remcos | b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe.exe
Size

1.3MB
MD5

3a24f085a5bc458b449ddb54fa2386d4
SHA1

5186dff78d989fece2317d3c308ddbab99e84361
SHA256

b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe
SHA512

cedac0eba0b0e93caf68acefa9d66969836be0f7860d9603725ce183c90600ca252e5940558981459ee16c656035bd52ea84c47aa532200a59560d3bdaaad88e
SSDEEP

24576:vqDEvCTbMWu7rQYlBQcBiT6rprG8aZ7hUzUlcybrMUUY8:vTvC/MTQYxsWR7aZyVy8nY

Score

10^/10

remcos gasplant discovery rat

Malware Config

Extracted

Family

remcos

Botnet

gasplant

whitelend-ind.com:30901

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Chrome
mouse_option
false
mutex
chrome-7EL1DB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.vbs	chrome.exe

Executes dropped EXE 1 IoCs

pid	Process
1604	chrome.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000a000000023408-14.dat	autoit_exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4060	b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe.exe
4060	b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe.exe
1604	chrome.exe
1604	chrome.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
4060	b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe.exe
4060	b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe.exe
1604	chrome.exe
1604	chrome.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 1604	4060	b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe.exe	87
PID 4060 wrote to memory of 1604	4060	b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe.exe	87
PID 4060 wrote to memory of 1604	4060	b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe.exe	87

C:\Users\Admin\AppData\Local\Temp\b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe.exe
"C:\Users\Admin\AppData\Local\Temp\b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Users\Admin\AppData\Local\directory\chrome.exe
  "C:\Users\Admin\AppData\Local\Temp\b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Chrome\logs.dat

Filesize
144B

MD5
1cdf4949a1517ead00f2781bca4fdad6

SHA1
6d25722240b563a454c14c90a96b5b2ec6b44774

SHA256
ebe2dd3d31503f278e21df76e8c3401917309dc52cbd0b25ac5c75e057217926

SHA512
f173ffe6688a7911639057d1d948e442f9a232fa0a59b9db0f18d33b91695f6adf121a1713b7ba231faff8573b0c95ef317efeaa7bc98520fd7313fd801b0ea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mazatl

Filesize
84KB

MD5
cb0d03a966c28a6249d47ca9fd3a6296

SHA1
5672654bea07caf3e398e16a26e5f540c39de898

SHA256
04da214567a6820dfd17868b10c011193f89dcac573fb4aee24325208b304605

SHA512
291853903f7f0ef21a200583ebd6b06cb38a3a6817487cb6c05a652bebfdaabdc5062b93c85443ae4bbe701115e0357dd4c67c467e4723abc2af925dac8b5639

Download Submit
C:\Users\Admin\AppData\Local\directory\chrome.exe

Filesize
1.3MB

MD5
3a24f085a5bc458b449ddb54fa2386d4

SHA1
5186dff78d989fece2317d3c308ddbab99e84361

SHA256
b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe

SHA512
cedac0eba0b0e93caf68acefa9d66969836be0f7860d9603725ce183c90600ca252e5940558981459ee16c656035bd52ea84c47aa532200a59560d3bdaaad88e

Download Submit
memory/1604-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-49-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-50-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-51-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-57-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-60-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-66-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-73-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-74-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-75-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-78-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-81-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-82-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-85-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-87-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-89-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-90-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-91-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-93-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-94-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-96-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-97-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-98-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-100-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-103-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-104-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-107-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-108-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-110-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-111-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-114-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-116-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4060-11-0x0000000000A10000-0x0000000000A14000-memory.dmp

Filesize
16KB

Download