remcos | fea2216981e8976a502c79405747b623b22f0492d0ea779eae026249f64ca908

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase_order_PO1989404.cmd
Size

4.5MB
MD5

4f9b4171ee4728182a576b52c934da7d
SHA1

d58845c88d55aac067b919a5b4bde79d228cf5b6
SHA256

bd4ac830b43dc0f7f7ed19e1cb9b51783bfe36dfd8e58cc93a2e139fcce2c1e8
SHA512

7782a15c610d419935960f8f73243c9016441476f666c99bb71de4234f9006aa94bdc643ecda6f274187a8f41953796ea089abc20a001c771776d9b4d2355f0a
SSDEEP

24576:ajN3QGmU4n/+6JVT+avOgeF/ehZ2gCrxBJGhRCAQ:iFQGmdn/+GdRvOX9gCqQ

Score

10^/10

remcos remotehost collection persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

taker202.ddns.net:3017

taker202.duckdns.org:5033

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
xmnw-AAJ144
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4048-66-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/4048-58-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/4048-56-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/2216-60-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/2216-73-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

resource	yara_rule
behavioral2/memory/2216-60-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/4048-66-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2676-64-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4048-58-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/4048-56-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2676-71-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2216-73-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Executes dropped EXE 11 IoCs

pid	Process
4892	alpha.exe
1696	alpha.exe
3308	kn.exe
2476	alpha.exe
5004	kn.exe
4788	sppsvc.pif
2880	alpha.exe
532	alpha.exe
2216	sppsvc.pif
4048	sppsvc.pif
2676	sppsvc.pif

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	sppsvc.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xhqgbabp = "C:\\Users\\Public\\Xhqgbabp.url"	sppsvc.pif

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4788 set thread context of 2216	4788	sppsvc.pif	104
PID 4788 set thread context of 4048	4788	sppsvc.pif	105
PID 4788 set thread context of 2676	4788	sppsvc.pif	106

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	17	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	19	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2216	sppsvc.pif
2216	sppsvc.pif
2676	sppsvc.pif
2676	sppsvc.pif
2216	sppsvc.pif
2216	sppsvc.pif

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4788	sppsvc.pif
4788	sppsvc.pif
4788	sppsvc.pif

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	sppsvc.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4788	sppsvc.pif

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 1688	1040	cmd.exe	83
PID 1040 wrote to memory of 1688	1040	cmd.exe	83
PID 1040 wrote to memory of 4892	1040	cmd.exe	84
PID 1040 wrote to memory of 4892	1040	cmd.exe	84
PID 4892 wrote to memory of 936	4892	alpha.exe	85
PID 4892 wrote to memory of 936	4892	alpha.exe	85
PID 1040 wrote to memory of 1696	1040	cmd.exe	86
PID 1040 wrote to memory of 1696	1040	cmd.exe	86
PID 1696 wrote to memory of 3308	1696	alpha.exe	87
PID 1696 wrote to memory of 3308	1696	alpha.exe	87
PID 1040 wrote to memory of 2476	1040	cmd.exe	89
PID 1040 wrote to memory of 2476	1040	cmd.exe	89
PID 2476 wrote to memory of 5004	2476	alpha.exe	90
PID 2476 wrote to memory of 5004	2476	alpha.exe	90
PID 1040 wrote to memory of 4788	1040	cmd.exe	93
PID 1040 wrote to memory of 4788	1040	cmd.exe	93
PID 1040 wrote to memory of 4788	1040	cmd.exe	93
PID 1040 wrote to memory of 2880	1040	cmd.exe	94
PID 1040 wrote to memory of 2880	1040	cmd.exe	94
PID 1040 wrote to memory of 532	1040	cmd.exe	95
PID 1040 wrote to memory of 532	1040	cmd.exe	95
PID 4788 wrote to memory of 1500	4788	sppsvc.pif	100
PID 4788 wrote to memory of 1500	4788	sppsvc.pif	100
PID 4788 wrote to memory of 1500	4788	sppsvc.pif	100
PID 4788 wrote to memory of 2216	4788	sppsvc.pif	104
PID 4788 wrote to memory of 2216	4788	sppsvc.pif	104
PID 4788 wrote to memory of 2216	4788	sppsvc.pif	104
PID 4788 wrote to memory of 4048	4788	sppsvc.pif	105
PID 4788 wrote to memory of 4048	4788	sppsvc.pif	105
PID 4788 wrote to memory of 4048	4788	sppsvc.pif	105
PID 4788 wrote to memory of 2676	4788	sppsvc.pif	106
PID 4788 wrote to memory of 2676	4788	sppsvc.pif	106
PID 4788 wrote to memory of 2676	4788	sppsvc.pif	106

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Purchase_order_PO1989404.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\System32\extrac32.exe
  C:\\Windows\\System32\\extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
  2⤵
  PID:1688
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\system32\extrac32.exe
    extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    3⤵
    PID:936
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Purchase_order_PO1989404.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Purchase_order_PO1989404.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
    3⤵
    - Executes dropped EXE
    PID:3308
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
    3⤵
    - Executes dropped EXE
    PID:5004
- C:\Users\Public\Libraries\sppsvc.pif
  C:\Users\Public\Libraries\sppsvc.pif
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Windows\SysWOW64\extrac32.exe
    C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\sppsvc.pif C:\\Users\\Public\\Libraries\\Xhqgbabp.PIF
    3⤵
    PID:1500
- - C:\Users\Public\Libraries\sppsvc.pif
    C:\Users\Public\Libraries\sppsvc.pif /stext "C:\Users\Admin\AppData\Local\Temp\qrpv"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2216
- - C:\Users\Public\Libraries\sppsvc.pif
    C:\Users\Public\Libraries\sppsvc.pif /stext "C:\Users\Admin\AppData\Local\Temp\btvopuxm"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    PID:4048
- - C:\Users\Public\Libraries\sppsvc.pif
    C:\Users\Public\Libraries\sppsvc.pif /stext "C:\Users\Admin\AppData\Local\Temp\dnayqniocnf"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del "C:\Users\Public\sppsvc.rtf" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
9df8e941e0f6a1aed8a3bb99a97179dc

SHA1
a487e7e65765cc4dad0e5d507c12381f7aead6f8

SHA256
094e579daafbd1340b5c3591acfb0d4b133ceb1e63d3b9d7ed80953ef6233a19

SHA512
65ce7376c048f2e36482cf3cfd4a8508b9e72032bbb8062aeeb587eb5678fa3723965d439e5c7aa06d82b0bf21366dc70fc21e662e10ccfe1bf312e0379996cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qrpv

Filesize
4KB

MD5
788d7419b32411807cc6753cbbccecbe

SHA1
761b99a1e5bc168f525181d78cff3f6ed82daa14

SHA256
76150e857b36f1f070422d2ad4df17f87454466348e4bfc158b028977378140b

SHA512
3003f104b0b07870015ff4e9e0d254c2e537d4c68ef664a772d7018827b0ccbeb5481a2ce587b88e6ab1d71d6ce523a620c11c00c676857d5fd5ab949fa617b4

Download Submit
C:\Users\Public\Libraries\sppsvc.pif

Filesize
1.6MB

MD5
c26c2acac8badfe751f8614f4ff978a0

SHA1
e7bddc0bf4cd8b3fe801bb3fc4d75a0bddf52dda

SHA256
190278e5db1ab39792859b7d7cbb4dfcf544bd4d6d52404bfc616b81e4e76196

SHA512
6ea022497945444c85434895f21629d5620729d587cfe04dc74d4b62487468a0deffedfd791978582292f00b85e0622a81fdff9a7204de3a185a3d3f765389cb

Download Submit
C:\Users\Public\alpha.exe

Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Public\kn.exe

Filesize
1.6MB

MD5
bd8d9943a9b1def98eb83e0fa48796c2

SHA1
70e89852f023ab7cde0173eda1208dbb580f1e4f

SHA256
8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2

SHA512
95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

Download Submit
C:\Users\Public\sppsvc.rtf

Filesize
3.2MB

MD5
739d994938a47a060d86879b231f8e0a

SHA1
2f519f991592f576e5cabf599aebbd2ee8e76059

SHA256
a2c31a1b37d6ffb30d2767cd3fc8779e23f7e834da6e3846aeaefa8dacc20b99

SHA512
ada3f148c979fd8bbf87a14d524f9238aee70607c4a51ad7b75144cc86ec84514c091d2696d884adce59be804bce3535631f638455b5313c2a8fccb9b39a4e8c

Download Submit
memory/2216-57-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2216-73-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2216-60-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2216-54-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2216-48-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2676-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2676-59-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2676-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2676-71-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4048-58-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4048-56-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4048-50-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4048-55-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4048-61-0x0000000000470000-0x0000000000539000-memory.dmp

Filesize
804KB

Download
memory/4048-66-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4788-41-0x0000000027A10000-0x0000000028A10000-memory.dmp

Filesize
16.0MB

Download
memory/4788-79-0x0000000046630000-0x0000000046649000-memory.dmp

Filesize
100KB

Download
memory/4788-44-0x0000000027A10000-0x0000000028A10000-memory.dmp

Filesize
16.0MB

Download
memory/4788-43-0x0000000027A10000-0x0000000028A10000-memory.dmp

Filesize
16.0MB

Download
memory/4788-42-0x0000000027A10000-0x0000000028A10000-memory.dmp

Filesize
16.0MB

Download
memory/4788-40-0x0000000027A10000-0x0000000028A10000-memory.dmp

Filesize
16.0MB

Download
memory/4788-39-0x0000000027A10000-0x0000000028A10000-memory.dmp

Filesize
16.0MB

Download
memory/4788-38-0x0000000027A10000-0x0000000028A10000-memory.dmp

Filesize
16.0MB

Download
memory/4788-37-0x0000000027A10000-0x0000000028A10000-memory.dmp

Filesize
16.0MB

Download
memory/4788-34-0x0000000027A10000-0x0000000028A10000-memory.dmp

Filesize
16.0MB

Download
memory/4788-75-0x0000000046630000-0x0000000046649000-memory.dmp

Filesize
100KB

Download
memory/4788-46-0x0000000027A10000-0x0000000028A10000-memory.dmp

Filesize
16.0MB

Download
memory/4788-78-0x0000000046630000-0x0000000046649000-memory.dmp

Filesize
100KB

Download
memory/4788-80-0x0000000027A10000-0x0000000028A10000-memory.dmp

Filesize
16.0MB

Download
memory/4788-28-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/4788-88-0x0000000027A10000-0x0000000028A10000-memory.dmp

Filesize
16.0MB

Download
memory/4788-87-0x0000000027A10000-0x0000000028A10000-memory.dmp

Filesize
16.0MB

Download
memory/4788-98-0x0000000027A10000-0x0000000028A10000-memory.dmp

Filesize
16.0MB

Download
memory/4788-99-0x0000000027A10000-0x0000000028A10000-memory.dmp

Filesize
16.0MB

Download
memory/4788-109-0x0000000027A10000-0x0000000028A10000-memory.dmp

Filesize
16.0MB

Download
memory/4788-110-0x0000000027A10000-0x0000000028A10000-memory.dmp

Filesize
16.0MB

Download
memory/4788-122-0x0000000027A10000-0x0000000028A10000-memory.dmp

Filesize
16.0MB

Download
memory/4788-121-0x0000000027A10000-0x0000000028A10000-memory.dmp

Filesize
16.0MB

Download