Analysis

  • max time kernel
    93s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-08-2024 12:27

General

  • Target

    1/0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe

  • Size

    1.3MB

  • MD5

    73d006e33d8eda033e684c07b15c53ad

  • SHA1

    e3e0a09b37beee1e19d5a6b9fd5322f906f4493d

  • SHA256

    0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160

  • SHA512

    1b2822a9f568783a6064194c21e4147ffb10c1a0c3ca00f586f3306cf7b5d0bee39af5dad5a78f720d75c09b0b71d44c75d05d9b432b1159915977006e9252db

  • SSDEEP

    24576:KAHnh+eWsN3skA4RV1Hom2KXMmHaKi4Tivd32MUMh9ZzU2Fk1gn5:dh+ZkldoPK8YaKi4mrUUZbk1I

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

192.3.64.149:2888

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-7Q1GRN

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1\0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe
    "C:\Users\Admin\AppData\Local\Temp\1\0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\1\0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2812
      • \??\c:\program files (x86)\internet explorer\iexplore.exe
        "c:\program files (x86)\internet explorer\iexplore.exe"
        3⤵
          PID:312

    Network

    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.dual-a-0034.a-msedge.net
      g-bing-com.dual-a-0034.a-msedge.net
      IN CNAME
      dual-a-0034.a-msedge.net
      dual-a-0034.a-msedge.net
      IN A
      13.107.21.237
      dual-a-0034.a-msedge.net
      IN A
      204.79.197.237
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=679a7632935e469f8d8172a63957489e&localId=w:AC2B58A5-1A3B-8F5D-5E56-3F401D899D6C&deviceId=6966569283164616&anid=
      Remote address:
      13.107.21.237:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=679a7632935e469f8d8172a63957489e&localId=w:AC2B58A5-1A3B-8F5D-5E56-3F401D899D6C&deviceId=6966569283164616&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=2E7397424B3D63CB1341838D4ADD62AF; domain=.bing.com; expires=Wed, 27-Aug-2025 12:28:17 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: FBD3354634464568B8C7363916F9C99D Ref B: LON04EDGE1021 Ref C: 2024-08-02T12:28:17Z
      date: Fri, 02 Aug 2024 12:28:16 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=679a7632935e469f8d8172a63957489e&localId=w:AC2B58A5-1A3B-8F5D-5E56-3F401D899D6C&deviceId=6966569283164616&anid=
      Remote address:
      13.107.21.237:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=679a7632935e469f8d8172a63957489e&localId=w:AC2B58A5-1A3B-8F5D-5E56-3F401D899D6C&deviceId=6966569283164616&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=2E7397424B3D63CB1341838D4ADD62AF
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=m73DVUcFJM93n1seCWmh-JuqFjuRGk759r6Qo7t18BY; domain=.bing.com; expires=Wed, 27-Aug-2025 12:28:17 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 0777D8AA6F66472F9A5B13405A4E15EF Ref B: LON04EDGE1021 Ref C: 2024-08-02T12:28:17Z
      date: Fri, 02 Aug 2024 12:28:16 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=679a7632935e469f8d8172a63957489e&localId=w:AC2B58A5-1A3B-8F5D-5E56-3F401D899D6C&deviceId=6966569283164616&anid=
      Remote address:
      13.107.21.237:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=679a7632935e469f8d8172a63957489e&localId=w:AC2B58A5-1A3B-8F5D-5E56-3F401D899D6C&deviceId=6966569283164616&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=2E7397424B3D63CB1341838D4ADD62AF; MSPTC=m73DVUcFJM93n1seCWmh-JuqFjuRGk759r6Qo7t18BY
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: E9627BF9472C472C87EE8F1D5CFBCAD3 Ref B: LON04EDGE1021 Ref C: 2024-08-02T12:28:17Z
      date: Fri, 02 Aug 2024 12:28:16 GMT
    • flag-us
      DNS
      140.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      140.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      237.21.107.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      237.21.107.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      203.142.123.92.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      203.142.123.92.in-addr.arpa
      IN PTR
      Response
      203.142.123.92.in-addr.arpa
      IN PTR
      a92-123-142-203deploystaticakamaitechnologiescom
    • flag-us
      DNS
      26.35.223.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.35.223.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      233.143.123.92.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      233.143.123.92.in-addr.arpa
      IN PTR
      Response
      233.143.123.92.in-addr.arpa
      IN PTR
      a92-123-143-233deploystaticakamaitechnologiescom
    • 13.107.21.237:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=679a7632935e469f8d8172a63957489e&localId=w:AC2B58A5-1A3B-8F5D-5E56-3F401D899D6C&deviceId=6966569283164616&anid=
      tls, http2
      2.0kB
      9.3kB
      22
      19

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=679a7632935e469f8d8172a63957489e&localId=w:AC2B58A5-1A3B-8F5D-5E56-3F401D899D6C&deviceId=6966569283164616&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=679a7632935e469f8d8172a63957489e&localId=w:AC2B58A5-1A3B-8F5D-5E56-3F401D899D6C&deviceId=6966569283164616&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=679a7632935e469f8d8172a63957489e&localId=w:AC2B58A5-1A3B-8F5D-5E56-3F401D899D6C&deviceId=6966569283164616&anid=

      HTTP Response

      204
    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      151 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      13.107.21.237
      204.79.197.237

    • 8.8.8.8:53
      140.32.126.40.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      140.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      237.21.107.13.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      237.21.107.13.in-addr.arpa

    • 8.8.8.8:53
      203.142.123.92.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      203.142.123.92.in-addr.arpa

    • 8.8.8.8:53
      26.35.223.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      26.35.223.20.in-addr.arpa

    • 8.8.8.8:53
      50.23.12.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      50.23.12.20.in-addr.arpa

    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      198.187.3.20.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      233.143.123.92.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      233.143.123.92.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/312-16-0x0000000000F40000-0x0000000000F4E000-memory.dmp

      Filesize

      56KB

    • memory/312-18-0x0000000000F40000-0x0000000000F4E000-memory.dmp

      Filesize

      56KB

    • memory/312-20-0x0000000000F40000-0x0000000000F4E000-memory.dmp

      Filesize

      56KB

    • memory/312-15-0x0000000000F40000-0x0000000000F4E000-memory.dmp

      Filesize

      56KB

    • memory/2772-10-0x0000000000C60000-0x0000000000C64000-memory.dmp

      Filesize

      16KB

    • memory/2812-11-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

    • memory/2812-12-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

    • memory/2812-13-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

    • memory/2812-14-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

    • memory/2812-19-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.