remcos | c362c9041673c2475a3aecfa463941fde1935d452a5489a6f2a6a997053c92cf

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JY-PCB-240109A-3.exe
Size

21KB
MD5

e05b80c579472d630f481820526c75f5
SHA1

7dca7c4bda5302e67ec87073b040ede2be781a6a
SHA256

2e410769ac9f0e71df08fda7115ccc473815a0f200a19059972d2c7b6190af4f
SHA512

c2b2e567713e3c712a6611a1255270e6695b26e136c80428860fe86a46e9eab5e589085c7bcc5213e0218a67e99949efaf5109fed2975668e8ecf87d11612feb
SSDEEP

384:ilFLVGZkhqIg8hR2GZsHEuymVr3JmJZzyF/O7v6qEfTivVqsSqncKxXFY:iTiYxBu93JmvyqEfuNqUcKxXFY

Score

10^/10

remcos remotehost agilenet collection persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

45.133.116.123:63650

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-3BFGTU
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/2084-36-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/2844-40-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/2844-35-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/2844-45-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 5 IoCs

resource	yara_rule
behavioral2/memory/5728-39-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2844-40-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/2084-36-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2844-35-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/2844-45-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/3104-7-0x00000000063C0000-0x0000000006442000-memory.dmp	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	JY-PCB-240109A-3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JY-PCB-240109A-3 = "C:\\Users\\Admin\\Documents\\JY-PCB-240109A-3.pif"	reg.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3104 set thread context of 2772	3104	JY-PCB-240109A-3.exe	95
PID 2772 set thread context of 2844	2772	JY-PCB-240109A-3.exe	98
PID 2772 set thread context of 2084	2772	JY-PCB-240109A-3.exe	100
PID 2772 set thread context of 5728	2772	JY-PCB-240109A-3.exe	101

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
2844	JY-PCB-240109A-3.exe
2844	JY-PCB-240109A-3.exe
5728	JY-PCB-240109A-3.exe
5728	JY-PCB-240109A-3.exe
2844	JY-PCB-240109A-3.exe
2844	JY-PCB-240109A-3.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2772	JY-PCB-240109A-3.exe
2772	JY-PCB-240109A-3.exe
2772	JY-PCB-240109A-3.exe
2772	JY-PCB-240109A-3.exe
2772	JY-PCB-240109A-3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3104	JY-PCB-240109A-3.exe
Token: SeDebugPrivilege	5728	JY-PCB-240109A-3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2772	JY-PCB-240109A-3.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 4056	3104	JY-PCB-240109A-3.exe	88
PID 3104 wrote to memory of 4056	3104	JY-PCB-240109A-3.exe	88
PID 3104 wrote to memory of 4056	3104	JY-PCB-240109A-3.exe	88
PID 4056 wrote to memory of 3100	4056	cmd.exe	90
PID 4056 wrote to memory of 3100	4056	cmd.exe	90
PID 4056 wrote to memory of 3100	4056	cmd.exe	90
PID 3104 wrote to memory of 1756	3104	JY-PCB-240109A-3.exe	93
PID 3104 wrote to memory of 1756	3104	JY-PCB-240109A-3.exe	93
PID 3104 wrote to memory of 1756	3104	JY-PCB-240109A-3.exe	93
PID 3104 wrote to memory of 2772	3104	JY-PCB-240109A-3.exe	95
PID 3104 wrote to memory of 2772	3104	JY-PCB-240109A-3.exe	95
PID 3104 wrote to memory of 2772	3104	JY-PCB-240109A-3.exe	95
PID 3104 wrote to memory of 2772	3104	JY-PCB-240109A-3.exe	95
PID 3104 wrote to memory of 2772	3104	JY-PCB-240109A-3.exe	95
PID 3104 wrote to memory of 2772	3104	JY-PCB-240109A-3.exe	95
PID 3104 wrote to memory of 2772	3104	JY-PCB-240109A-3.exe	95
PID 3104 wrote to memory of 2772	3104	JY-PCB-240109A-3.exe	95
PID 3104 wrote to memory of 2772	3104	JY-PCB-240109A-3.exe	95
PID 3104 wrote to memory of 2772	3104	JY-PCB-240109A-3.exe	95
PID 3104 wrote to memory of 2772	3104	JY-PCB-240109A-3.exe	95
PID 3104 wrote to memory of 2772	3104	JY-PCB-240109A-3.exe	95
PID 2772 wrote to memory of 5444	2772	JY-PCB-240109A-3.exe	97
PID 2772 wrote to memory of 5444	2772	JY-PCB-240109A-3.exe	97
PID 2772 wrote to memory of 5444	2772	JY-PCB-240109A-3.exe	97
PID 2772 wrote to memory of 2844	2772	JY-PCB-240109A-3.exe	98
PID 2772 wrote to memory of 2844	2772	JY-PCB-240109A-3.exe	98
PID 2772 wrote to memory of 2844	2772	JY-PCB-240109A-3.exe	98
PID 2772 wrote to memory of 2844	2772	JY-PCB-240109A-3.exe	98
PID 2772 wrote to memory of 5528	2772	JY-PCB-240109A-3.exe	99
PID 2772 wrote to memory of 5528	2772	JY-PCB-240109A-3.exe	99
PID 2772 wrote to memory of 5528	2772	JY-PCB-240109A-3.exe	99
PID 2772 wrote to memory of 2084	2772	JY-PCB-240109A-3.exe	100
PID 2772 wrote to memory of 2084	2772	JY-PCB-240109A-3.exe	100
PID 2772 wrote to memory of 2084	2772	JY-PCB-240109A-3.exe	100
PID 2772 wrote to memory of 2084	2772	JY-PCB-240109A-3.exe	100
PID 2772 wrote to memory of 5728	2772	JY-PCB-240109A-3.exe	101
PID 2772 wrote to memory of 5728	2772	JY-PCB-240109A-3.exe	101
PID 2772 wrote to memory of 5728	2772	JY-PCB-240109A-3.exe	101
PID 2772 wrote to memory of 5728	2772	JY-PCB-240109A-3.exe	101

C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe
"C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "JY-PCB-240109A-3" /t REG_SZ /F /D "C:\Users\Admin\Documents\JY-PCB-240109A-3.pif"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "JY-PCB-240109A-3" /t REG_SZ /F /D "C:\Users\Admin\Documents\JY-PCB-240109A-3.pif"
    3⤵
    - Adds Run key to start application
    PID:3100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe" "C:\Users\Admin\Documents\JY-PCB-240109A-3.pif"
  2⤵
  PID:1756
- C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe
  "C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe
    C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe /stext "C:\Users\Admin\AppData\Local\Temp\azpgmsqeedopdrbxxnpwsqgbmbsvbf"
    3⤵
    PID:5444
- - C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe
    C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe /stext "C:\Users\Admin\AppData\Local\Temp\azpgmsqeedopdrbxxnpwsqgbmbsvbf"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2844
- - C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe
    C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe /stext "C:\Users\Admin\AppData\Local\Temp\ltuynkbfalgcgxybgyjydvssuqkdcqzvk"
    3⤵
    PID:5528
- - C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe
    C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe /stext "C:\Users\Admin\AppData\Local\Temp\ltuynkbfalgcgxybgyjydvssuqkdcqzvk"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:2084
- - C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe
    C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe /stext "C:\Users\Admin\AppData\Local\Temp\vvajo"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
2cfb3fc4fa5e0bf23f8dec19d3a3fe38

SHA1
28dded559ed4955ba74d590eab14568df53c0a74

SHA256
6c67ca29421a82bd235ee9cbe7999a34f05e48181fa1a992f891773c6a5d5a9b

SHA512
3cb3d3e7ddb30f267628b44986c9b38ff63374c0ae20142fd1344c62bb99421dc68a8b7ddf1f080550549b825599afb4b15983d204329fbd295abdf981e64827

Download Submit
C:\Users\Admin\AppData\Local\Temp\azpgmsqeedopdrbxxnpwsqgbmbsvbf

Filesize
4KB

MD5
042bbbff30c31fcbdd7f9b0ed3935ca5

SHA1
c333db2dceaf9a524147155c79756bc32eda6b03

SHA256
626ae16f54b4ca656b0267dade381d30bf042a06ba69b8851e33ab14da2bd9fe

SHA512
7f3a8eee89225ced48f8bc69d168713377e0316df3e46b544d9f7bc2c84305020eca3094c8246c8c934e22bd7643ae11f4a1560c3fe7aa717604869bcffa48fe

Download Submit
memory/2084-34-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2084-32-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2084-36-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2772-51-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2772-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-89-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-88-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-81-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-80-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-13-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-73-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-50-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2772-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-47-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2844-40-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2844-30-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2844-45-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2844-33-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2844-35-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3104-5-0x0000000004EA0000-0x0000000004EAA000-memory.dmp

Filesize
40KB

Download
memory/3104-4-0x0000000004FE0000-0x0000000005056000-memory.dmp

Filesize
472KB

Download
memory/3104-6-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/3104-0-0x000000007495E000-0x000000007495F000-memory.dmp

Filesize
4KB

Download
memory/3104-2-0x00000000053D0000-0x0000000005974000-memory.dmp

Filesize
5.6MB

Download
memory/3104-1-0x00000000004A0000-0x00000000004AA000-memory.dmp

Filesize
40KB

Download
memory/3104-7-0x00000000063C0000-0x0000000006442000-memory.dmp

Filesize
520KB

Download
memory/3104-8-0x0000000005150000-0x000000000516E000-memory.dmp

Filesize
120KB

Download
memory/3104-3-0x0000000004EC0000-0x0000000004F52000-memory.dmp

Filesize
584KB

Download
memory/3104-9-0x0000000006620000-0x00000000066BC000-memory.dmp

Filesize
624KB

Download
memory/3104-22-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/3104-10-0x0000000006730000-0x0000000006796000-memory.dmp

Filesize
408KB

Download
memory/5728-37-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5728-38-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5728-39-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download