remcos | 6c293ea8f03820bb8aa0a32d819fe52f278a11edba5d8ca640da6dcec3aadb71

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 21:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe
Size

8.4MB
MD5

7012be602b08edfbf8ba9bbb0a78b590
SHA1

3fb04fe68adc3a466d915a5ada209c4cb9baa09b
SHA256

6c293ea8f03820bb8aa0a32d819fe52f278a11edba5d8ca640da6dcec3aadb71
SHA512

3c47cceba6759001afcbbf569c05c0c429296cc8bb460e68950bf46b32ceb261fd3b4846445e94e8106a95e27dd7966f9a6356489eec6f38313a72b2c55c02ac
SSDEEP

98304:5XbEhsqluBejQWFdSJ1y334JjlC5EsR9NjzdCH7W4U6IHTzIU2WDFTy0+lI:lWd9aJjlC5EsR9NHdCH7LU6SwlI

Score

10^/10

remcos rembin collection persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemBin

maxlogs.webhop.me:1645

newnex.3utilities.com:5187

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remc.exe
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remc
mouse_option
false
mutex
Rmc-6UOSGH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4076-59-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/2264-58-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

resource	yara_rule
behavioral2/memory/2292-62-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4076-59-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2264-58-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
4904	svchost.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4904 set thread context of 2940	4904	svchost.exe	98
PID 2940 set thread context of 2264	2940	svchost.exe	103
PID 2940 set thread context of 4076	2940	svchost.exe	104
PID 2940 set thread context of 2292	2940	svchost.exe	105

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4936	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2688	timeout.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe
3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe
3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe
3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe
3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe
3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe
3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe
3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe
3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe
3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe
3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe
3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe
3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe
3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe
3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe
3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe
3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe
3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe
3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe
3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe
3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe
3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe
3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe
2264	svchost.exe
2264	svchost.exe
2292	svchost.exe
2292	svchost.exe
2264	svchost.exe
2264	svchost.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2940	svchost.exe
2940	svchost.exe
2940	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe
Token: SeDebugPrivilege	4904	svchost.exe
Token: SeDebugPrivilege	2292	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2940	svchost.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 2352	3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe	87
PID 3156 wrote to memory of 2352	3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe	87
PID 3156 wrote to memory of 2352	3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe	87
PID 3156 wrote to memory of 3452	3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe	89
PID 3156 wrote to memory of 3452	3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe	89
PID 3156 wrote to memory of 3452	3156	7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe	89
PID 3452 wrote to memory of 2688	3452	cmd.exe	91
PID 3452 wrote to memory of 2688	3452	cmd.exe	91
PID 3452 wrote to memory of 2688	3452	cmd.exe	91
PID 2352 wrote to memory of 4936	2352	cmd.exe	92
PID 2352 wrote to memory of 4936	2352	cmd.exe	92
PID 2352 wrote to memory of 4936	2352	cmd.exe	92
PID 3452 wrote to memory of 4904	3452	cmd.exe	95
PID 3452 wrote to memory of 4904	3452	cmd.exe	95
PID 3452 wrote to memory of 4904	3452	cmd.exe	95
PID 4904 wrote to memory of 2940	4904	svchost.exe	98
PID 4904 wrote to memory of 2940	4904	svchost.exe	98
PID 4904 wrote to memory of 2940	4904	svchost.exe	98
PID 4904 wrote to memory of 2940	4904	svchost.exe	98
PID 4904 wrote to memory of 2940	4904	svchost.exe	98
PID 4904 wrote to memory of 2940	4904	svchost.exe	98
PID 4904 wrote to memory of 2940	4904	svchost.exe	98
PID 4904 wrote to memory of 2940	4904	svchost.exe	98
PID 4904 wrote to memory of 2940	4904	svchost.exe	98
PID 4904 wrote to memory of 2940	4904	svchost.exe	98
PID 4904 wrote to memory of 2940	4904	svchost.exe	98
PID 4904 wrote to memory of 2940	4904	svchost.exe	98
PID 2940 wrote to memory of 2264	2940	svchost.exe	103
PID 2940 wrote to memory of 2264	2940	svchost.exe	103
PID 2940 wrote to memory of 2264	2940	svchost.exe	103
PID 2940 wrote to memory of 2264	2940	svchost.exe	103
PID 2940 wrote to memory of 4076	2940	svchost.exe	104
PID 2940 wrote to memory of 4076	2940	svchost.exe	104
PID 2940 wrote to memory of 4076	2940	svchost.exe	104
PID 2940 wrote to memory of 4076	2940	svchost.exe	104
PID 2940 wrote to memory of 2292	2940	svchost.exe	105
PID 2940 wrote to memory of 2292	2940	svchost.exe	105
PID 2940 wrote to memory of 2292	2940	svchost.exe	105
PID 2940 wrote to memory of 2292	2940	svchost.exe	105

C:\Users\Admin\AppData\Local\Temp\7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7012be602b08edfbf8ba9bbb0a78b590_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:4936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7D8C.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2688
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\System32\svchost.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\dnlazs"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2264
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\oiqlalqgh"
        5⤵
        Accesses Microsoft Outlook accounts
        
        PID:4076
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\ykddbdaivpyiw"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remc\logs.dat

Filesize
144B

MD5
92a781a0fd51bb2626610d588a689c85

SHA1
33f035a5f4fbc7f54de363230c7323150aade394

SHA256
058655110df9002269537997a9fa5c189f1d09dfb51030fbf76785d6b2927120

SHA512
1962251c0c2760adcf3123858b83528ff6d53341801f9af0fdae6f0296cb82d7b6f5fa4704bdc97f5405316f78e3195091812b94c505b41618b1014765a8ce58

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnlazs

Filesize
4KB

MD5
365f45018b7bcc98591979d6c4b23752

SHA1
073aff125450845105f5daa7d0e7cc24ee8bbca5

SHA256
27be905cdbf87c23851d00d61afd5fcfe5c72b1de227ac7d8c0dc5c7583c9a6e

SHA512
4bd0d2266c624b9ad40e9ba6cb4d63debd12f46f5c27afae3bfc20e3e7f5e9f9c88f83151166324223c5889034a4d70652cf747f6943af011191c64c28e18703

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7D8C.tmp.bat

Filesize
151B

MD5
7de370f16f40de329bc63f7dab01f094

SHA1
624d6c78195d755ef381e1b76ed7d7e387497956

SHA256
8245610c69e3ea4f3301e9df2eec6e19afe3b6b26666ab95390dd9b4c23dfd0a

SHA512
3a6e52e72ebabc63138065fcda67d3af951619ddcb3698d0f8741644136260cc4ed4a599fb387b70a301df350a9e21a57ab13778eccec21d4ba9fed961d86262

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
8.4MB

MD5
7012be602b08edfbf8ba9bbb0a78b590

SHA1
3fb04fe68adc3a466d915a5ada209c4cb9baa09b

SHA256
6c293ea8f03820bb8aa0a32d819fe52f278a11edba5d8ca640da6dcec3aadb71

SHA512
3c47cceba6759001afcbbf569c05c0c429296cc8bb460e68950bf46b32ceb261fd3b4846445e94e8106a95e27dd7966f9a6356489eec6f38313a72b2c55c02ac

Download Submit
memory/2264-58-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2264-56-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2264-54-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2292-61-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2292-60-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2292-62-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-38-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2940-42-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2940-98-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2940-19-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2940-20-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2940-24-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2940-21-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2940-97-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2940-26-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2940-31-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2940-32-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2940-90-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2940-34-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2940-35-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2940-37-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2940-36-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2940-75-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2940-81-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2940-43-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2940-74-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2940-73-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2940-70-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2940-67-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2940-66-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2940-82-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2940-89-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3156-3-0x0000000006080000-0x0000000006624000-memory.dmp

Filesize
5.6MB

Download
memory/3156-2-0x0000000005A50000-0x0000000005AC6000-memory.dmp

Filesize
472KB

Download
memory/3156-4-0x0000000005B70000-0x0000000005C02000-memory.dmp

Filesize
584KB

Download
memory/3156-5-0x0000000005AD0000-0x0000000005AEE000-memory.dmp

Filesize
120KB

Download
memory/3156-6-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/3156-1-0x0000000000800000-0x0000000001062000-memory.dmp

Filesize
8.4MB

Download
memory/3156-13-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/3156-7-0x0000000005C80000-0x0000000005D72000-memory.dmp

Filesize
968KB

Download
memory/3156-8-0x0000000005ED0000-0x0000000005EEA000-memory.dmp

Filesize
104KB

Download
memory/3156-0-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/4076-57-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4076-55-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4076-59-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4904-33-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/4904-25-0x0000000006170000-0x000000000617A000-memory.dmp

Filesize
40KB

Download
memory/4904-18-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download