remcos | 190278e5db1ab39792859b7d7cbb4dfcf544bd4d6d52404bfc616b81e4e76196

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c26c2acac8badfe751f8614f4ff978a0_NeikiAnalytics.exe
Size

1.6MB
MD5

c26c2acac8badfe751f8614f4ff978a0
SHA1

e7bddc0bf4cd8b3fe801bb3fc4d75a0bddf52dda
SHA256

190278e5db1ab39792859b7d7cbb4dfcf544bd4d6d52404bfc616b81e4e76196
SHA512

6ea022497945444c85434895f21629d5620729d587cfe04dc74d4b62487468a0deffedfd791978582292f00b85e0622a81fdff9a7204de3a185a3d3f765389cb
SSDEEP

49152:JTyfaerlkRH/7CG+xJZAOALfrSUv15gmm7kqQILp5ibWkg:JNewOALfrSUv15gmm7kqQILp5

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

taker202.ddns.net:3017

taker202.duckdns.org:5033

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
xmnw-AAJ144
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c26c2acac8badfe751f8614f4ff978a0_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xhqgbabp = "C:\\Users\\Public\\Xhqgbabp.url"	c26c2acac8badfe751f8614f4ff978a0_NeikiAnalytics.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

c26c2acac8badfe751f8614f4ff978a0_NeikiAnalytics.exe

pid process

4280 c26c2acac8badfe751f8614f4ff978a0_NeikiAnalytics.exe

pid	process
4280	c26c2acac8badfe751f8614f4ff978a0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c26c2acac8badfe751f8614f4ff978a0_NeikiAnalytics.exe

description	pid	process	target process
PID 4280 wrote to memory of 3564	4280	c26c2acac8badfe751f8614f4ff978a0_NeikiAnalytics.exe	extrac32.exe
PID 4280 wrote to memory of 3564	4280	c26c2acac8badfe751f8614f4ff978a0_NeikiAnalytics.exe	extrac32.exe
PID 4280 wrote to memory of 3564	4280	c26c2acac8badfe751f8614f4ff978a0_NeikiAnalytics.exe	extrac32.exe

C:\Users\Admin\AppData\Local\Temp\c26c2acac8badfe751f8614f4ff978a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c26c2acac8badfe751f8614f4ff978a0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\SysWOW64\extrac32.exe
  C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\c26c2acac8badfe751f8614f4ff978a0_NeikiAnalytics.exe C:\\Users\\Public\\Libraries\\Xhqgbabp.PIF
  2⤵
  PID:3564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
6afdb3916c0cd66c48b9870f717959ae

SHA1
49e0aa704a6fff2a0649768f2f022874980b728e

SHA256
b2e8d222d228bc979e9b29971f55582e1db345f29242e2e1778799812d0d801d

SHA512
f4d4d94e7041ae72829527a63fcfe39be74a1ce4c1848141683afc54db0985e2bfe6495dd70284e9a07db4952e73fbfc366d59ed45b08c98c5ec42cd3992780d

Download Submit
memory/4280-39-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-84-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-10-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-43-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-12-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-13-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-14-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-16-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-17-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-21-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-22-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-23-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-25-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/4280-27-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-28-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-31-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-33-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-45-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-35-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-6-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-38-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-0-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/4280-11-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/4280-9-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-34-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-47-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-49-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-50-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-54-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-55-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-56-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-58-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-60-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-63-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-67-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-70-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-72-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-74-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-75-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-76-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-78-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-80-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-83-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-44-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download
memory/4280-87-0x0000000027C50000-0x0000000028C50000-memory.dmp

Filesize
16.0MB

Download