remcos | f7cca6f85fcacfbf3382ae3b97637387d23e07fa47739d0ea7ad1480efa776b1

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Topaz Revised Vessel Pacificpdf.exe
Size

1.3MB
MD5

a427fb52c91af9905ae9342fda2cae62
SHA1

6ab4e88d669e199766fe47700340d98928fd9e5d
SHA256

13e0f498713a8332c6de3766269a07b27c87515fde4c2b92ca5a4433e8a692c9
SHA512

50f669db2df1dcec19c9dfb7031a496dcb04f75d6adf0fd2f101636b49f0365685bac8b7f853d500c40b02ec8e30013cc8b52c3ce7229475923c88339e23e9d6
SSDEEP

24576:QqDEvCTbMWu7rQYlBQcBiT6rprG8a1doUxYv4qUmxXh76Jrl21/7wesAZPx:QTvC/MTQYxsWR7a1drivrlh76m19

Score

10^/10

remcos remotehost collection credential_access discovery rat stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

194.169.175.190:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-LBZ2BK
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/1624-60-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/4400-59-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4988-65-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4988-65-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/1624-60-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2096 set thread context of 944	2096	Topaz Revised Vessel Pacificpdf.exe	99
PID 944 set thread context of 1624	944	svchost.exe	112
PID 944 set thread context of 4988	944	svchost.exe	113
PID 944 set thread context of 4400	944	svchost.exe	114

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Topaz Revised Vessel Pacificpdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Topaz Revised Vessel Pacificpdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Topaz Revised Vessel Pacificpdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1624	svchost.exe
1624	svchost.exe
4400	svchost.exe
4400	svchost.exe
1624	svchost.exe
1624	svchost.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2368	Topaz Revised Vessel Pacificpdf.exe
3876	Topaz Revised Vessel Pacificpdf.exe
2096	Topaz Revised Vessel Pacificpdf.exe
944	svchost.exe
944	svchost.exe
944	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4400	svchost.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2368	Topaz Revised Vessel Pacificpdf.exe
2368	Topaz Revised Vessel Pacificpdf.exe
3876	Topaz Revised Vessel Pacificpdf.exe
3876	Topaz Revised Vessel Pacificpdf.exe
2096	Topaz Revised Vessel Pacificpdf.exe
2096	Topaz Revised Vessel Pacificpdf.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2368	Topaz Revised Vessel Pacificpdf.exe
2368	Topaz Revised Vessel Pacificpdf.exe
3876	Topaz Revised Vessel Pacificpdf.exe
3876	Topaz Revised Vessel Pacificpdf.exe
2096	Topaz Revised Vessel Pacificpdf.exe
2096	Topaz Revised Vessel Pacificpdf.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 3900	2368	Topaz Revised Vessel Pacificpdf.exe	94
PID 2368 wrote to memory of 3900	2368	Topaz Revised Vessel Pacificpdf.exe	94
PID 2368 wrote to memory of 3900	2368	Topaz Revised Vessel Pacificpdf.exe	94
PID 2368 wrote to memory of 3876	2368	Topaz Revised Vessel Pacificpdf.exe	95
PID 2368 wrote to memory of 3876	2368	Topaz Revised Vessel Pacificpdf.exe	95
PID 2368 wrote to memory of 3876	2368	Topaz Revised Vessel Pacificpdf.exe	95
PID 3876 wrote to memory of 4224	3876	Topaz Revised Vessel Pacificpdf.exe	96
PID 3876 wrote to memory of 4224	3876	Topaz Revised Vessel Pacificpdf.exe	96
PID 3876 wrote to memory of 4224	3876	Topaz Revised Vessel Pacificpdf.exe	96
PID 3876 wrote to memory of 2096	3876	Topaz Revised Vessel Pacificpdf.exe	97
PID 3876 wrote to memory of 2096	3876	Topaz Revised Vessel Pacificpdf.exe	97
PID 3876 wrote to memory of 2096	3876	Topaz Revised Vessel Pacificpdf.exe	97
PID 2096 wrote to memory of 944	2096	Topaz Revised Vessel Pacificpdf.exe	99
PID 2096 wrote to memory of 944	2096	Topaz Revised Vessel Pacificpdf.exe	99
PID 2096 wrote to memory of 944	2096	Topaz Revised Vessel Pacificpdf.exe	99
PID 2096 wrote to memory of 944	2096	Topaz Revised Vessel Pacificpdf.exe	99
PID 944 wrote to memory of 1624	944	svchost.exe	112
PID 944 wrote to memory of 1624	944	svchost.exe	112
PID 944 wrote to memory of 1624	944	svchost.exe	112
PID 944 wrote to memory of 1624	944	svchost.exe	112
PID 944 wrote to memory of 4988	944	svchost.exe	113
PID 944 wrote to memory of 4988	944	svchost.exe	113
PID 944 wrote to memory of 4988	944	svchost.exe	113
PID 944 wrote to memory of 4988	944	svchost.exe	113
PID 944 wrote to memory of 4400	944	svchost.exe	114
PID 944 wrote to memory of 4400	944	svchost.exe	114
PID 944 wrote to memory of 4400	944	svchost.exe	114
PID 944 wrote to memory of 4400	944	svchost.exe	114

C:\Users\Admin\AppData\Local\Temp\Topaz Revised Vessel Pacificpdf.exe
"C:\Users\Admin\AppData\Local\Temp\Topaz Revised Vessel Pacificpdf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Topaz Revised Vessel Pacificpdf.exe"
  2⤵
  PID:3900
- C:\Users\Admin\AppData\Local\Temp\Topaz Revised Vessel Pacificpdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Topaz Revised Vessel Pacificpdf.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\Topaz Revised Vessel Pacificpdf.exe"
    3⤵
    PID:4224
- - C:\Users\Admin\AppData\Local\Temp\Topaz Revised Vessel Pacificpdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Topaz Revised Vessel Pacificpdf.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\Topaz Revised Vessel Pacificpdf.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:944
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\zpatzvvpjpwgkfxiywmrcesydzuo"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1624
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\jjfezogrxxotnltmhhylfjmplglwuco"
        5⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:4988
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\ulkwsgqklfgyxrhqqslmqwzgumvfnnfuxt"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4324,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=4628 /prefetch:8
1⤵
PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut6F20.tmp

Filesize
418KB

MD5
f6bebf2e0ae44d3f4a80d7bd9abf613f

SHA1
78258cc83a47c6387640e1cf7362508cbe836594

SHA256
67d69efb9cb80f4ac224f4994bde50f5bd3cf4ea0f67b6e41dd45cf23c50e6b5

SHA512
45286ff265c9d656b4eaec25ba7a332d757c1403e94be73e1f622eac4d2f1c17d8c0f73015d78367fa3ea3231fa4d64a86f0957a02b0cd860cc338dfaee82bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut6F31.tmp

Filesize
42KB

MD5
683f4fb80fb92f084c929ba76fe2c669

SHA1
c119fac8af006ef4ac4441a10d8867c67d0ea1fb

SHA256
e27db2a61d8626dfb898394a27ab6330995624c997deb9855d486f744da0e8bb

SHA512
17b5952174526ebe138244cac2826a127f456313add30fbb64f3cea144756429507a8bb8137080cc636666c2e8cda34361f41ab7776dd201179902e70c0608aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\seskin

Filesize
483KB

MD5
e3cffdfde25feff38ac505c01c856654

SHA1
4448c11283eef1458cb8d33b403d5efdfdcf18dc

SHA256
ed9a31ef5e3a53be564e8adbee3b880aa03454bd8a6ee5075da3368179850ed4

SHA512
2bf69c4ddf9c66f338c10f5d7688d79f9b12a8e0bba24622404c96cd62593a546a54408df21014b87ae06850518f9dfcd891cd26cef03168fbd17e941e3b2c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\unfatiguing

Filesize
84KB

MD5
e3dded0db1841662749a393616b4aeba

SHA1
125b6b88d6f4e82cca8bf03cb1f6c4a953bf1a25

SHA256
efa2c48856dfd519ad215d0510850d83c7c5164481530b4a9d8e2af2302d24df

SHA512
c2a59056a36af48b8b724f5023ce85ccb10cec364f631a5204a9dd84210b40436e33860aa4672ea9edba92ea17f8217725069f795f967954bbb3c3505e068366

Download Submit
C:\Users\Admin\AppData\Local\Temp\zpatzvvpjpwgkfxiywmrcesydzuo

Filesize
4KB

MD5
cda83eba5a004554ccdc061fd3df499c

SHA1
58ff2ecb9d47be10335e104896c87c62dc328523

SHA256
e384f4d46587646c6e0f9d2ee90b7bc57b49cea936b37cf8ab81ef3c4ce468ac

SHA512
f55ce20f0cf8b603fad765b889607f967c22d377fa4ac417ba1309d0aced9231e197bb4107d1c92bb99f51c04cc68ce26148727a8b694886710100c01f3de597

Download Submit
memory/944-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/944-74-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/944-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/944-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/944-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/944-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/944-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/944-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/944-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/944-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/944-49-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/944-50-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/944-51-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/944-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/944-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/944-82-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/944-80-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/944-81-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/944-79-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/944-78-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/944-77-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/944-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/944-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1624-56-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1624-60-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1624-54-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-11-0x0000000000900000-0x0000000000904000-memory.dmp

Filesize
16KB

Download
memory/4400-57-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4400-58-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4400-59-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4988-65-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4988-61-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4988-55-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download