remcos | 274086842325654e8c2e2f756629b4fc3532d2b54cbcea3ab207b23782fa56a7 | Triage

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 08:26

Sharing

Report Analysis Logs

General

Target

BLdraftedCopy200524.exe
Size

472KB
MD5

04b8fc8f6182aa25305b19c0917aa7d7
SHA1

fcf7d768cb6ba5067723b694984fd20b8e0a079a
SHA256

f08569862f95f332a676932f77eed6f4321c1e6bf3f24a6f3398dc6608ca8353
SHA512

0118012b0eb44b91037b8a31fb5fd3fc55042d9009756badf221d9c24943e294521688cc90c47285ecd11d165a8c6b6bf4bcf6675d0412e2c385346e8cc53811
SSDEEP

12288:vi3hR5SANo8/O2zaKBtD1sJG9GIzwmG5hvnHQ:K3hv5j/zbDmskwwm+dQ

Score

10^/10

remcos remotehost collection rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

64.188.27.90:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-COHIYL
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/836-72-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/836-63-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/2900-73-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/2900-70-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/2900-62-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/2900-80-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4404-74-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2900-73-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/4404-78-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4404-71-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2900-70-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/2900-62-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/836-72-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/836-63-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2900-80-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Loads dropped DLL 3 IoCs

Processes:

BLdraftedCopy200524.exe

pid process

5048 BLdraftedCopy200524.exe
5048 BLdraftedCopy200524.exe
5048 BLdraftedCopy200524.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

Email Collection

Processes:

BLdraftedCopy200524.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	BLdraftedCopy200524.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

BLdraftedCopy200524.exe

pid process

1432 BLdraftedCopy200524.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

BLdraftedCopy200524.exeBLdraftedCopy200524.exe

pid process

5048 BLdraftedCopy200524.exe
1432 BLdraftedCopy200524.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

BLdraftedCopy200524.exeBLdraftedCopy200524.exe

description	pid	process	target process
PID 5048 set thread context of 1432	5048	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 1432 set thread context of 2900	1432	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 1432 set thread context of 836	1432	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 1432 set thread context of 4404	1432	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

BLdraftedCopy200524.exeBLdraftedCopy200524.exe

pid	process
2900	BLdraftedCopy200524.exe
2900	BLdraftedCopy200524.exe
4404	BLdraftedCopy200524.exe
4404	BLdraftedCopy200524.exe
2900	BLdraftedCopy200524.exe
2900	BLdraftedCopy200524.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

BLdraftedCopy200524.exeBLdraftedCopy200524.exe

pid process

5048 BLdraftedCopy200524.exe
1432 BLdraftedCopy200524.exe
1432 BLdraftedCopy200524.exe
1432 BLdraftedCopy200524.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

BLdraftedCopy200524.exe

description pid process

Token: SeDebugPrivilege 4404 BLdraftedCopy200524.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

BLdraftedCopy200524.exeBLdraftedCopy200524.exe

description	pid	process	target process
PID 5048 wrote to memory of 1432	5048	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 5048 wrote to memory of 1432	5048	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 5048 wrote to memory of 1432	5048	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 5048 wrote to memory of 1432	5048	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 5048 wrote to memory of 1432	5048	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 1432 wrote to memory of 2900	1432	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 1432 wrote to memory of 2900	1432	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 1432 wrote to memory of 2900	1432	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 1432 wrote to memory of 836	1432	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 1432 wrote to memory of 836	1432	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 1432 wrote to memory of 836	1432	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 1432 wrote to memory of 4404	1432	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 1432 wrote to memory of 4404	1432	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 1432 wrote to memory of 4404	1432	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe

C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe
"C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5048

C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe
"C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe"
2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1432

C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe
C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe /stext "C:\Users\Admin\AppData\Local\Temp\rdxaaakzeimeowul"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2900

C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe
C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe /stext "C:\Users\Admin\AppData\Local\Temp\bfdtatvtsqerzcqpksp"
3⤵
- Accesses Microsoft Outlook accounts
PID:836

C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe
C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe /stext "C:\Users\Admin\AppData\Local\Temp\mzqdblfvgyowbiebbdbvaiv"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsx80AA.tmp\BgImage.dll
Filesize
7KB

MD5
9436196007f65f0ae96f64b1c8b2572e

SHA1
4b004b5c2865c9450876be83faa8cc96e1d12c01

SHA256
286f246ee18bf91c4a80fa2cdb61077a4bcf0a3fd6582be4b4ab6a5cb3de44c9

SHA512
5c172675fbbea214471ac35eebaa6ab9bd1306268144085adbad3bba4a815430ed028cac169e8b5a6fd00818684f65d7bdd32f11773bc6152e62ef80f895d35e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx80AA.tmp\System.dll
Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx80AA.tmp\nsDialogs.dll
Filesize
9KB

MD5
82c3f38cd34739872af07443c65d0bd8

SHA1
1f4ee2d394404a291eda6419f856adaf4b960237

SHA256
59cdb2c12d5635fd25af4007b70222507948be41fa9885b7f07967c2510a5311

SHA512
3a81c0613b1ea906ad4f103b02620217de69a8676dbb7ec41cf31f342a0a74562815a8d4f2efe9866fc16365f58524ac71652e99920acea355f020028775743d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdxaaakzeimeowul
Filesize
4KB

MD5
365f45018b7bcc98591979d6c4b23752

SHA1
073aff125450845105f5daa7d0e7cc24ee8bbca5

SHA256
27be905cdbf87c23851d00d61afd5fcfe5c72b1de227ac7d8c0dc5c7583c9a6e

SHA512
4bd0d2266c624b9ad40e9ba6cb4d63debd12f46f5c27afae3bfc20e3e7f5e9f9c88f83151166324223c5889034a4d70652cf747f6943af011191c64c28e18703

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Krydsrevisionernes.lnk
Filesize
938B

MD5
c5ec4795b57d751ecd916b6389accf0a

SHA1
33bbd2dcc6657fa259f01722cb69252e1c5f2723

SHA256
ca7bec08c85c00ba25a5fb1bd75fd99d744af6916ffd6267731dbe9f525132e6

SHA512
5a72b32261facb786168a173b362a6649f8311fdb22c040943c91c26d5618cdf593479284e945f7ab020edee6d699c11aefc9f185b5633f7ab4ded82f0d3eabb

Download Submit
memory/836-63-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/836-58-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/836-72-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/836-61-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1432-55-0x0000000000490000-0x00000000016E4000-memory.dmp

Filesize
18.3MB

Download
memory/1432-92-0x0000000000490000-0x00000000016E4000-memory.dmp

Filesize
18.3MB

Download
memory/1432-100-0x0000000000490000-0x00000000016E4000-memory.dmp

Filesize
18.3MB

Download
memory/1432-98-0x0000000000490000-0x00000000016E4000-memory.dmp

Filesize
18.3MB

Download
memory/1432-97-0x0000000000490000-0x00000000016E4000-memory.dmp

Filesize
18.3MB

Download
memory/1432-96-0x0000000000490000-0x00000000016E4000-memory.dmp

Filesize
18.3MB

Download
memory/1432-95-0x0000000000490000-0x00000000016E4000-memory.dmp

Filesize
18.3MB

Download
memory/1432-94-0x0000000000490000-0x00000000016E4000-memory.dmp

Filesize
18.3MB

Download
memory/1432-93-0x0000000000490000-0x00000000016E4000-memory.dmp

Filesize
18.3MB

Download
memory/1432-53-0x0000000076EB1000-0x0000000076FD1000-memory.dmp

Filesize
1.1MB

Download
memory/1432-49-0x0000000000490000-0x00000000016E4000-memory.dmp

Filesize
18.3MB

Download
memory/1432-48-0x0000000076F55000-0x0000000076F56000-memory.dmp

Filesize
4KB

Download
memory/1432-47-0x0000000076F38000-0x0000000076F39000-memory.dmp

Filesize
4KB

Download
memory/1432-91-0x0000000000490000-0x00000000016E4000-memory.dmp

Filesize
18.3MB

Download
memory/1432-90-0x0000000000490000-0x00000000016E4000-memory.dmp

Filesize
18.3MB

Download
memory/1432-89-0x0000000076EB1000-0x0000000076FD1000-memory.dmp

Filesize
1.1MB

Download
memory/1432-88-0x0000000000490000-0x00000000016E4000-memory.dmp

Filesize
18.3MB

Download
memory/1432-87-0x0000000036EE0000-0x0000000036EF9000-memory.dmp

Filesize
100KB

Download
memory/1432-86-0x0000000036EE0000-0x0000000036EF9000-memory.dmp

Filesize
100KB

Download
memory/1432-83-0x0000000036EE0000-0x0000000036EF9000-memory.dmp

Filesize
100KB

Download
memory/2900-70-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2900-80-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2900-56-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2900-60-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2900-73-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2900-62-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4404-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4404-66-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4404-71-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4404-78-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4404-74-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5048-45-0x0000000076EB1000-0x0000000076FD1000-memory.dmp

Filesize
1.1MB

Download
memory/5048-46-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download