remcos | 13a780d9b9243d3fea7a8f28655b9c3cc752e39fa7ade991ef73e4f89e7b6c26

General

Target

873fb22d93c231e49477c051c6438c28.exe
Size

1.3MB
MD5

873fb22d93c231e49477c051c6438c28
SHA1

ff18a1f60a255d63bd2a6f7e927bf7341bb1bb02
SHA256

13a780d9b9243d3fea7a8f28655b9c3cc752e39fa7ade991ef73e4f89e7b6c26
SHA512

9955adf3bd77ec8e79e2171a0e7f8e6ba98e4f910641a8ee56f278d66832cd00312c1c765fffbf8956fca46604a31f6942f8b51eabcc3146b4fd5a2217f943f7
SSDEEP

24576:kaXk+nGvZEePw/+xKgVV3PgirOpaGL5i9AO/JV8m0R:r/GjZBFP1Gk/8b

Score

10^/10

remcos remotehost collection rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

64.188.22.11:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-10FYXY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/3120-34-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral2/memory/3120-32-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral2/memory/3120-42-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/3036-31-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/3036-33-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/3036-51-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3036-31-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/3120-34-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/3036-33-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/3120-32-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/3956-43-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3120-42-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/3036-51-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

873fb22d93c231e49477c051c6438c28.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	873fb22d93c231e49477c051c6438c28.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

873fb22d93c231e49477c051c6438c28.exe873fb22d93c231e49477c051c6438c28.exe

description	pid	process	target process
PID 3312 set thread context of 4220	3312	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 4220 set thread context of 3036	4220	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 4220 set thread context of 3120	4220	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 4220 set thread context of 3956	4220	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

873fb22d93c231e49477c051c6438c28.exe873fb22d93c231e49477c051c6438c28.exe

pid	process
3036	873fb22d93c231e49477c051c6438c28.exe
3036	873fb22d93c231e49477c051c6438c28.exe
3956	873fb22d93c231e49477c051c6438c28.exe
3956	873fb22d93c231e49477c051c6438c28.exe
3036	873fb22d93c231e49477c051c6438c28.exe
3036	873fb22d93c231e49477c051c6438c28.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

873fb22d93c231e49477c051c6438c28.exe

pid	process
4220	873fb22d93c231e49477c051c6438c28.exe
4220	873fb22d93c231e49477c051c6438c28.exe
4220	873fb22d93c231e49477c051c6438c28.exe
4220	873fb22d93c231e49477c051c6438c28.exe
4220	873fb22d93c231e49477c051c6438c28.exe
4220	873fb22d93c231e49477c051c6438c28.exe
4220	873fb22d93c231e49477c051c6438c28.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

873fb22d93c231e49477c051c6438c28.exe

description pid process

Token: SeDebugPrivilege 3956 873fb22d93c231e49477c051c6438c28.exe

description	pid	process
Token: SeDebugPrivilege	3956	873fb22d93c231e49477c051c6438c28.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

873fb22d93c231e49477c051c6438c28.exe873fb22d93c231e49477c051c6438c28.exe

C:\Users\Admin\AppData\Local\Temp\873fb22d93c231e49477c051c6438c28.exe
"C:\Users\Admin\AppData\Local\Temp\873fb22d93c231e49477c051c6438c28.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3312

C:\Users\Admin\AppData\Local\Temp\873fb22d93c231e49477c051c6438c28.exe
"C:\Users\Admin\AppData\Local\Temp\873fb22d93c231e49477c051c6438c28.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4220

C:\Users\Admin\AppData\Local\Temp\873fb22d93c231e49477c051c6438c28.exe
C:\Users\Admin\AppData\Local\Temp\873fb22d93c231e49477c051c6438c28.exe /stext "C:\Users\Admin\AppData\Local\Temp\bityzyvpadnqvnnqrszizctcmnzqq"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3036

C:\Users\Admin\AppData\Local\Temp\873fb22d93c231e49477c051c6438c28.exe
C:\Users\Admin\AppData\Local\Temp\873fb22d93c231e49477c051c6438c28.exe /stext "C:\Users\Admin\AppData\Local\Temp\lcyrarfjwlfvgtbuacmjcgntntjzrwor"
3⤵
PID:3456

C:\Users\Admin\AppData\Local\Temp\873fb22d93c231e49477c051c6438c28.exe
C:\Users\Admin\AppData\Local\Temp\873fb22d93c231e49477c051c6438c28.exe /stext "C:\Users\Admin\AppData\Local\Temp\lcyrarfjwlfvgtbuacmjcgntntjzrwor"
3⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\873fb22d93c231e49477c051c6438c28.exe
C:\Users\Admin\AppData\Local\Temp\873fb22d93c231e49477c051c6438c28.exe /stext "C:\Users\Admin\AppData\Local\Temp\lcyrarfjwlfvgtbuacmjcgntntjzrwor"
3⤵
- Accesses Microsoft Outlook accounts
PID:3120

C:\Users\Admin\AppData\Local\Temp\873fb22d93c231e49477c051c6438c28.exe
C:\Users\Admin\AppData\Local\Temp\873fb22d93c231e49477c051c6438c28.exe /stext "C:\Users\Admin\AppData\Local\Temp\owlk"
3⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\873fb22d93c231e49477c051c6438c28.exe
C:\Users\Admin\AppData\Local\Temp\873fb22d93c231e49477c051c6438c28.exe /stext "C:\Users\Admin\AppData\Local\Temp\owlk"
3⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\873fb22d93c231e49477c051c6438c28.exe
C:\Users\Admin\AppData\Local\Temp\873fb22d93c231e49477c051c6438c28.exe /stext "C:\Users\Admin\AppData\Local\Temp\owlk"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:4456

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bityzyvpadnqvnnqrszizctcmnzqq
Filesize
4KB

MD5
10fa8ec140c204486092fb161e567ec7

SHA1
4d63e1f8df3afefedb19df73d7ee5f3b1e7b6473

SHA256
7176ca3d0196ec46f178107fdb587adaef3f6ea65daa80eccd2371a515880e04

SHA512
9db4eeb3f07d8d0579f75f3426c91156809152d8c1a37c9a27bf159888f6dd97f1212ac80f5bbb17e4d86f3087c512ccba2ca50a2db07d071370bd36364e1f76

Download Submit
memory/3036-33-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3036-31-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3036-28-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3036-25-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3036-51-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3120-32-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3120-30-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3120-27-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3120-34-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3120-42-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3312-18-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/3312-2-0x00000000059D0000-0x0000000005F74000-memory.dmp

Filesize
5.6MB

Download
memory/3312-3-0x0000000005520000-0x00000000055B2000-memory.dmp

Filesize
584KB

Download
memory/3312-11-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/3312-1-0x00000000009F0000-0x0000000000B38000-memory.dmp

Filesize
1.3MB

Download
memory/3312-10-0x0000000008940000-0x0000000008A26000-memory.dmp

Filesize
920KB

Download
memory/3312-7-0x00000000059A0000-0x00000000059B8000-memory.dmp

Filesize
96KB

Download
memory/3312-8-0x00000000059C0000-0x00000000059CE000-memory.dmp

Filesize
56KB

Download
memory/3312-0-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/3312-12-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/3312-6-0x0000000005800000-0x000000000589C000-memory.dmp

Filesize
624KB

Download
memory/3312-5-0x00000000055E0000-0x00000000055EA000-memory.dmp

Filesize
40KB

Download
memory/3312-9-0x0000000006270000-0x0000000006284000-memory.dmp

Filesize
80KB

Download
memory/3312-4-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/3956-41-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3956-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3956-35-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4220-13-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4220-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4220-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4220-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4220-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4220-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4220-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4220-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4220-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4220-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4220-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4220-53-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4220-56-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4220-57-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4220-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4220-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4220-60-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4220-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4220-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4220-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4220-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4220-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4220-67-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4220-66-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

description	pid	process	target process
PID 3312 wrote to memory of 4220	3312	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 3312 wrote to memory of 4220	3312	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 3312 wrote to memory of 4220	3312	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 3312 wrote to memory of 4220	3312	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 3312 wrote to memory of 4220	3312	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 3312 wrote to memory of 4220	3312	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 3312 wrote to memory of 4220	3312	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 3312 wrote to memory of 4220	3312	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 3312 wrote to memory of 4220	3312	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 3312 wrote to memory of 4220	3312	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 3312 wrote to memory of 4220	3312	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 3312 wrote to memory of 4220	3312	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 4220 wrote to memory of 3036	4220	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 4220 wrote to memory of 3036	4220	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 4220 wrote to memory of 3036	4220	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 4220 wrote to memory of 3036	4220	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 4220 wrote to memory of 3456	4220	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 4220 wrote to memory of 3456	4220	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 4220 wrote to memory of 3456	4220	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 4220 wrote to memory of 3924	4220	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 4220 wrote to memory of 3924	4220	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 4220 wrote to memory of 3924	4220	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 4220 wrote to memory of 3120	4220	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 4220 wrote to memory of 3120	4220	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 4220 wrote to memory of 3120	4220	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 4220 wrote to memory of 3120	4220	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 4220 wrote to memory of 4648	4220	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 4220 wrote to memory of 4648	4220	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 4220 wrote to memory of 4648	4220	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 4220 wrote to memory of 5048	4220	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 4220 wrote to memory of 5048	4220	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 4220 wrote to memory of 5048	4220	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 4220 wrote to memory of 3956	4220	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 4220 wrote to memory of 3956	4220	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 4220 wrote to memory of 3956	4220	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe
PID 4220 wrote to memory of 3956	4220	873fb22d93c231e49477c051c6438c28.exe	873fb22d93c231e49477c051c6438c28.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads