remcos | 234887d5171b1fc8f3c4c4ac9ed54679adeadf5e8b488f791f90c8c3dca8d2f9

General

Target

de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe
Size

233KB
MD5

c8b5bcc79120a06f16b69bcef71324ac
SHA1

75acf6d77851efc30a181ad9a78334b7c272705a
SHA256

de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252
SHA512

e8e842e78ae6ae6a395a3c30f2ae043fc33762d0ac13df6ad333dbf1c28345ca79c7c5af5f9a33e134c13db9368a4b65a3a229c3189608b05e02402632bd5a7c
SSDEEP

6144:tmvl3n8iOiB4RBucKa3h80tK2gBWvADGGw6j1:8vlX8i8RB5JvADGGnj

Score

10^/10

remcos richard6474646 collection rat spyware stealer upx

Malware Config

Extracted

Family

remcos

Botnet

richard6474646

C2

money001.duckdns.org:9596

salwanazeeze.duckdns.org:9595

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
windows.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-UMF99C
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/5016-11-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/5016-20-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/924-10-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/924-26-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

resource	yara_rule
behavioral2/memory/5016-11-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/924-10-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/4436-19-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/5016-20-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/4436-22-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/924-26-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2608-0-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/2608-35-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/2608-38-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/2608-42-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/2608-45-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/2608-48-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/2608-57-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/2608-59-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/2608-63-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/2608-71-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/2608-75-0x0000000000400000-0x000000000048A000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2608 set thread context of 924	2608	de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe	95
PID 2608 set thread context of 5016	2608	de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe	96
PID 2608 set thread context of 4436	2608	de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe	97

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
924	de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe
924	de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe
4436	de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe
4436	de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe
924	de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe
924	de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2608	de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe
2608	de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe
2608	de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4436	de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2608	de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 924	2608	de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe	95
PID 2608 wrote to memory of 924	2608	de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe	95
PID 2608 wrote to memory of 924	2608	de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe	95
PID 2608 wrote to memory of 5016	2608	de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe	96
PID 2608 wrote to memory of 5016	2608	de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe	96
PID 2608 wrote to memory of 5016	2608	de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe	96
PID 2608 wrote to memory of 4436	2608	de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe	97
PID 2608 wrote to memory of 4436	2608	de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe	97
PID 2608 wrote to memory of 4436	2608	de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe	97

C:\Users\Admin\AppData\Local\Temp\de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe
"C:\Users\Admin\AppData\Local\Temp\de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Users\Admin\AppData\Local\Temp\de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe
  C:\Users\Admin\AppData\Local\Temp\de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe /stext "C:\Users\Admin\AppData\Local\Temp\hyjmqtuzohizgeolplthptwyekiqjkdaft"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:924
- C:\Users\Admin\AppData\Local\Temp\de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe
  C:\Users\Admin\AppData\Local\Temp\de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe /stext "C:\Users\Admin\AppData\Local\Temp\stowql"
  2⤵
  - Accesses Microsoft Outlook accounts
  PID:5016
- C:\Users\Admin\AppData\Local\Temp\de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe
  C:\Users\Admin\AppData\Local\Temp\de4f901137b60be1b2c0155595baa77837d7325736cc1d4910536cd32cf58252.exe /stext "C:\Users\Admin\AppData\Local\Temp\uvcprepuy"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
23d866173392691de589ae8ba44f597c

SHA1
a4f235e0282cf1e0e5081243cdcd45494c53ee1b

SHA256
3b06d28dc3d2abd22f60df99c15f4442bd19de1933bb9509e4d8418c27639085

SHA512
effa2b8782e1d791a86df85cf813c4075b8ab839e6b7f03c9ca6ce9230b654f016783a2fa973f8cf2562df1213d34770819e204412f38fb740ad21d5a73013bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\hyjmqtuzohizgeolplthptwyekiqjkdaft

Filesize
4KB

MD5
6566db55a623d93ea0838e3d13cf99d2

SHA1
c39fe9aef3ea6483ea4210e2989da84ddfb403e2

SHA256
6c73d4e220894399c0a8b9e901e9e1183f86658e05e59118112418b53805f995

SHA512
bd2cb72fbc109d2e60a82f1df0425c17fabbc9235eff698393dc22ad34fdc71a2abd8137994904ca28316d49f8d77f49142464d11f07e5fd7d46a7208e279a27

Download Submit
memory/924-10-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/924-2-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/924-6-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/924-26-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2608-42-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2608-45-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2608-75-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2608-71-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2608-63-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2608-59-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2608-57-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2608-48-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2608-0-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2608-40-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2608-28-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2608-31-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2608-32-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2608-33-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2608-35-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2608-38-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4436-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4436-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4436-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4436-21-0x0000000000430000-0x00000000004F9000-memory.dmp

Filesize
804KB

Download
memory/4436-19-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4436-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5016-3-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5016-7-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5016-11-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5016-20-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing