remcos | 79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe
Size

922KB
MD5

fa2cbbd8f8f8752294d9ece90f43d916
SHA1

c9a85499d49606fbc9244b1f36464692a5e8d5b9
SHA256

79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99
SHA512

8b256caa6538b46dc9a8fb197b506eb364b4bd1d54e0d095866908b9f6b72d1d4c1ad6ce3f216c688c8489d4502fe0f8aff36211dc56180dd7204c0e3c03ac95
SSDEEP

12288:M4ndmoiGkOcTXipV/O/zArnSDWE0V65S0jOMS2o9PADoGvSkwVgd:ZngIfW/zArSDo05SAOjpjGv/wV

Score

10^/10

remcos remotehost collection execution rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

107.175.229.139:8823

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-2BGC0K
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/1588-46-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2596-47-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/1592-51-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2596-47-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/1588-46-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Powershell.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2460 set thread context of 372	2460	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	32
PID 372 set thread context of 1588	372	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	34
PID 372 set thread context of 2596	372	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	35
PID 372 set thread context of 1592	372	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	36

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2952	Powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2952	Powershell.exe
1588	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe
1588	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
372	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe
372	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe
372	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe
372	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2952	Powershell.exe
Token: SeDebugPrivilege	1592	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
372	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2952	2460	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	30
PID 2460 wrote to memory of 2952	2460	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	30
PID 2460 wrote to memory of 2952	2460	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	30
PID 2460 wrote to memory of 2952	2460	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	30
PID 2460 wrote to memory of 372	2460	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	32
PID 2460 wrote to memory of 372	2460	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	32
PID 2460 wrote to memory of 372	2460	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	32
PID 2460 wrote to memory of 372	2460	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	32
PID 2460 wrote to memory of 372	2460	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	32
PID 2460 wrote to memory of 372	2460	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	32
PID 2460 wrote to memory of 372	2460	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	32
PID 2460 wrote to memory of 372	2460	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	32
PID 2460 wrote to memory of 372	2460	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	32
PID 2460 wrote to memory of 372	2460	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	32
PID 2460 wrote to memory of 372	2460	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	32
PID 2460 wrote to memory of 372	2460	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	32
PID 2460 wrote to memory of 372	2460	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	32
PID 372 wrote to memory of 2536	372	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	33
PID 372 wrote to memory of 2536	372	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	33
PID 372 wrote to memory of 2536	372	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	33
PID 372 wrote to memory of 2536	372	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	33
PID 372 wrote to memory of 1588	372	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	34
PID 372 wrote to memory of 1588	372	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	34
PID 372 wrote to memory of 1588	372	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	34
PID 372 wrote to memory of 1588	372	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	34
PID 372 wrote to memory of 1588	372	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	34
PID 372 wrote to memory of 2596	372	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	35
PID 372 wrote to memory of 2596	372	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	35
PID 372 wrote to memory of 2596	372	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	35
PID 372 wrote to memory of 2596	372	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	35
PID 372 wrote to memory of 2596	372	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	35
PID 372 wrote to memory of 1592	372	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	36
PID 372 wrote to memory of 1592	372	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	36
PID 372 wrote to memory of 1592	372	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	36
PID 372 wrote to memory of 1592	372	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	36
PID 372 wrote to memory of 1592	372	79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe	36

C:\Users\Admin\AppData\Local\Temp\79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe
"C:\Users\Admin\AppData\Local\Temp\79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
  "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
  2⤵
  - Drops startup file
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Users\Admin\AppData\Local\Temp\79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe
  "C:\Users\Admin\AppData\Local\Temp\79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Users\Admin\AppData\Local\Temp\79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe
    C:\Users\Admin\AppData\Local\Temp\79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe /stext "C:\Users\Admin\AppData\Local\Temp\dukt"
    3⤵
    PID:2536
- - C:\Users\Admin\AppData\Local\Temp\79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe
    C:\Users\Admin\AppData\Local\Temp\79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe /stext "C:\Users\Admin\AppData\Local\Temp\dukt"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1588
- - C:\Users\Admin\AppData\Local\Temp\79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe
    C:\Users\Admin\AppData\Local\Temp\79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe /stext "C:\Users\Admin\AppData\Local\Temp\oopmvea"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:2596
- - C:\Users\Admin\AppData\Local\Temp\79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe
    C:\Users\Admin\AppData\Local\Temp\79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99.exe /stext "C:\Users\Admin\AppData\Local\Temp\qrvewwlspil"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
2b764991234d51b29b3215d1d47e6ac5

SHA1
67b9bb2455e93133543ab7aa91daacbe66db13c5

SHA256
c3670af685e1b2a047123ad87523d09fb6d0b254db46e1284eea44cc5c95054c

SHA512
44e81870fe45b624d9af1e6b79dd7faa088695fc1bb02d9586ee655ff3a3b386de136411b60da677b25d763fbf6cf533e723182d6c81443299843dae62fe683c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dukt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/372-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-62-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/372-100-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-99-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-91-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-92-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/372-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-13-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-12-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-76-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-75-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-66-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-67-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/372-61-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/372-58-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/372-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1588-44-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1588-41-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1588-46-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1592-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1592-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1592-51-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1592-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2460-2-0x0000000000F70000-0x000000000101E000-memory.dmp

Filesize
696KB

Download
memory/2460-11-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/2460-3-0x00000000743D0000-0x0000000074ABE000-memory.dmp

Filesize
6.9MB

Download
memory/2460-0-0x00000000743DE000-0x00000000743DF000-memory.dmp

Filesize
4KB

Download
memory/2460-1-0x0000000001140000-0x000000000122C000-memory.dmp

Filesize
944KB

Download
memory/2460-31-0x00000000743D0000-0x0000000074ABE000-memory.dmp

Filesize
6.9MB

Download
memory/2596-47-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2596-45-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2596-43-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2952-33-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/2952-10-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/2952-7-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/2952-8-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/2952-9-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/2952-6-0x000000006F4A1000-0x000000006F4A2000-memory.dmp

Filesize
4KB

Download