remcos | 406306efb272acd3c69ab3b1c1fadea2c41bf817ce71e5872b6ff426248207d5

Analysis

max time kernel
148s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2024 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SALKI098765R400.exe
Size

1.0MB
MD5

2a2526a15732cd1f3f8859fe3f504cb9
SHA1

53f5eee1f770d79666d7421823f29ee21d8cba3e
SHA256

406306efb272acd3c69ab3b1c1fadea2c41bf817ce71e5872b6ff426248207d5
SHA512

029f573edc92908f027a46d035d0ce6b69f9ac2cd0b82dd1df75bb8ee43a02850e644217fc68d67b4a9633ed408534f7e46896afb7f337b71d9072b5140003d8
SSDEEP

24576:4iUmSB/o5d1ubcvqqJGyUyTlUJS0Xtw5amFnRn2cdB:4/mU/ohubcvqq8oUJS7agd

Score

10^/10

remcos remotehost collection credential_access discovery rat spyware stealer upx

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

192.210.150.26:8787

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-NKQ1SM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 7 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/1996-70-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2580-77-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3876-72-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1996-71-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/3876-69-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/3876-81-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/2580-94-0x0000000000CC0000-0x0000000000EEF000-memory.dmp	Nirsoft

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1996-70-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/1996-71-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/3876-72-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/3876-69-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/3876-81-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/2580-94-0x0000000000CC0000-0x0000000000EEF000-memory.dmp	WebBrowserPassView

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monteverdi.vbs	Monteverdi.exe

Executes dropped EXE 5 IoCs

pid	Process
1724	Monteverdi.exe
1692	Monteverdi.exe
3876	Monteverdi.exe
1996	Monteverdi.exe
2580	Monteverdi.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1728-0-0x0000000000830000-0x0000000000A5F000-memory.dmp	upx
behavioral2/memory/1724-16-0x0000000000CC0000-0x0000000000EEF000-memory.dmp	upx
behavioral2/memory/1728-17-0x0000000000830000-0x0000000000A5F000-memory.dmp	upx
behavioral2/files/0x000d0000000233bc-18.dat	upx
behavioral2/memory/1692-35-0x0000000000CC0000-0x0000000000EEF000-memory.dmp	upx
behavioral2/memory/1724-34-0x0000000000CC0000-0x0000000000EEF000-memory.dmp	upx
behavioral2/memory/1692-89-0x0000000000CC0000-0x0000000000EEF000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Monteverdi.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1728-17-0x0000000000830000-0x0000000000A5F000-memory.dmp	autoit_exe
behavioral2/memory/1724-34-0x0000000000CC0000-0x0000000000EEF000-memory.dmp	autoit_exe
behavioral2/memory/1692-89-0x0000000000CC0000-0x0000000000EEF000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1692 set thread context of 3876	1692	Monteverdi.exe	93
PID 1692 set thread context of 1996	1692	Monteverdi.exe	94
PID 1692 set thread context of 2580	1692	Monteverdi.exe	95

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SALKI098765R400.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Monteverdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Monteverdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Monteverdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Monteverdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Monteverdi.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3876	Monteverdi.exe
3876	Monteverdi.exe
2580	Monteverdi.exe
2580	Monteverdi.exe
3876	Monteverdi.exe
3876	Monteverdi.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1692	Monteverdi.exe
1692	Monteverdi.exe
1692	Monteverdi.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	Monteverdi.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1728	SALKI098765R400.exe
1728	SALKI098765R400.exe
1724	Monteverdi.exe
1724	Monteverdi.exe
1692	Monteverdi.exe
1692	Monteverdi.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1728	SALKI098765R400.exe
1728	SALKI098765R400.exe
1724	Monteverdi.exe
1724	Monteverdi.exe
1692	Monteverdi.exe
1692	Monteverdi.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1724	1728	SALKI098765R400.exe	87
PID 1728 wrote to memory of 1724	1728	SALKI098765R400.exe	87
PID 1728 wrote to memory of 1724	1728	SALKI098765R400.exe	87
PID 1724 wrote to memory of 1692	1724	Monteverdi.exe	88
PID 1724 wrote to memory of 1692	1724	Monteverdi.exe	88
PID 1724 wrote to memory of 1692	1724	Monteverdi.exe	88
PID 1692 wrote to memory of 3876	1692	Monteverdi.exe	93
PID 1692 wrote to memory of 3876	1692	Monteverdi.exe	93
PID 1692 wrote to memory of 3876	1692	Monteverdi.exe	93
PID 1692 wrote to memory of 3876	1692	Monteverdi.exe	93
PID 1692 wrote to memory of 1996	1692	Monteverdi.exe	94
PID 1692 wrote to memory of 1996	1692	Monteverdi.exe	94
PID 1692 wrote to memory of 1996	1692	Monteverdi.exe	94
PID 1692 wrote to memory of 1996	1692	Monteverdi.exe	94
PID 1692 wrote to memory of 2580	1692	Monteverdi.exe	95
PID 1692 wrote to memory of 2580	1692	Monteverdi.exe	95
PID 1692 wrote to memory of 2580	1692	Monteverdi.exe	95
PID 1692 wrote to memory of 2580	1692	Monteverdi.exe	95

C:\Users\Admin\AppData\Local\Temp\SALKI098765R400.exe
"C:\Users\Admin\AppData\Local\Temp\SALKI098765R400.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe
  "C:\Users\Admin\AppData\Local\Temp\SALKI098765R400.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe
    "C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe
      C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\Admin\AppData\Local\Temp\elfnbfsmsphyuosotrmp"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3876
  - - C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe
      C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\Admin\AppData\Local\Temp\pgkgbydggxzlwvgskczqehae"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      PID:1996
  - - C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe
      C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\Admin\AppData\Local\Temp\zaxqcqwhufrqgbcwtmushuvvssk"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
06b7fdbed7f8cbd2882bb44acb83f8b6

SHA1
8c81a3a7d7af27ea3f2c3f80a86e552e8e078089

SHA256
81e7a3fe54de69b5e14265e3ddcb639bef3747a17e532c1ddfbf77e6e7433839

SHA512
3721508291081d7873bcb8c9330fae02ecff66f1e8361c97baaa334c334162d4d76d866190a027e5dd434f8906fd35e18beda810708b562b880b3025291932fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\autA2B8.tmp

Filesize
397KB

MD5
a9818cdddd3427558a1b52f3a897f7d5

SHA1
8c4e0e6b5d38718775853897b5ade3dca8860bd7

SHA256
8edce98287539533d272d1b9624deff8ff5adaf11c1cc5cfe5256bf4422bb77a

SHA512
dbe1aa049950be7299549744bf035dc0731bb9626c2ee6ca02c3fccae864817affecda4189e1e9fef8be37d7486ded6da801cdeda6715f7a2694cb1c9ee3ed19

Download Submit
C:\Users\Admin\AppData\Local\Temp\autA2C9.tmp

Filesize
10KB

MD5
5ab857851bb90f19cfc4a5bef68f6285

SHA1
da5ae7783350302148e567c21e1a25ff312f43f3

SHA256
d8d0dd78ace87908e973377fb0ce249ae7d84b653aa45fd2af1914516224564d

SHA512
ee007315b9a590a64598532d1e78088362eb9f441945e71006978879db03a6db2cbad08d1039793a27275548093bf3ae1adf8c1445a9d6ee7d7a31039ffdb31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\elfnbfsmsphyuosotrmp

Filesize
4KB

MD5
faaa2b16df1bfc1a3792faaa35786349

SHA1
359534a59d7c5139ae205c24533ba60afdfb9f3f

SHA256
3586befc3b8b4da223e2ee0dcb00965ba5c0a205c14f2acefdeec7e46efddd5a

SHA512
2fbc79cace52a58e69ab983d034bb41ebb2496f767e18e5e4b31eefc4447c935d8614f744c71302e459350a05562fadc4c2355d76638b595e7cff1bb3d1618db

Download Submit
C:\Users\Admin\AppData\Local\Temp\jinrikisha

Filesize
56KB

MD5
ab1d29274213556fd265d9e44a8e2813

SHA1
902af8adb5d52a2871dc1e956162514d829be033

SHA256
9dbb2c43e92fb67336afded940c19e37de86ca86554341c9c8c94030f84f893d

SHA512
a4fe1e9adf1cd45e9843268899035b417009e3dfbb6b11bde32c04bf202a25dfdec670ed08a83dcece1a9efed590ec950dfe3a60f6395479f289e0adac207033

Download Submit
C:\Users\Admin\AppData\Local\Temp\pensum

Filesize
482KB

MD5
cf1214864ab14d2bf906b73636da3a0e

SHA1
ad71b3268d6f91395727d02ddd007e5b75cfbcc9

SHA256
5960b9ac19d8d6c016e018d72f6376e4ec87bdf440b126393bebe526b5e10dbc

SHA512
1502d6017b1523fda0526479a4481a966707bb3f8d8eb3b890079c5fd92f58d6554da59268940c2fdad0d2daeaae863e9e46549a3a1a2dcdf2184fccd7de4ba4

Download Submit
C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe

Filesize
1.0MB

MD5
2a2526a15732cd1f3f8859fe3f504cb9

SHA1
53f5eee1f770d79666d7421823f29ee21d8cba3e

SHA256
406306efb272acd3c69ab3b1c1fadea2c41bf817ce71e5872b6ff426248207d5

SHA512
029f573edc92908f027a46d035d0ce6b69f9ac2cd0b82dd1df75bb8ee43a02850e644217fc68d67b4a9633ed408534f7e46896afb7f337b71d9072b5140003d8

Download Submit
memory/1692-83-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1692-89-0x0000000000CC0000-0x0000000000EEF000-memory.dmp

Filesize
2.2MB

Download
memory/1692-35-0x0000000000CC0000-0x0000000000EEF000-memory.dmp

Filesize
2.2MB

Download
memory/1692-133-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1692-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1692-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1692-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1692-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1692-49-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1692-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1692-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1692-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1692-57-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1692-60-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1692-132-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1692-122-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1692-121-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1692-111-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1692-110-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1692-100-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1692-99-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1692-91-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1692-88-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1692-86-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1692-87-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1724-16-0x0000000000CC0000-0x0000000000EEF000-memory.dmp

Filesize
2.2MB

Download
memory/1724-34-0x0000000000CC0000-0x0000000000EEF000-memory.dmp

Filesize
2.2MB

Download
memory/1728-11-0x00000000015C0000-0x00000000015C4000-memory.dmp

Filesize
16KB

Download
memory/1728-17-0x0000000000830000-0x0000000000A5F000-memory.dmp

Filesize
2.2MB

Download
memory/1728-0-0x0000000000830000-0x0000000000A5F000-memory.dmp

Filesize
2.2MB

Download
memory/1996-64-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1996-68-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1996-70-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1996-71-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2580-94-0x0000000000CC0000-0x0000000000EEF000-memory.dmp

Filesize
2.2MB

Download
memory/2580-73-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2580-75-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2580-77-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3876-81-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3876-72-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3876-69-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3876-67-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3876-61-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download