remcos | 560b3bba2f6d3e74b1901904c7ea9e7c61f94c754e648cb6503abaa233d7c485

Analysis

max time kernel
148s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
Size

349KB
MD5

c5568321b40f1d51afac49234d2de480
SHA1

c5169e1d05419bb698b86704ae8f3cbe7011d42e
SHA256

560b3bba2f6d3e74b1901904c7ea9e7c61f94c754e648cb6503abaa233d7c485
SHA512

f15d0141a89e1a6d89b030d10f2e7e60efbf5d2b21a905335f6ba79de8908796bfd4df928f398e984e06a86d3023cde783690843871f222432677dd5a848674e
SSDEEP

6144:wQ606xhLK0o+/zqdPCb3m2aOmjpygIb20PM+Drhvnv/6:wK0bqdM2EVbv3hvnH6

Score

10^/10

remcos client collection persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

CLIENT

107.150.18.202:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-J3QQTH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/1012-77-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/1012-75-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/1012-76-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/964-67-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/964-74-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/964-86-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/964-67-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1012-77-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2848-82-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2848-83-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2848-81-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/1012-75-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/964-74-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1012-76-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/964-86-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Loads dropped DLL 3 IoCs

Processes:

c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe

pid	process
2996	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
2996	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
2996	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Jansenize = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Hydrometeorological\\Fedayeen.exe"	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe

pid process

1632 c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exec5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe

pid process

2996 c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
1632 c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe

pid	process
1632	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exec5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe

description	pid	process	target process
PID 2996 set thread context of 1632	2996	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
PID 1632 set thread context of 964	1632	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
PID 1632 set thread context of 1012	1632	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
PID 1632 set thread context of 2848	1632	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exec5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe

pid	process
964	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
964	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
2848	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
2848	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
964	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
964	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exec5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe

pid	process
2996	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
1632	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
1632	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
1632	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2848 c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	2848	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exec5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe

description	pid	process	target process
PID 2996 wrote to memory of 1632	2996	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
PID 2996 wrote to memory of 1632	2996	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
PID 2996 wrote to memory of 1632	2996	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
PID 2996 wrote to memory of 1632	2996	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
PID 2996 wrote to memory of 1632	2996	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
PID 1632 wrote to memory of 964	1632	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
PID 1632 wrote to memory of 964	1632	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
PID 1632 wrote to memory of 964	1632	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
PID 1632 wrote to memory of 1012	1632	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
PID 1632 wrote to memory of 1012	1632	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
PID 1632 wrote to memory of 1012	1632	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
PID 1632 wrote to memory of 2848	1632	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
PID 1632 wrote to memory of 2848	1632	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
PID 1632 wrote to memory of 2848	1632	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe	c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2996

C:\Users\Admin\AppData\Local\Temp\c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe"
2⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe /stext "C:\Users\Admin\AppData\Local\Temp\guopcalzgv"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:964

C:\Users\Admin\AppData\Local\Temp\c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe /stext "C:\Users\Admin\AppData\Local\Temp\iotzdtvbudbpu"
3⤵
- Accesses Microsoft Outlook accounts
PID:1012

C:\Users\Admin\AppData\Local\Temp\c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe /stext "C:\Users\Admin\AppData\Local\Temp\sqzsdlguiltcwnxt"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\guopcalzgv
Filesize
4KB

MD5
73ddf6cd83c2ad8a2fbb2383e322ffbc

SHA1
05270f8bb7b5cc6ab9a61ae7453d047379089147

SHA256
0ef9194c6e90b23c416316fc5a15f549ee5b2472014fcd7648d72ca9a865b409

SHA512
714db1956faa795005b15324b9604105881d6b484fe899876fe0df85783c61a72f556a875833af8625625212503b95eea2eb353a1d98f6a7af47a3658ea5262d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso5E4D.tmp\BgImage.dll
Filesize
7KB

MD5
9436196007f65f0ae96f64b1c8b2572e

SHA1
4b004b5c2865c9450876be83faa8cc96e1d12c01

SHA256
286f246ee18bf91c4a80fa2cdb61077a4bcf0a3fd6582be4b4ab6a5cb3de44c9

SHA512
5c172675fbbea214471ac35eebaa6ab9bd1306268144085adbad3bba4a815430ed028cac169e8b5a6fd00818684f65d7bdd32f11773bc6152e62ef80f895d35e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso5E4D.tmp\System.dll
Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso5E4D.tmp\nsDialogs.dll
Filesize
9KB

MD5
82c3f38cd34739872af07443c65d0bd8

SHA1
1f4ee2d394404a291eda6419f856adaf4b960237

SHA256
59cdb2c12d5635fd25af4007b70222507948be41fa9885b7f07967c2510a5311

SHA512
3a81c0613b1ea906ad4f103b02620217de69a8676dbb7ec41cf31f342a0a74562815a8d4f2efe9866fc16365f58524ac71652e99920acea355f020028775743d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Krydsrevisionernes.lnk
Filesize
910B

MD5
326c97e1c8c3663e11fbef2b37dee359

SHA1
3de28e6e6776a2bb236104be1176200e773feb5f

SHA256
9a21ed03552d1c04535b8889dbcd1bf8f8ecc753be41ba183881060dfd143346

SHA512
ed0ff2515ef034e0020eca45c0a0129513a30e662a1afa03e730c6ee2a9f87265751f8e6f958ecbb9b87f428ff0ac7ccb2f398b26cd4a90b1dfa09ca4336b220

Download Submit
memory/964-86-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/964-66-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/964-74-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/964-64-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/964-67-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1012-76-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1012-68-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1012-77-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1012-69-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1012-75-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1632-56-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/1632-48-0x0000000077741000-0x0000000077861000-memory.dmp

Filesize
1.1MB

Download
memory/1632-98-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/1632-97-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/1632-96-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/1632-95-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/1632-63-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/1632-62-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/1632-73-0x0000000077741000-0x0000000077861000-memory.dmp

Filesize
1.1MB

Download
memory/1632-60-0x0000000077741000-0x0000000077861000-memory.dmp

Filesize
1.1MB

Download
memory/1632-50-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/1632-94-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/1632-47-0x00000000777C8000-0x00000000777C9000-memory.dmp

Filesize
4KB

Download
memory/1632-92-0x0000000037490000-0x00000000374A9000-memory.dmp

Filesize
100KB

Download
memory/1632-89-0x0000000037490000-0x00000000374A9000-memory.dmp

Filesize
100KB

Download
memory/1632-93-0x0000000037490000-0x00000000374A9000-memory.dmp

Filesize
100KB

Download
memory/2848-79-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2848-81-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2848-83-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2848-82-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2848-80-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2996-46-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/2996-45-0x0000000077741000-0x0000000077861000-memory.dmp

Filesize
1.1MB

Download