Overview

overview

10

Static

static

3

408f6df514...5c.exe

windows7-x64

9

408f6df514...5c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-04-2024 01:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe

  • Size

    996KB

  • MD5

    0f590a7d7c99e395fa9aaa1159e00fb3

  • SHA1

    58322ce759d00892e146a499456492f19b03ede0

  • SHA256

    408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c

  • SHA512

    27c402a22a4cc414a53584a55a87e6d314c62f8958ee8ee690020aaa762c1aede794877cdc37806c9f1c3aa6d9dd5e675e10bc9efcf567987f86cf1ede4e1c59

  • SSDEEP

    24576:Ko5SLBTIjiK1MweZsLuI2/OFea6hPj42nqxvS:z5StsR1MwiOFGctxv

Score
10/10
remcosremotehostcollectionratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

paygateme.net:2286

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-WTDTSU

  • screenshot_crypt

    true

  • screenshot_flag

    true

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 21 IoCs
  • Detects executables built or packed with MPress PE compressor 14 IoCs
  • Detects executables packed with SmartAssembly 1 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
    "C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3616
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fmduzErmJdOHa.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5032
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fmduzErmJdOHa" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7927.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3148
    • C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
      "C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe"
      2⤵
        PID:3580
      • C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
        "C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe"
        2⤵
          PID:1620
        • C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
          "C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:744
          • C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
            C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe /stext "C:\Users\Admin\AppData\Local\Temp\hzzsanekhrlvbiyc"
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:4296
          • C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
            C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe /stext "C:\Users\Admin\AppData\Local\Temp\jtnkbfomvzdidomoaga"
            3⤵
              PID:4312
            • C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
              C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe /stext "C:\Users\Admin\AppData\Local\Temp\jtnkbfomvzdidomoaga"
              3⤵
                PID:4376
              • C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
                C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe /stext "C:\Users\Admin\AppData\Local\Temp\jtnkbfomvzdidomoaga"
                3⤵
                • Accesses Microsoft Outlook accounts
                PID:4308
              • C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
                C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe /stext "C:\Users\Admin\AppData\Local\Temp\uvsvtyzfjhvnnuisrqmvpg"
                3⤵
                  PID:2248
                • C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
                  C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe /stext "C:\Users\Admin\AppData\Local\Temp\uvsvtyzfjhvnnuisrqmvpg"
                  3⤵
                  • Suspicious use of UnmapMainImage
                  PID:2960
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 12
                    4⤵
                    • Program crash
                    PID:4860
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2960 -ip 2960
              1⤵
                PID:4352

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\ProgramData\remcos\logs.dat
                Filesize

                144B

                MD5

                93da2049e4d110992b37848b69a1a93f

                SHA1

                3424899de529674d60d69eab7fb27d798df685b4

                SHA256

                f6e512291a487310b73d0f260f139df4f05a63ab29534d150e5edb6b1f202664

                SHA512

                46021fad1f3f46b9906c7be4c242a94685c797a4895e67cc15d161d8eeafdba95ea3b126b0a14bd5cc0427bd474bd839f31dadeaedafa36297e97908f4d563a3

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q0shwy5q.b0y.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\hzzsanekhrlvbiyc
                Filesize

                4KB

                MD5

                f941b9bd168d89f2e86359d2f26d9dfd

                SHA1

                5974ff71bf85a7a297bc8b0dc86351099d711b8f

                SHA256

                d0704de64af994f35974f05a3e5698e51ef2c7a31b766a86d810e210a4ceb839

                SHA512

                ffa54ce016718e0693b0d05b3271a970beb44ae1681213e59cc9c8c98dca7b3755f57d5bb8b3e554d597de8c2775c5bc11d9f31bf3c8ee50785a4d8dd62f3164

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\tmp7927.tmp
                Filesize

                1KB

                MD5

                ff29b58dc4c0e72e4dae2ba191a01d3a

                SHA1

                629148c53d77e98c54d0d2dcf5025c02bd308c78

                SHA256

                015db16eac5d728c3c860d46da2b9b1e9dfa8440ba4ea0e0c2a4e0d7a9c02fa0

                SHA512

                adf0da02a70c7803fa2caeb0f649caf1986b6cdc85542eb350235d719237eb63238822bdf5b333256fd0f1af80a4641a21dc0bea8fb3cbf7c10956267babd9f1

                Download Submit

              • memory/744-113-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/744-118-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/744-79-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/744-82-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/744-75-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/744-74-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/744-45-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/744-143-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/744-134-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/744-127-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/744-110-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/744-42-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/744-126-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/744-111-0x0000000010000000-0x0000000010019000-memory.dmp

                Filesize

                100KB

                Download

              • memory/744-22-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/744-49-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/744-24-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/744-117-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/744-104-0x0000000010000000-0x0000000010019000-memory.dmp

                Filesize

                100KB

                Download

              • memory/744-108-0x0000000010000000-0x0000000010019000-memory.dmp

                Filesize

                100KB

                Download

              • memory/744-44-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/744-107-0x0000000010000000-0x0000000010019000-memory.dmp

                Filesize

                100KB

                Download

              • memory/744-39-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/744-80-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/744-26-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/744-109-0x0000000010000000-0x0000000010019000-memory.dmp

                Filesize

                100KB

                Download

              • memory/2960-103-0x0000000000380000-0x0000000000380000-memory.dmp

                Download

              • memory/2960-91-0x0000000000400000-0x0000000000424000-memory.dmp

                Filesize

                144KB

                Download

              • memory/3616-10-0x0000000006710000-0x00000000067D0000-memory.dmp

                Filesize

                768KB

                Download

              • memory/3616-4-0x0000000005990000-0x00000000059A0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3616-6-0x0000000005A40000-0x0000000005ADC000-memory.dmp

                Filesize

                624KB

                Download

              • memory/3616-41-0x0000000074BD0000-0x0000000075380000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/3616-2-0x0000000005C80000-0x0000000006224000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/3616-3-0x0000000005770000-0x0000000005802000-memory.dmp

                Filesize

                584KB

                Download

              • memory/3616-0-0x0000000000C20000-0x0000000000D1C000-memory.dmp

                Filesize

                1008KB

                Download

              • memory/3616-1-0x0000000074BD0000-0x0000000075380000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/3616-5-0x0000000005720000-0x000000000572A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/3616-7-0x0000000005740000-0x000000000575C000-memory.dmp

                Filesize

                112KB

                Download

              • memory/3616-8-0x0000000005760000-0x0000000005768000-memory.dmp

                Filesize

                32KB

                Download

              • memory/3616-19-0x0000000074BD0000-0x0000000075380000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/3616-9-0x0000000005120000-0x000000000512C000-memory.dmp

                Filesize

                48KB

                Download

              • memory/4296-88-0x0000000000400000-0x0000000000478000-memory.dmp

                Filesize

                480KB

                Download

              • memory/4296-84-0x0000000000400000-0x0000000000478000-memory.dmp

                Filesize

                480KB

                Download

              • memory/4296-92-0x0000000000400000-0x0000000000478000-memory.dmp

                Filesize

                480KB

                Download

              • memory/4296-100-0x0000000000400000-0x0000000000478000-memory.dmp

                Filesize

                480KB

                Download

              • memory/4308-89-0x0000000000400000-0x0000000000462000-memory.dmp

                Filesize

                392KB

                Download

              • memory/4308-86-0x0000000000400000-0x0000000000462000-memory.dmp

                Filesize

                392KB

                Download

              • memory/4308-97-0x0000000000400000-0x0000000000462000-memory.dmp

                Filesize

                392KB

                Download

              • memory/4308-98-0x0000000000400000-0x0000000000462000-memory.dmp

                Filesize

                392KB

                Download

              • memory/5032-23-0x0000000005150000-0x0000000005172000-memory.dmp

                Filesize

                136KB

                Download

              • memory/5032-78-0x0000000074BD0000-0x0000000075380000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/5032-73-0x0000000007850000-0x0000000007858000-memory.dmp

                Filesize

                32KB

                Download

              • memory/5032-72-0x0000000007870000-0x000000000788A000-memory.dmp

                Filesize

                104KB

                Download

              • memory/5032-71-0x0000000007770000-0x0000000007784000-memory.dmp

                Filesize

                80KB

                Download

              • memory/5032-70-0x0000000007760000-0x000000000776E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/5032-69-0x0000000007730000-0x0000000007741000-memory.dmp

                Filesize

                68KB

                Download

              • memory/5032-68-0x00000000077B0000-0x0000000007846000-memory.dmp

                Filesize

                600KB

                Download

              • memory/5032-67-0x00000000075A0000-0x00000000075AA000-memory.dmp

                Filesize

                40KB

                Download

              • memory/5032-66-0x0000000007530000-0x000000000754A000-memory.dmp

                Filesize

                104KB

                Download

              • memory/5032-65-0x0000000007B70000-0x00000000081EA000-memory.dmp

                Filesize

                6.5MB

                Download

              • memory/5032-64-0x00000000071E0000-0x0000000007283000-memory.dmp

                Filesize

                652KB

                Download

              • memory/5032-62-0x00000000028B0000-0x00000000028C0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/5032-63-0x00000000067A0000-0x00000000067BE000-memory.dmp

                Filesize

                120KB

                Download

              • memory/5032-52-0x0000000072250000-0x000000007229C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/5032-51-0x00000000067E0000-0x0000000006812000-memory.dmp

                Filesize

                200KB

                Download

              • memory/5032-50-0x000000007F9D0000-0x000000007F9E0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/5032-47-0x0000000006250000-0x000000000629C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/5032-46-0x00000000060F0000-0x000000000610E000-memory.dmp

                Filesize

                120KB

                Download

              • memory/5032-43-0x0000000005D30000-0x0000000006084000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/5032-32-0x0000000005B50000-0x0000000005BB6000-memory.dmp

                Filesize

                408KB

                Download

              • memory/5032-33-0x0000000005CC0000-0x0000000005D26000-memory.dmp

                Filesize

                408KB

                Download

              • memory/5032-20-0x00000000052F0000-0x0000000005918000-memory.dmp

                Filesize

                6.2MB

                Download

              • memory/5032-21-0x00000000028B0000-0x00000000028C0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/5032-18-0x00000000028B0000-0x00000000028C0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/5032-15-0x0000000004C80000-0x0000000004CB6000-memory.dmp

                Filesize

                216KB

                Download

              • memory/5032-16-0x0000000074BD0000-0x0000000075380000-memory.dmp

                Filesize

                7.7MB

                Download