Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
24-05-2024 13:21
General
-
Target
61fc662a678c75e1f17ee6bb00ef853c6d51bd4ae90616c8ed4995c45e96206d.exe
-
Size
1.3MB
-
MD5
a55159c7edc073d452e4fef92d247997
-
SHA1
d239b25b2a33a64134f11d2d2ac5c7a89e186a29
-
SHA256
61fc662a678c75e1f17ee6bb00ef853c6d51bd4ae90616c8ed4995c45e96206d
-
SHA512
5189f51ce0f90a71e86e53ea23d564d796536c45db8c8f4a11e75947bb4fc0d2489c83899e4a8e8b81504007ccad7a05dc8ac02b0d47a52ea565396a27c5e8b3
-
SSDEEP
24576:AP+g7Wy3xfMZKdcKtTjbJ4jEEEEEEEEEEEEEEEEEEEETKKKKKKKKKKKKKKKKKKK7:A/iy3g6TjbIEEEEEEEEEEEEEEEEEEEE+
Malware Config
Extracted
remcos
FmGlobal
royaldachpharmacy.duckdns.org:6395
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
services.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-GRT17F
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
-
Nirsoft 8 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\61fc662a678c75e1f17ee6bb00ef853c6d51bd4ae90616c8ed4995c45e96206d.exe"C:\Users\Admin\AppData\Local\Temp\61fc662a678c75e1f17ee6bb00ef853c6d51bd4ae90616c8ed4995c45e96206d.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\extrac32.exeC:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\61fc662a678c75e1f17ee6bb00ef853c6d51bd4ae90616c8ed4995c45e96206d.exe C:\\Users\\Public\\Libraries\\Eoosrcxm.PIF2⤵
-
C:\ProgramData\Remcos\services.exe"C:\ProgramData\Remcos\services.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Remcos\services.exeC:\ProgramData\Remcos\services.exe /stext "C:\Users\Admin\AppData\Local\Temp\vwheepligjftp"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\Remcos\services.exeC:\ProgramData\Remcos\services.exe /stext "C:\Users\Admin\AppData\Local\Temp\xynwfivcurxyzlar"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
-
C:\ProgramData\Remcos\services.exeC:\ProgramData\Remcos\services.exe /stext "C:\Users\Admin\AppData\Local\Temp\hsspgageizplbzxdyow"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD518c11471be9a13928ab28361c0097f8d
SHA1514bdc27acb7f1536ed0a15d6116a273da4bc36b
SHA256f1ee777dcbc352b3c65fdcd075c3e016730e7bffd11f5b18e0b0121647b33ab0
SHA512a028e7d2eb893652a1c8a37dcca6502040576c73f549d8580932722690fa7abb4616d2f680f7326245a48832bb1de01365835ed50edccdc1dcfcaefca2ddf89e
-
Filesize
1.3MB
MD5a55159c7edc073d452e4fef92d247997
SHA1d239b25b2a33a64134f11d2d2ac5c7a89e186a29
SHA25661fc662a678c75e1f17ee6bb00ef853c6d51bd4ae90616c8ed4995c45e96206d
SHA5125189f51ce0f90a71e86e53ea23d564d796536c45db8c8f4a11e75947bb4fc0d2489c83899e4a8e8b81504007ccad7a05dc8ac02b0d47a52ea565396a27c5e8b3
-
Filesize
4KB
MD58651f1ecc401fe73c45d06863467d144
SHA10150ba4649afe382ae1705552473bba7beb990f4
SHA25651827e101e890667e6d9b8aa7b804d56b53cadc110b5b8b834229788c29a65e8
SHA512c0b371d9080c0e82adae100a9400bb7bd239cfe243c072dde0f9310524b92d16a10db9117403d8af227cef9def552dba7c04da3b3bd46a88836acc071cb9890f
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
1.4MB
-
Filesize
4KB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
804KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
4KB
-
Filesize
1.4MB