remcos | aa29ab3beabcfd1b574182cbcb4d53330ed432fe371a39c38ef59a7b681361d9

General

Target

PO#4600055745.scr
Size

1000KB
MD5

4cb03ed07925c43468569974c41b9325
SHA1

523e9b075323ae50036bf19b7f2e9615f97100d4
SHA256

aa29ab3beabcfd1b574182cbcb4d53330ed432fe371a39c38ef59a7b681361d9
SHA512

547fde8610379ee2e7ebeca76a711b5adb6c696abb9deaace5e4ea225e40d37fa437bb563dbd9bc81a2053676d2fb2ae43e4270d695f5d9d0a7d8ebee23f9ba3
SSDEEP

24576:0o5K55ee/YuX1Gx7MH7V9mu/0ilqWe7LpjCSAv:V5qauX1s7Mh4u/0ilq7LXAv

Score

10^/10

remcos buddy collection rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

BUDDY

C2

192.210.201.57:52499

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-LMLI87
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/456-36-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/456-43-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/1940-35-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/1940-47-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1940-35-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/456-36-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/1328-44-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/456-43-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/1328-45-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/1940-47-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

PO#4600055745.scr

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	PO#4600055745.scr

Suspicious use of SetThreadContext 4 IoCs

Processes:

PO#4600055745.scrPO#4600055745.scr

description	pid	process	target process
PID 4344 set thread context of 4564	4344	PO#4600055745.scr	PO#4600055745.scr
PID 4564 set thread context of 1940	4564	PO#4600055745.scr	PO#4600055745.scr
PID 4564 set thread context of 456	4564	PO#4600055745.scr	PO#4600055745.scr
PID 4564 set thread context of 1328	4564	PO#4600055745.scr	PO#4600055745.scr

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

PO#4600055745.scrPO#4600055745.scrPO#4600055745.scr

pid	process
4344	PO#4600055745.scr
4344	PO#4600055745.scr
4344	PO#4600055745.scr
4344	PO#4600055745.scr
1940	PO#4600055745.scr
1940	PO#4600055745.scr
1328	PO#4600055745.scr
1328	PO#4600055745.scr
1940	PO#4600055745.scr
1940	PO#4600055745.scr

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

PO#4600055745.scr

pid process

4564 PO#4600055745.scr
4564 PO#4600055745.scr
4564 PO#4600055745.scr
4564 PO#4600055745.scr
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO#4600055745.scrPO#4600055745.scr

description pid process

Token: SeDebugPrivilege 4344 PO#4600055745.scr
Token: SeDebugPrivilege 1328 PO#4600055745.scr
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PO#4600055745.scr

pid process

4564 PO#4600055745.scr

pid	process
4564	PO#4600055745.scr
4564	PO#4600055745.scr
4564	PO#4600055745.scr
4564	PO#4600055745.scr

description	pid	process
Token: SeDebugPrivilege	4344	PO#4600055745.scr
Token: SeDebugPrivilege	1328	PO#4600055745.scr

pid	process
4564	PO#4600055745.scr

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

PO#4600055745.scrPO#4600055745.scr

description	pid	process	target process
PID 4344 wrote to memory of 448	4344	PO#4600055745.scr	PO#4600055745.scr
PID 4344 wrote to memory of 448	4344	PO#4600055745.scr	PO#4600055745.scr
PID 4344 wrote to memory of 448	4344	PO#4600055745.scr	PO#4600055745.scr
PID 4344 wrote to memory of 3648	4344	PO#4600055745.scr	PO#4600055745.scr
PID 4344 wrote to memory of 3648	4344	PO#4600055745.scr	PO#4600055745.scr
PID 4344 wrote to memory of 3648	4344	PO#4600055745.scr	PO#4600055745.scr
PID 4344 wrote to memory of 4564	4344	PO#4600055745.scr	PO#4600055745.scr
PID 4344 wrote to memory of 4564	4344	PO#4600055745.scr	PO#4600055745.scr
PID 4344 wrote to memory of 4564	4344	PO#4600055745.scr	PO#4600055745.scr
PID 4344 wrote to memory of 4564	4344	PO#4600055745.scr	PO#4600055745.scr
PID 4344 wrote to memory of 4564	4344	PO#4600055745.scr	PO#4600055745.scr
PID 4344 wrote to memory of 4564	4344	PO#4600055745.scr	PO#4600055745.scr
PID 4344 wrote to memory of 4564	4344	PO#4600055745.scr	PO#4600055745.scr
PID 4344 wrote to memory of 4564	4344	PO#4600055745.scr	PO#4600055745.scr
PID 4344 wrote to memory of 4564	4344	PO#4600055745.scr	PO#4600055745.scr
PID 4344 wrote to memory of 4564	4344	PO#4600055745.scr	PO#4600055745.scr
PID 4344 wrote to memory of 4564	4344	PO#4600055745.scr	PO#4600055745.scr
PID 4344 wrote to memory of 4564	4344	PO#4600055745.scr	PO#4600055745.scr
PID 4564 wrote to memory of 1940	4564	PO#4600055745.scr	PO#4600055745.scr
PID 4564 wrote to memory of 1940	4564	PO#4600055745.scr	PO#4600055745.scr
PID 4564 wrote to memory of 1940	4564	PO#4600055745.scr	PO#4600055745.scr
PID 4564 wrote to memory of 1940	4564	PO#4600055745.scr	PO#4600055745.scr
PID 4564 wrote to memory of 456	4564	PO#4600055745.scr	PO#4600055745.scr
PID 4564 wrote to memory of 456	4564	PO#4600055745.scr	PO#4600055745.scr
PID 4564 wrote to memory of 456	4564	PO#4600055745.scr	PO#4600055745.scr
PID 4564 wrote to memory of 456	4564	PO#4600055745.scr	PO#4600055745.scr
PID 4564 wrote to memory of 3964	4564	PO#4600055745.scr	PO#4600055745.scr
PID 4564 wrote to memory of 3964	4564	PO#4600055745.scr	PO#4600055745.scr
PID 4564 wrote to memory of 3964	4564	PO#4600055745.scr	PO#4600055745.scr
PID 4564 wrote to memory of 1328	4564	PO#4600055745.scr	PO#4600055745.scr
PID 4564 wrote to memory of 1328	4564	PO#4600055745.scr	PO#4600055745.scr
PID 4564 wrote to memory of 1328	4564	PO#4600055745.scr	PO#4600055745.scr
PID 4564 wrote to memory of 1328	4564	PO#4600055745.scr	PO#4600055745.scr

C:\Users\Admin\AppData\Local\Temp\PO#4600055745.scr
"C:\Users\Admin\AppData\Local\Temp\PO#4600055745.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4344

C:\Users\Admin\AppData\Local\Temp\PO#4600055745.scr
"C:\Users\Admin\AppData\Local\Temp\PO#4600055745.scr"
2⤵
PID:448

C:\Users\Admin\AppData\Local\Temp\PO#4600055745.scr
"C:\Users\Admin\AppData\Local\Temp\PO#4600055745.scr"
2⤵
PID:3648

C:\Users\Admin\AppData\Local\Temp\PO#4600055745.scr
"C:\Users\Admin\AppData\Local\Temp\PO#4600055745.scr"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4564

C:\Users\Admin\AppData\Local\Temp\PO#4600055745.scr
C:\Users\Admin\AppData\Local\Temp\PO#4600055745.scr /stext "C:\Users\Admin\AppData\Local\Temp\phgjxkgvwsfsnrfzrzfyl"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1940

C:\Users\Admin\AppData\Local\Temp\PO#4600055745.scr
C:\Users\Admin\AppData\Local\Temp\PO#4600055745.scr /stext "C:\Users\Admin\AppData\Local\Temp\abtbycrxkaxwqgbdjkrrwwpt"
3⤵
- Accesses Microsoft Outlook accounts
PID:456

C:\Users\Admin\AppData\Local\Temp\PO#4600055745.scr
C:\Users\Admin\AppData\Local\Temp\PO#4600055745.scr /stext "C:\Users\Admin\AppData\Local\Temp\kvzuyvbqgipjamqhsumtzbccfrh"
3⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\PO#4600055745.scr
C:\Users\Admin\AppData\Local\Temp\PO#4600055745.scr /stext "C:\Users\Admin\AppData\Local\Temp\kvzuyvbqgipjamqhsumtzbccfrh"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1328

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
a09a59dc8c1ed59668481fc7b94903fb

SHA1
532fcf759aa857d3dd496ba2ec9723db8cd00a80

SHA256
e7d5ac98174e9f3f5bee3ff6d6377de194ff4ede99625ca9b80da1d5e2d478a4

SHA512
bed375db1bbcfa61a0273416ed0d3a321d36f4590269ad9d3b4ea6430dbd203d13cc449e394ebbbb3e68622f79c399f1ef4a27a29c0add463f1e3d0709004593

Download Submit
C:\Users\Admin\AppData\Local\Temp\phgjxkgvwsfsnrfzrzfyl
Filesize
4KB

MD5
ec0cf9ff722f9a9259c3338972c40886

SHA1
31bad5285affb58c5ebe0569bbdb9bd1deab245c

SHA256
30190665467845aed54732c31c7e385368c10acb595cffdd7ca9523fff051a19

SHA512
bdfaf9576db431d3c4d14e0ea5deafce661fceda6d5123a6f4b84d50a576dd1ccf4202091dc0b55bed665dd45b4e30d2a797bda6015b06f5771064f9bab32d1a

Download Submit
memory/456-29-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/456-33-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/456-36-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/456-43-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1328-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1328-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1328-37-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1328-45-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1940-32-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1940-47-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1940-35-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1940-28-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4344-6-0x0000000005B00000-0x0000000005B9C000-memory.dmp

Filesize
624KB

Download
memory/4344-15-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/4344-1-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/4344-10-0x000000000BD10000-0x000000000BDD0000-memory.dmp

Filesize
768KB

Download
memory/4344-9-0x00000000017D0000-0x00000000017DC000-memory.dmp

Filesize
48KB

Download
memory/4344-8-0x00000000058F0000-0x00000000058F8000-memory.dmp

Filesize
32KB

Download
memory/4344-7-0x0000000005830000-0x000000000584C000-memory.dmp

Filesize
112KB

Download
memory/4344-5-0x0000000005810000-0x000000000581A000-memory.dmp

Filesize
40KB

Download
memory/4344-4-0x0000000005A50000-0x0000000005A60000-memory.dmp

Filesize
64KB

Download
memory/4344-3-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download
memory/4344-2-0x0000000005ED0000-0x0000000006474000-memory.dmp

Filesize
5.6MB

Download
memory/4344-0-0x0000000000D20000-0x0000000000E1C000-memory.dmp

Filesize
1008KB

Download
memory/4564-13-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4564-54-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4564-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4564-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4564-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4564-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4564-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4564-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4564-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4564-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4564-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4564-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4564-49-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4564-53-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4564-52-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4564-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4564-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4564-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4564-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4564-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4564-11-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4564-64-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4564-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4564-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4564-76-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4564-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4564-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4564-92-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4564-93-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads