe	svchost.exe
PID 2548 wrote to memory of 2488	2548	svchost.exe	svchost.exe
PID 2548 wrote to memory of 2488	2548	svchost.exe	svchost.exe
PID 2548 wrote to memory of 2488	2548	svchost.exe	svchost.exe
PID 2548 wrote to memory of 1916	2548	svchost.exe	svchost.exe
PID 2548 wrote to memory of 1916	2548	svchost.exe	svchost.exe
PID 2548 wrote to memory of 1916	2548	svchost.exe	svchost.exe
PID 2548 wrote to memory of 1916	2548	svchost.exe	svchost.exe
PID 2548 wrote to memory of 1916	2548	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe
"C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe
"C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\vnjqtcrpyhamqqbyiymszocxezsqbqbosr"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2096

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\yhoitv"
4⤵
- Accesses Microsoft Outlook accounts
PID:2488

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\ijutunvkz"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1916

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
138a0a484367cbfe5638ab2861bc61bf

SHA1
84c3b5015d2c392d0a46cdbe35b9717b4c0e26d3

SHA256
754f5cb74546df7e3aca4f7a9023cdc4d831bf44493b7dde9e6417076c233ef5

SHA512
3ec845d82c9bde2685d12f06c4472137ce0d58fe430c660ad461290ab88c206325f74572daee155f3754da0193ebeaaf12bcfb67f9260485cbbc3a362123476c

Download Submit
C:\Users\Admin\AppData\Local\Temp\orographically
Filesize
482KB

MD5
17db3ee54b8207f5415603d856255c9d

SHA1
a480c3d3f948e61b258b18732b99732f62fe93e5

SHA256
e138b8344f3c0b7d400d452da5662e5625365f71ca955034f8b6ddf05b4a3c37

SHA512
7a4fc990c68c73f9729e2b56d337a8888094bad6766ad9c9f0cc3faaa89fa289189660bed466adca97039431f9d4ff179227b9f8e1dce2ea6b42b1ea09d50cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\vitraillist
Filesize
29KB

MD5
7e652071f4c1e8a16bbcc9fe126774f0

SHA1
e6eed67590573d8427f648e2952e88005fba1efd

SHA256
132f9d86d77df4cc036a745abc0a419412a35b9977005bb0a19258d8a629bbf2

SHA512
469fd55d6f2ffe4f2d2117db33e68f879878013958677d72f27eeaf953611e504bfb8ff89a44558308c10f3f2e204157f5cb50fb78c94b674e410bf84c741ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnjqtcrpyhamqqbyiymszocxezsqbqbosr
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\reindulgence\brawlis.exe
Filesize
107.4MB

MD5
4bd1e9aa4eba7ad93aed314fb7737dab

SHA1
320e34d1030a4faaf91833a6595fd334ce8dc318

SHA256
98f529e5a73f29a93813731c24a9180227be92265e01a41c633a3468990432b4

SHA512
05a616a7c549c9979121783a8773c04058c358b9d6ecb3b122823398acdfe5a4ab8e0caa868071ac9fe11b4133425b00194fb390c94e5082f2891d7dfa4241f5

Download Submit
memory/1916-56-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1916-62-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1916-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1916-68-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1916-67-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2096-73-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2096-61-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2096-55-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2096-49-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2096-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2488-63-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2488-76-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2488-60-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2488-57-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2488-53-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2488-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2548-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2548-81-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2548-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2548-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2548-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2548-117-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2548-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2548-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2548-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2548-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2548-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2548-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2548-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2548-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2548-77-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2548-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2548-82-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2548-80-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2548-83-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2548-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2548-87-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2548-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2548-90-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2548-92-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2548-93-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2548-100-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2548-101-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2548-108-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2548-109-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2548-116-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2988-10-0x00000000000B0000-0x00000000000B4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads