remcos | 75606480411880eeb9d14c377db8be1f2c73a8a4a88732b18a0119c9481ddacd

Analysis

max time kernel
299s
max time network
279s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
29-08-2024 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MHsdclJwVvtwjza.exe
Size

978KB
MD5

871ca065a899e7ef61372f0ad57aba15
SHA1

05431bb56378a51f20b32a58a347eca010e91895
SHA256

75606480411880eeb9d14c377db8be1f2c73a8a4a88732b18a0119c9481ddacd
SHA512

45e0a72e7d8193cb839c71de1f2f9357babe10f084697edc90d673cdbdab52e1e4d9afa8e52e154999cfde1e588c1f86164d0d6ea9e68d74362c536c072c94af
SSDEEP

24576:/iFdlLzNJWGd3o2rg7otbun1iNMeT8Rmzaip7BMD8Qr:aFXuGdxrg7oti1iNMeT8kmD8Qr

Score

10^/10

remcos bcv collection credential_access discovery execution rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

BCV

tvq3101.sytes.net:1974

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-9PFUGS
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/1656-284-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/4272-283-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/3412-288-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1656-284-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4272-283-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
308	powershell.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	MHsdclJwVvtwjza.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3652 set thread context of 3504	3652	MHsdclJwVvtwjza.exe	75
PID 3504 set thread context of 4272	3504	MHsdclJwVvtwjza.exe	77
PID 3504 set thread context of 1656	3504	MHsdclJwVvtwjza.exe	78
PID 3504 set thread context of 3412	3504	MHsdclJwVvtwjza.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MHsdclJwVvtwjza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MHsdclJwVvtwjza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MHsdclJwVvtwjza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MHsdclJwVvtwjza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MHsdclJwVvtwjza.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
308	powershell.exe
308	powershell.exe
308	powershell.exe
4272	MHsdclJwVvtwjza.exe
4272	MHsdclJwVvtwjza.exe
3412	MHsdclJwVvtwjza.exe
3412	MHsdclJwVvtwjza.exe
4272	MHsdclJwVvtwjza.exe
4272	MHsdclJwVvtwjza.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3504	MHsdclJwVvtwjza.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
3504	MHsdclJwVvtwjza.exe
3504	MHsdclJwVvtwjza.exe
3504	MHsdclJwVvtwjza.exe
3504	MHsdclJwVvtwjza.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	308	powershell.exe
Token: SeDebugPrivilege	3412	MHsdclJwVvtwjza.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3504	MHsdclJwVvtwjza.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3504	MHsdclJwVvtwjza.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3504	MHsdclJwVvtwjza.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 308	3652	MHsdclJwVvtwjza.exe	73
PID 3652 wrote to memory of 308	3652	MHsdclJwVvtwjza.exe	73
PID 3652 wrote to memory of 308	3652	MHsdclJwVvtwjza.exe	73
PID 3652 wrote to memory of 3504	3652	MHsdclJwVvtwjza.exe	75
PID 3652 wrote to memory of 3504	3652	MHsdclJwVvtwjza.exe	75
PID 3652 wrote to memory of 3504	3652	MHsdclJwVvtwjza.exe	75
PID 3652 wrote to memory of 3504	3652	MHsdclJwVvtwjza.exe	75
PID 3652 wrote to memory of 3504	3652	MHsdclJwVvtwjza.exe	75
PID 3652 wrote to memory of 3504	3652	MHsdclJwVvtwjza.exe	75
PID 3652 wrote to memory of 3504	3652	MHsdclJwVvtwjza.exe	75
PID 3652 wrote to memory of 3504	3652	MHsdclJwVvtwjza.exe	75
PID 3652 wrote to memory of 3504	3652	MHsdclJwVvtwjza.exe	75
PID 3652 wrote to memory of 3504	3652	MHsdclJwVvtwjza.exe	75
PID 3652 wrote to memory of 3504	3652	MHsdclJwVvtwjza.exe	75
PID 3652 wrote to memory of 3504	3652	MHsdclJwVvtwjza.exe	75
PID 3504 wrote to memory of 4272	3504	MHsdclJwVvtwjza.exe	77
PID 3504 wrote to memory of 4272	3504	MHsdclJwVvtwjza.exe	77
PID 3504 wrote to memory of 4272	3504	MHsdclJwVvtwjza.exe	77
PID 3504 wrote to memory of 4272	3504	MHsdclJwVvtwjza.exe	77
PID 3504 wrote to memory of 1656	3504	MHsdclJwVvtwjza.exe	78
PID 3504 wrote to memory of 1656	3504	MHsdclJwVvtwjza.exe	78
PID 3504 wrote to memory of 1656	3504	MHsdclJwVvtwjza.exe	78
PID 3504 wrote to memory of 1656	3504	MHsdclJwVvtwjza.exe	78
PID 3504 wrote to memory of 4680	3504	MHsdclJwVvtwjza.exe	79
PID 3504 wrote to memory of 4680	3504	MHsdclJwVvtwjza.exe	79
PID 3504 wrote to memory of 4680	3504	MHsdclJwVvtwjza.exe	79
PID 3504 wrote to memory of 3412	3504	MHsdclJwVvtwjza.exe	80
PID 3504 wrote to memory of 3412	3504	MHsdclJwVvtwjza.exe	80
PID 3504 wrote to memory of 3412	3504	MHsdclJwVvtwjza.exe	80
PID 3504 wrote to memory of 3412	3504	MHsdclJwVvtwjza.exe	80

C:\Users\Admin\AppData\Local\Temp\MHsdclJwVvtwjza.exe
"C:\Users\Admin\AppData\Local\Temp\MHsdclJwVvtwjza.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MHsdclJwVvtwjza.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:308
- C:\Users\Admin\AppData\Local\Temp\MHsdclJwVvtwjza.exe
  "C:\Users\Admin\AppData\Local\Temp\MHsdclJwVvtwjza.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Users\Admin\AppData\Local\Temp\MHsdclJwVvtwjza.exe
    C:\Users\Admin\AppData\Local\Temp\MHsdclJwVvtwjza.exe /stext "C:\Users\Admin\AppData\Local\Temp\pvsnng"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4272
- - C:\Users\Admin\AppData\Local\Temp\MHsdclJwVvtwjza.exe
    C:\Users\Admin\AppData\Local\Temp\MHsdclJwVvtwjza.exe /stext "C:\Users\Admin\AppData\Local\Temp\apfyoyfnu"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:1656
- - C:\Users\Admin\AppData\Local\Temp\MHsdclJwVvtwjza.exe
    C:\Users\Admin\AppData\Local\Temp\MHsdclJwVvtwjza.exe /stext "C:\Users\Admin\AppData\Local\Temp\krkrpqppivfm"
    3⤵
    PID:4680
- - C:\Users\Admin\AppData\Local\Temp\MHsdclJwVvtwjza.exe
    C:\Users\Admin\AppData\Local\Temp\MHsdclJwVvtwjza.exe /stext "C:\Users\Admin\AppData\Local\Temp\krkrpqppivfm"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
220B

MD5
857fac90cf9ddbfe760aa93ad0924b63

SHA1
77b2ca6d45743a11e58bea1a3faabb41b89cc6d4

SHA256
fefb6df21d231331502b538b186c71ea0a1b399a16cc9241ff0075322fe99dc6

SHA512
0163f7a7c8fc2052ae742328dc29009b2bfe1be5b1a99d7b6fe6c67a73f294554b1ec394b2920fbdf9cadf51679c9bcb2f0999a140a1051e44175ef27dd8417e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l3omoh50.nxl.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pvsnng

Filesize
4KB

MD5
cb998c648b6f4ad55a89eb482aac3598

SHA1
0965844779ba17661d18e216289ae0422777b689

SHA256
ea32319f2bc8d294d729b82a946fb2a0eedf37902a04c01efb5a75efbecdb395

SHA512
97dedfbc8ad9b6149a8e044669efb69539ba9f738b032aa2408e759dd16b86f86d9364af2f229c2fad70c8ede6a42767c5f112a2eb7452de6334ac2b34dc4124

Download Submit
memory/308-58-0x0000000009190000-0x0000000009224000-memory.dmp

Filesize
592KB

Download
memory/308-52-0x0000000008C50000-0x0000000008C6E000-memory.dmp

Filesize
120KB

Download
memory/308-30-0x0000000007530000-0x000000000754C000-memory.dmp

Filesize
112KB

Download
memory/308-29-0x00000000077C0000-0x0000000007B10000-memory.dmp

Filesize
3.3MB

Download
memory/308-28-0x00000000074C0000-0x0000000007526000-memory.dmp

Filesize
408KB

Download
memory/308-27-0x0000000006DA0000-0x0000000006E06000-memory.dmp

Filesize
408KB

Download
memory/308-19-0x00000000042C0000-0x00000000042F6000-memory.dmp

Filesize
216KB

Download
memory/308-256-0x0000000009120000-0x0000000009128000-memory.dmp

Filesize
32KB

Download
memory/308-251-0x0000000009130000-0x000000000914A000-memory.dmp

Filesize
104KB

Download
memory/308-31-0x0000000007E90000-0x0000000007EDB000-memory.dmp

Filesize
300KB

Download
memory/308-57-0x0000000008DB0000-0x0000000008E55000-memory.dmp

Filesize
660KB

Download
memory/308-26-0x0000000006C00000-0x0000000006C22000-memory.dmp

Filesize
136KB

Download
memory/308-51-0x0000000070EC0000-0x0000000070F0B000-memory.dmp

Filesize
300KB

Download
memory/308-20-0x0000000006E20000-0x0000000007448000-memory.dmp

Filesize
6.2MB

Download
memory/308-50-0x0000000008C70000-0x0000000008CA3000-memory.dmp

Filesize
204KB

Download
memory/308-32-0x0000000007D30000-0x0000000007DA6000-memory.dmp

Filesize
472KB

Download
memory/1656-280-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1656-284-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1656-282-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3412-288-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3412-285-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3412-286-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3504-274-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-368-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-367-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-360-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-359-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-352-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-351-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-261-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-262-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-344-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-275-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-278-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-343-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-336-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-335-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-328-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-327-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-320-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-319-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-312-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-12-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-293-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3504-296-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3504-297-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3504-298-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-299-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-303-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-304-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-11-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3504-311-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3652-5-0x0000000073B90000-0x000000007427E000-memory.dmp

Filesize
6.9MB

Download
memory/3652-4-0x0000000004D90000-0x0000000004D9A000-memory.dmp

Filesize
40KB

Download
memory/3652-10-0x000000000A160000-0x000000000A1FC000-memory.dmp

Filesize
624KB

Download
memory/3652-1-0x0000000000300000-0x00000000003F8000-memory.dmp

Filesize
992KB

Download
memory/3652-2-0x0000000005240000-0x000000000573E000-memory.dmp

Filesize
5.0MB

Download
memory/3652-3-0x0000000004DE0000-0x0000000004E72000-memory.dmp

Filesize
584KB

Download
memory/3652-0-0x0000000073B9E000-0x0000000073B9F000-memory.dmp

Filesize
4KB

Download
memory/3652-16-0x0000000073B90000-0x000000007427E000-memory.dmp

Filesize
6.9MB

Download
memory/3652-9-0x0000000007920000-0x00000000079E0000-memory.dmp

Filesize
768KB

Download
memory/3652-8-0x0000000073B90000-0x000000007427E000-memory.dmp

Filesize
6.9MB

Download
memory/3652-6-0x0000000005210000-0x0000000005228000-memory.dmp

Filesize
96KB

Download
memory/3652-7-0x0000000073B9E000-0x0000000073B9F000-memory.dmp

Filesize
4KB

Download
memory/4272-281-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4272-279-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4272-283-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download