remcos | 274086842325654e8c2e2f756629b4fc3532d2b54cbcea3ab207b23782fa56a7 | Triage

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 08:26

Sharing

Report Analysis Logs

General

Target

BLdraftedCopy200524.exe
Size

472KB
MD5

04b8fc8f6182aa25305b19c0917aa7d7
SHA1

fcf7d768cb6ba5067723b694984fd20b8e0a079a
SHA256

f08569862f95f332a676932f77eed6f4321c1e6bf3f24a6f3398dc6608ca8353
SHA512

0118012b0eb44b91037b8a31fb5fd3fc55042d9009756badf221d9c24943e294521688cc90c47285ecd11d165a8c6b6bf4bcf6675d0412e2c385346e8cc53811
SSDEEP

12288:vi3hR5SANo8/O2zaKBtD1sJG9GIzwmG5hvnHQ:K3hv5j/zbDmskwwm+dQ

Score

10^/10

remcos remotehost collection rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

64.188.27.90:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-COHIYL
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2952-72-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/2952-88-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2924-67-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2924-61-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2924-79-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2996-66-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2996-70-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2924-67-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2924-61-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2996-73-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2952-72-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2924-79-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2952-88-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Loads dropped DLL 3 IoCs

Processes:

BLdraftedCopy200524.exe

pid process

2552 BLdraftedCopy200524.exe
2552 BLdraftedCopy200524.exe
2552 BLdraftedCopy200524.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

Email Collection

Processes:

BLdraftedCopy200524.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	BLdraftedCopy200524.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

BLdraftedCopy200524.exe

pid process

2864 BLdraftedCopy200524.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

BLdraftedCopy200524.exeBLdraftedCopy200524.exe

pid process

2552 BLdraftedCopy200524.exe
2864 BLdraftedCopy200524.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

BLdraftedCopy200524.exeBLdraftedCopy200524.exe

description	pid	process	target process
PID 2552 set thread context of 2864	2552	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 2864 set thread context of 2924	2864	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 2864 set thread context of 2952	2864	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 2864 set thread context of 2996	2864	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

BLdraftedCopy200524.exe

pid process

2924 BLdraftedCopy200524.exe
2924 BLdraftedCopy200524.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

BLdraftedCopy200524.exeBLdraftedCopy200524.exe

pid process

2552 BLdraftedCopy200524.exe
2864 BLdraftedCopy200524.exe
2864 BLdraftedCopy200524.exe
2864 BLdraftedCopy200524.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

BLdraftedCopy200524.exe

description pid process

Token: SeDebugPrivilege 2996 BLdraftedCopy200524.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

BLdraftedCopy200524.exeBLdraftedCopy200524.exe

description	pid	process	target process
PID 2552 wrote to memory of 2864	2552	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 2552 wrote to memory of 2864	2552	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 2552 wrote to memory of 2864	2552	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 2552 wrote to memory of 2864	2552	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 2552 wrote to memory of 2864	2552	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 2552 wrote to memory of 2864	2552	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 2864 wrote to memory of 2924	2864	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 2864 wrote to memory of 2924	2864	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 2864 wrote to memory of 2924	2864	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 2864 wrote to memory of 2924	2864	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 2864 wrote to memory of 2952	2864	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 2864 wrote to memory of 2952	2864	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 2864 wrote to memory of 2952	2864	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 2864 wrote to memory of 2952	2864	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 2864 wrote to memory of 2996	2864	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 2864 wrote to memory of 2996	2864	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 2864 wrote to memory of 2996	2864	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 2864 wrote to memory of 2996	2864	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe

C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe
"C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2552

C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe
"C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe"
2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2864

C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe
C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe /stext "C:\Users\Admin\AppData\Local\Temp\apfsivigjwfeixqarx"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2924

C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe
C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe /stext "C:\Users\Admin\AppData\Local\Temp\kjlcjnshxfxrslnejhsgo"
3⤵
- Accesses Microsoft Outlook accounts
PID:2952

C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe
C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe /stext "C:\Users\Admin\AppData\Local\Temp\ndyvkgdblnpvvrbissmzzqjfe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\apfsivigjwfeixqarx
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Krydsrevisionernes.lnk
Filesize
922B

MD5
082597d04652fb48cf5cd634e44750a3

SHA1
e8496ac7314800233a67e099741a65f25471a283

SHA256
91746ebea171bc277445841c213f19c0de4baae3e7af50b1a5132ac7ec562cac

SHA512
a3b745a894c41b32d5993b93ef3a954253d4ffa54dcee54a4f3f0d261eb89407fdf868aad6b10db3fcdc3d4ce00def7713b1aabcdb9f5662918ff3c4d49859a7

Download Submit
\Users\Admin\AppData\Local\Temp\nso3709.tmp\BgImage.dll
Filesize
7KB

MD5
9436196007f65f0ae96f64b1c8b2572e

SHA1
4b004b5c2865c9450876be83faa8cc96e1d12c01

SHA256
286f246ee18bf91c4a80fa2cdb61077a4bcf0a3fd6582be4b4ab6a5cb3de44c9

SHA512
5c172675fbbea214471ac35eebaa6ab9bd1306268144085adbad3bba4a815430ed028cac169e8b5a6fd00818684f65d7bdd32f11773bc6152e62ef80f895d35e

Download Submit
\Users\Admin\AppData\Local\Temp\nso3709.tmp\System.dll
Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
\Users\Admin\AppData\Local\Temp\nso3709.tmp\nsDialogs.dll
Filesize
9KB

MD5
82c3f38cd34739872af07443c65d0bd8

SHA1
1f4ee2d394404a291eda6419f856adaf4b960237

SHA256
59cdb2c12d5635fd25af4007b70222507948be41fa9885b7f07967c2510a5311

SHA512
3a81c0613b1ea906ad4f103b02620217de69a8676dbb7ec41cf31f342a0a74562815a8d4f2efe9866fc16365f58524ac71652e99920acea355f020028775743d

Download Submit
memory/2552-48-0x0000000077131000-0x0000000077232000-memory.dmp

Filesize
1.0MB

Download
memory/2552-49-0x0000000077130000-0x00000000772D9000-memory.dmp

Filesize
1.7MB

Download
memory/2864-95-0x0000000000490000-0x00000000014F2000-memory.dmp

Filesize
16.4MB

Download
memory/2864-91-0x0000000000490000-0x00000000014F2000-memory.dmp

Filesize
16.4MB

Download
memory/2864-96-0x0000000000490000-0x00000000014F2000-memory.dmp

Filesize
16.4MB

Download
memory/2864-51-0x0000000000490000-0x00000000014F2000-memory.dmp

Filesize
16.4MB

Download
memory/2864-100-0x0000000000490000-0x00000000014F2000-memory.dmp

Filesize
16.4MB

Download
memory/2864-50-0x0000000077130000-0x00000000772D9000-memory.dmp

Filesize
1.7MB

Download
memory/2864-94-0x0000000000490000-0x00000000014F2000-memory.dmp

Filesize
16.4MB

Download
memory/2864-93-0x0000000000490000-0x00000000014F2000-memory.dmp

Filesize
16.4MB

Download
memory/2864-92-0x0000000000490000-0x00000000014F2000-memory.dmp

Filesize
16.4MB

Download
memory/2864-53-0x0000000000490000-0x00000000014F2000-memory.dmp

Filesize
16.4MB

Download
memory/2864-90-0x0000000000490000-0x00000000014F2000-memory.dmp

Filesize
16.4MB

Download
memory/2864-86-0x0000000035C00000-0x0000000035C19000-memory.dmp

Filesize
100KB

Download
memory/2864-87-0x0000000035C00000-0x0000000035C19000-memory.dmp

Filesize
100KB

Download
memory/2864-99-0x0000000000490000-0x00000000014F2000-memory.dmp

Filesize
16.4MB

Download
memory/2864-98-0x0000000000490000-0x00000000014F2000-memory.dmp

Filesize
16.4MB

Download
memory/2864-97-0x0000000000490000-0x00000000014F2000-memory.dmp

Filesize
16.4MB

Download
memory/2864-83-0x0000000035C00000-0x0000000035C19000-memory.dmp

Filesize
100KB

Download
memory/2864-82-0x0000000000490000-0x00000000014F2000-memory.dmp

Filesize
16.4MB

Download
memory/2924-57-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2924-79-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2924-60-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2924-61-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2924-67-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2924-68-0x0000000077130000-0x00000000772D9000-memory.dmp

Filesize
1.7MB

Download
memory/2952-72-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2952-88-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2952-62-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2952-64-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2952-69-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2952-71-0x0000000077130000-0x00000000772D9000-memory.dmp

Filesize
1.7MB

Download
memory/2996-66-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2996-73-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2996-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2996-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2996-70-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download