remcos | 8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
13-05-2024 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433.exe
Size

2.4MB
MD5

6e409c732339d8d71f87666d591f9856
SHA1

d9c0a478f02642fbbbc1c3739f765a754e7fad78
SHA256

8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433
SHA512

7a16b1e81379a2ad666b6c4ef5ebf610c5d63a6eecdb7452ac98e83da50cca5cbd4395fb41a0dec7f94fb92f16da2d32de45d8eb11585aaa3739c155a5e5971d
SSDEEP

49152:zlVv/kvowwe0hJzJiwK+zM5awNMaL2TQG9ivR6jfu4Wv+eys1n0qdT0luyKYA:L/g0hJzHzXvTQGfjfu5Ty006xy

Score

10^/10

remcos zgrat spacolombia persistence rat

Malware Config

Extracted

Family

remcos

Botnet

spacolombia

areaseguras.con-ip.com:2701

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
loggsd
keylog_path
%AppData%
mouse_option
false
mutex
Rmc12145501-WMWIXV
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/2008-2-0x0000000004C90000-0x0000000004EEE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-3-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-6-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-8-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-4-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-10-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-12-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-14-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-18-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-20-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-22-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-24-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-26-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-28-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-32-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-30-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-34-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-36-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-38-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-40-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-42-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-44-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-46-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-54-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-60-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-16-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-66-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-64-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-62-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-58-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-56-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-52-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-50-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1
behavioral1/memory/2008-48-0x0000000004C90000-0x0000000004EE7000-memory.dmp	family_zgrat_v1

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mlweinwtcc = "C:\\Users\\Admin\\AppData\\Roaming\\Mlweinwtcc.exe"	8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2008 set thread context of 1512	2008	8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433.exe	28

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1512	8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433.exe
Token: SeDebugPrivilege	2008	8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1512	8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1512	2008	8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433.exe	28
PID 2008 wrote to memory of 1512	2008	8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433.exe	28
PID 2008 wrote to memory of 1512	2008	8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433.exe	28
PID 2008 wrote to memory of 1512	2008	8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433.exe	28
PID 2008 wrote to memory of 1512	2008	8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433.exe	28
PID 2008 wrote to memory of 1512	2008	8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433.exe	28
PID 2008 wrote to memory of 1512	2008	8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433.exe	28
PID 2008 wrote to memory of 1512	2008	8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433.exe	28
PID 2008 wrote to memory of 1512	2008	8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433.exe	28
PID 2008 wrote to memory of 1512	2008	8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433.exe	28
PID 2008 wrote to memory of 1512	2008	8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433.exe	28
PID 2008 wrote to memory of 1512	2008	8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433.exe	28
PID 2008 wrote to memory of 1512	2008	8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433.exe	28

C:\Users\Admin\AppData\Local\Temp\8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433.exe
"C:\Users\Admin\AppData\Local\Temp\8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433.exe
  "C:\Users\Admin\AppData\Local\Temp\8ff4e6a59790f11138b89b4f5a946c00d6259f17b0bb88b2b808f8b0676e3433.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\loggsd\logs.dat

Filesize
184B

MD5
84a8de26e5d9d3ff44bc79f5d64a7eb5

SHA1
bdd43588d7dfe50adb66436143c0a1dfa43acb23

SHA256
2c678897f32f30860794e5131914c6788cf86c90c1cf985f553cf76d73471f9e

SHA512
9730782d77ed2ed569e2a3c1786326fc0cff60a65405d81f21827833757ae837eb79f2dca0af5984ce241795c3ec5de5bb54994520c016b6ccb5d0998c2e4f95

Download Submit
C:\Users\Admin\AppData\Roaming\loggsd\logs.dat

Filesize
270B

MD5
131e146d8cabcf16a2e392a0a4fc5ca6

SHA1
5166fea833a9960452f7cf8dd42dc1792617a1a5

SHA256
c61072282dee5ab80c8cd29e7c3aae5f8a5f5ea66cd42991bd917911192a9761

SHA512
f7acecaa2df992bc297ec544c1b84a3748d712743f6221929abac8c66c4fa364006836ba6ddd5b2473d295bbc4d433173c3382347c8e1f89e30879e567db17ba

Download Submit
memory/1512-4904-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1512-4934-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2008-42-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-20-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-60-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-10-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-12-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-14-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-18-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-54-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-22-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-24-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-26-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-28-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-46-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-30-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-34-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-36-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-38-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-40-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-0-0x000000007495E000-0x000000007495F000-memory.dmp

Filesize
4KB

Download
memory/2008-44-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-32-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-8-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-4-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-16-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-66-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-64-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-62-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-58-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-56-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-52-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-50-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-48-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-4883-0x0000000000BE0000-0x0000000000C7A000-memory.dmp

Filesize
616KB

Download
memory/2008-4884-0x0000000004480000-0x00000000044CC000-memory.dmp

Filesize
304KB

Download
memory/2008-4885-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download
memory/2008-4886-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download
memory/2008-4887-0x00000000044D0000-0x0000000004524000-memory.dmp

Filesize
336KB

Download
memory/2008-6-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-4910-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download
memory/2008-3-0x0000000004C90000-0x0000000004EE7000-memory.dmp

Filesize
2.3MB

Download
memory/2008-2-0x0000000004C90000-0x0000000004EEE000-memory.dmp

Filesize
2.4MB

Download
memory/2008-1-0x0000000000E10000-0x0000000001072000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads