remcos | b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
21/08/2024, 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe.exe
Size

1.3MB
MD5

3a24f085a5bc458b449ddb54fa2386d4
SHA1

5186dff78d989fece2317d3c308ddbab99e84361
SHA256

b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe
SHA512

cedac0eba0b0e93caf68acefa9d66969836be0f7860d9603725ce183c90600ca252e5940558981459ee16c656035bd52ea84c47aa532200a59560d3bdaaad88e
SSDEEP

24576:vqDEvCTbMWu7rQYlBQcBiT6rprG8aZ7hUzUlcybrMUUY8:vTvC/MTQYxsWR7aZyVy8nY

Score

10^/10

remcos gasplant discovery rat

Malware Config

Extracted

Family

remcos

Botnet

gasplant

whitelend-ind.com:30901

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Chrome
mouse_option
false
mutex
chrome-7EL1DB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.vbs	chrome.exe

Executes dropped EXE 1 IoCs

pid	Process
2924	chrome.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000100000002aa63-14.dat	autoit_exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
436	b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe.exe
436	b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe.exe
2924	chrome.exe
2924	chrome.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
436	b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe.exe
436	b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe.exe
2924	chrome.exe
2924	chrome.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 2924	436	b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe.exe	82
PID 436 wrote to memory of 2924	436	b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe.exe	82
PID 436 wrote to memory of 2924	436	b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe.exe	82

C:\Users\Admin\AppData\Local\Temp\b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe.exe
"C:\Users\Admin\AppData\Local\Temp\b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:436
- C:\Users\Admin\AppData\Local\directory\chrome.exe
  "C:\Users\Admin\AppData\Local\Temp\b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Chrome\logs.dat

Filesize
144B

MD5
5919585e07a6d10bffc822affa15ee04

SHA1
d05b2a08031388b641597123a159ee54bb4a1237

SHA256
631b2db50765d5c24e290143e33d28d1a4571d743708d6c03154d70a38f5943c

SHA512
2172bebade7ec37ac7646766b32f3126d0c2f5038af53a9580068b2aab7e2194e59a69dfb117d33dfca18f74733261903ca5b1c795e75434e7cf9f5cda0e1238

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mazatl

Filesize
84KB

MD5
cb0d03a966c28a6249d47ca9fd3a6296

SHA1
5672654bea07caf3e398e16a26e5f540c39de898

SHA256
04da214567a6820dfd17868b10c011193f89dcac573fb4aee24325208b304605

SHA512
291853903f7f0ef21a200583ebd6b06cb38a3a6817487cb6c05a652bebfdaabdc5062b93c85443ae4bbe701115e0357dd4c67c467e4723abc2af925dac8b5639

Download Submit
C:\Users\Admin\AppData\Local\Temp\epistemology

Filesize
483KB

MD5
5d04eed87d21d597b980e79949c595ba

SHA1
3701ccf4055b959b487fa311a9b241060305b6ca

SHA256
7201d277c34403811912a48da6d17f5a826ba10cffcd61ef7bafe7dcf28e5e1a

SHA512
556a6a6fbaf9ec6eeb3b8636e9942c4132d309b5f6cab3675b7f38134d0e75ac9ddb685f187efa693cca33d9cea4bb9991e282ee1777de67da02cdd94633623b

Download Submit
C:\Users\Admin\AppData\Local\directory\chrome.exe

Filesize
1.3MB

MD5
3a24f085a5bc458b449ddb54fa2386d4

SHA1
5186dff78d989fece2317d3c308ddbab99e84361

SHA256
b833db95708c829952de0ab64c287541fdc039d70d6d5f57ed705c7ee0b435fe

SHA512
cedac0eba0b0e93caf68acefa9d66969836be0f7860d9603725ce183c90600ca252e5940558981459ee16c656035bd52ea84c47aa532200a59560d3bdaaad88e

Download Submit
memory/436-11-0x0000000001BA0000-0x0000000001BA4000-memory.dmp

Filesize
16KB

Download
memory/2924-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-49-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-50-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-66-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-67-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-70-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-73-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-74-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-76-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-79-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-80-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-85-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-87-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-88-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-89-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-91-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-92-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-94-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-95-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-96-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-98-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-99-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-100-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-104-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-105-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-108-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-109-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-111-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-113-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-115-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-116-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download