remcos | 45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-04-2024 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe
Size

1.4MB
MD5

51d30ef65642af490373320582d1e2dd
SHA1

ae3a785010169746e5ad96886dfb1647e8b43365
SHA256

45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85
SHA512

44c54ca10fa06a624a92805a24044591f4ddcb97a2602ec70e6ad999722be5a56c34ca891131460e4b04ef360a8c05fd1dd2c2e9a1484b5a495ab8ce1fd2594c
SSDEEP

24576:NqDEvCTbMWu7rQYlBQcBiT6rprG8aL4+LMGlGPPuqzSOa1WzJSH7A:NTvC/MTQYxsWR7aL7oOD1W0

Score

10^/10

remcos remotehost collection rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

107.175.229.139:8087

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-TLPQMO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2928-59-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/2928-67-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/1988-86-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/1988-90-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2484-54-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2484-70-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1888-81-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1888-97-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2484-54-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2928-59-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2928-67-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2484-70-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2212-72-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1988-86-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/1888-81-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1988-90-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/1232-91-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1232-92-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1888-97-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Drops startup file 1 IoCs

Processes:

brawlis.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\brawlis.vbs brawlis.exe
Executes dropped EXE 1 IoCs

Processes:

brawlis.exe

pid process

3052 brawlis.exe
Loads dropped DLL 1 IoCs

Processes:

45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe

pid process

2344 45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\brawlis.vbs	brawlis.exe

pid	process
3052	brawlis.exe

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

svchost.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\reindulgence\brawlis.exe	autoit_exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

brawlis.exesvchost.exe

description	pid	process	target process
PID 3052 set thread context of 2668	3052	brawlis.exe	svchost.exe
PID 2668 set thread context of 2484	2668	svchost.exe	svchost.exe
PID 2668 set thread context of 2928	2668	svchost.exe	svchost.exe
PID 2668 set thread context of 2212	2668	svchost.exe	svchost.exe
PID 2668 set thread context of 1888	2668	svchost.exe	svchost.exe
PID 2668 set thread context of 1988	2668	svchost.exe	svchost.exe
PID 2668 set thread context of 1232	2668	svchost.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

svchost.exesvchost.exe

pid process

2484 svchost.exe
1888 svchost.exe
1888 svchost.exe
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

brawlis.exesvchost.exe

pid process

3052 brawlis.exe
2668 svchost.exe
2668 svchost.exe
2668 svchost.exe
2668 svchost.exe
2668 svchost.exe
2668 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exesvchost.exe

description pid process

Token: SeDebugPrivilege 2212 svchost.exe
Token: SeDebugPrivilege 1232 svchost.exe

pid	process
2484	svchost.exe
1888	svchost.exe
1888	svchost.exe

pid	process
3052	brawlis.exe
2668	svchost.exe
2668	svchost.exe
2668	svchost.exe
2668	svchost.exe
2668	svchost.exe
2668	svchost.exe

description	pid	process
Token: SeDebugPrivilege	2212	svchost.exe
Token: SeDebugPrivilege	1232	svchost.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exebrawlis.exe

pid	process
2344	45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe
2344	45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe
3052	brawlis.exe
3052	brawlis.exe
3052	brawlis.exe

Suspicious use of SendNotifyMessage 5 IoCs

Processes:

45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exebrawlis.exe

pid	process
2344	45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe
2344	45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe
3052	brawlis.exe
3052	brawlis.exe
3052	brawlis.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

2668 svchost.exe

pid	process
2668	svchost.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exebrawlis.exesvchost.exe

description	pid	process	target process
PID 2344 wrote to memory of 3052	2344	45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe	brawlis.exe
PID 2344 wrote to memory of 3052	2344	45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe	brawlis.exe
PID 2344 wrote to memory of 3052	2344	45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe	brawlis.exe
PID 2344 wrote to memory of 3052	2344	45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe	brawlis.exe
PID 3052 wrote to memory of 2668	3052	brawlis.exe	svchost.exe
PID 3052 wrote to memory of 2668	3052	brawlis.exe	svchost.exe
PID 3052 wrote to memory of 2668	3052	brawlis.exe	svchost.exe
PID 3052 wrote to memory of 2668	3052	brawlis.exe	svchost.exe
PID 3052 wrote to memory of 2668	3052	brawlis.exe	svchost.exe
PID 2668 wrote to memory of 2484	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 2484	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 2484	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 2484	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 2484	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 2928	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 2928	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 2928	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 2928	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 2928	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 2212	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 2212	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 2212	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 2212	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 2212	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 1888	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 1888	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 1888	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 1888	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 1888	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 1988	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 1988	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 1988	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 1988	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 1988	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 1232	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 1232	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 1232	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 1232	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 1232	2668	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe
"C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2344

C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe
"C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\cjkou"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2484

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\fephvqaz"
4⤵
- Accesses Microsoft Outlook accounts
PID:2928

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\pgcrwilbjiqm"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\upwbtiiglmmkgnxsfmjnxqliszokcvxbue"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1888

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\wjjuusb"
4⤵
- Accesses Microsoft Outlook accounts
PID:1988

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\hlonmkmbnc"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
c592a92aadd638ef1f60bbf64033b9b0

SHA1
8cf8e812a87fc6919631958ed4a76af056662e71

SHA256
b658523ee13db368c7fc9c2d882d2d86462e467615d8c97ee4e7be05b14163a9

SHA512
e35fcde9a68fbaa9c98cd49ebe560bafc17de2c549d240ba0c2d3e3fbe19a83f149bf22299284af0cd934001d197b09c7eb6661e4606131c4a6ec90f3e535ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\orographically

Filesize
482KB

MD5
17db3ee54b8207f5415603d856255c9d

SHA1
a480c3d3f948e61b258b18732b99732f62fe93e5

SHA256
e138b8344f3c0b7d400d452da5662e5625365f71ca955034f8b6ddf05b4a3c37

SHA512
7a4fc990c68c73f9729e2b56d337a8888094bad6766ad9c9f0cc3faaa89fa289189660bed466adca97039431f9d4ff179227b9f8e1dce2ea6b42b1ea09d50cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\upwbtiiglmmkgnxsfmjnxqliszokcvxbue

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\vitraillist

Filesize
29KB

MD5
7e652071f4c1e8a16bbcc9fe126774f0

SHA1
e6eed67590573d8427f648e2952e88005fba1efd

SHA256
132f9d86d77df4cc036a745abc0a419412a35b9977005bb0a19258d8a629bbf2

SHA512
469fd55d6f2ffe4f2d2117db33e68f879878013958677d72f27eeaf953611e504bfb8ff89a44558308c10f3f2e204157f5cb50fb78c94b674e410bf84c741ddb

Download Submit
\Users\Admin\AppData\Local\reindulgence\brawlis.exe

Filesize
107.4MB

MD5
80556551d9c9fc13ac001feaccc2c13e

SHA1
886d9f47100268115f76067448aa30447ac40f2c

SHA256
5d8cbe08388199798a5f213e250099765db589c744e984705c33d42dee79a72a

SHA512
4a1d446b5adbd29f9b2fb778794ce35de33528480cb0baba14a7d43b1308bba98a422babe08ab59243db1ea19e86078917fc7519767c6f94da259425f808a737

Download Submit
memory/1232-92-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1232-91-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1232-89-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1888-77-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1888-97-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1888-81-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1988-85-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1988-90-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1988-86-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2212-136-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2212-60-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2212-72-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2212-69-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2344-10-0x00000000000F0000-0x00000000000F4000-memory.dmp

Filesize
16KB

Download
memory/2484-54-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2484-50-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2484-46-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2484-44-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2484-70-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2668-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-138-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-133-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-100-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2668-131-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2668-103-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2668-104-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2668-105-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-110-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-111-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-119-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-120-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-127-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-128-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2928-67-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2928-51-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2928-55-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2928-59-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download