remcos | d8ec15128a2035c5f9b8048a556b27f13e980ec4729f8b0132493fc470661d84

Analysis

max time kernel
149s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/08/2024, 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SALKI098765R400.exe
Size

1.0MB
MD5

2a2526a15732cd1f3f8859fe3f504cb9
SHA1

53f5eee1f770d79666d7421823f29ee21d8cba3e
SHA256

406306efb272acd3c69ab3b1c1fadea2c41bf817ce71e5872b6ff426248207d5
SHA512

029f573edc92908f027a46d035d0ce6b69f9ac2cd0b82dd1df75bb8ee43a02850e644217fc68d67b4a9633ed408534f7e46896afb7f337b71d9072b5140003d8
SSDEEP

24576:4iUmSB/o5d1ubcvqqJGyUyTlUJS0Xtw5amFnRn2cdB:4/mU/ohubcvqq8oUJS7agd

Score

10^/10

remcos remotehost collection credential_access discovery rat spyware stealer upx

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

192.210.150.26:8787

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-NKQ1SM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 6 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/756-64-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/3172-63-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/4032-59-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3172-55-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/756-54-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/3172-66-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/756-64-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/756-54-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/3172-63-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/3172-55-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/3172-66-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monteverdi.vbs	Monteverdi.exe

Executes dropped EXE 4 IoCs

pid	Process
3208	Monteverdi.exe
3172	Monteverdi.exe
756	Monteverdi.exe
4032	Monteverdi.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1800-0-0x0000000000E10000-0x000000000103F000-memory.dmp	upx
behavioral2/files/0x000c000000023387-14.dat	upx
behavioral2/memory/3208-17-0x0000000000540000-0x000000000076F000-memory.dmp	upx
behavioral2/memory/1800-16-0x0000000000E10000-0x000000000103F000-memory.dmp	upx
behavioral2/memory/3172-48-0x0000000000540000-0x000000000076F000-memory.dmp	upx
behavioral2/memory/3208-75-0x0000000000540000-0x000000000076F000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Monteverdi.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3208-17-0x0000000000540000-0x000000000076F000-memory.dmp	autoit_exe
behavioral2/memory/1800-16-0x0000000000E10000-0x000000000103F000-memory.dmp	autoit_exe
behavioral2/memory/3208-75-0x0000000000540000-0x000000000076F000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3208 set thread context of 3172	3208	Monteverdi.exe	91
PID 3208 set thread context of 756	3208	Monteverdi.exe	92
PID 3208 set thread context of 4032	3208	Monteverdi.exe	93

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Monteverdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SALKI098765R400.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Monteverdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Monteverdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Monteverdi.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3172	Monteverdi.exe
3172	Monteverdi.exe
4032	Monteverdi.exe
4032	Monteverdi.exe
3172	Monteverdi.exe
3172	Monteverdi.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3208	Monteverdi.exe
3208	Monteverdi.exe
3208	Monteverdi.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4032	Monteverdi.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1800	SALKI098765R400.exe
1800	SALKI098765R400.exe
3208	Monteverdi.exe
3208	Monteverdi.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1800	SALKI098765R400.exe
1800	SALKI098765R400.exe
3208	Monteverdi.exe
3208	Monteverdi.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 3208	1800	SALKI098765R400.exe	87
PID 1800 wrote to memory of 3208	1800	SALKI098765R400.exe	87
PID 1800 wrote to memory of 3208	1800	SALKI098765R400.exe	87
PID 3208 wrote to memory of 3172	3208	Monteverdi.exe	91
PID 3208 wrote to memory of 3172	3208	Monteverdi.exe	91
PID 3208 wrote to memory of 3172	3208	Monteverdi.exe	91
PID 3208 wrote to memory of 3172	3208	Monteverdi.exe	91
PID 3208 wrote to memory of 756	3208	Monteverdi.exe	92
PID 3208 wrote to memory of 756	3208	Monteverdi.exe	92
PID 3208 wrote to memory of 756	3208	Monteverdi.exe	92
PID 3208 wrote to memory of 756	3208	Monteverdi.exe	92
PID 3208 wrote to memory of 4032	3208	Monteverdi.exe	93
PID 3208 wrote to memory of 4032	3208	Monteverdi.exe	93
PID 3208 wrote to memory of 4032	3208	Monteverdi.exe	93
PID 3208 wrote to memory of 4032	3208	Monteverdi.exe	93

C:\Users\Admin\AppData\Local\Temp\SALKI098765R400.exe
"C:\Users\Admin\AppData\Local\Temp\SALKI098765R400.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe
  "C:\Users\Admin\AppData\Local\Temp\SALKI098765R400.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3208
- - C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe
    C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\Admin\AppData\Local\Temp\lshcrihskcfgwhvwawytmuikyhserl"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3172
- - C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe
    C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\Admin\AppData\Local\Temp\vmmvsbsuglxlhvrijgkupycbhncnkwiyf"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:756
- - C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe
    C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\Admin\AppData\Local\Temp\yozotl"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
573048f89580e885bb2fa08d2df64687

SHA1
747ab6756e14554261920af4dab81f08cd66f53d

SHA256
ddda53b684ad60ee466d6c3fdee805cfc9cd45ea8850102f044b1b004293cbf6

SHA512
e7e62100b4eb5170aa4720a730263e973f663e9277a2b56632b952493f78ba2e15148fc7acda76a0129acab05563bb2e5480fe4b20ecfe827852309fd41fb613

Download Submit
C:\Users\Admin\AppData\Local\Temp\jinrikisha

Filesize
56KB

MD5
ab1d29274213556fd265d9e44a8e2813

SHA1
902af8adb5d52a2871dc1e956162514d829be033

SHA256
9dbb2c43e92fb67336afded940c19e37de86ca86554341c9c8c94030f84f893d

SHA512
a4fe1e9adf1cd45e9843268899035b417009e3dfbb6b11bde32c04bf202a25dfdec670ed08a83dcece1a9efed590ec950dfe3a60f6395479f289e0adac207033

Download Submit
C:\Users\Admin\AppData\Local\Temp\lshcrihskcfgwhvwawytmuikyhserl

Filesize
4KB

MD5
16f4f7c4051f4bbdaa93a1ca80690065

SHA1
750cacbdd2d089a88119374560d6ac004954e90e

SHA256
6c4559e4413cccaeab73cad48ffd804506c95566e4d6a3f5ae64017a33ea6ec2

SHA512
cb0f68d393ad03a5c802a2978ff7b12e20911bac5e27200c2df16d5d3f63dfc2387c0cd1a9075d8e4ba9ae804a6b61225575e2f42b3ef024e863d5b172417964

Download Submit
C:\Users\Admin\AppData\Local\Temp\pensum

Filesize
482KB

MD5
cf1214864ab14d2bf906b73636da3a0e

SHA1
ad71b3268d6f91395727d02ddd007e5b75cfbcc9

SHA256
5960b9ac19d8d6c016e018d72f6376e4ec87bdf440b126393bebe526b5e10dbc

SHA512
1502d6017b1523fda0526479a4481a966707bb3f8d8eb3b890079c5fd92f58d6554da59268940c2fdad0d2daeaae863e9e46549a3a1a2dcdf2184fccd7de4ba4

Download Submit
C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe

Filesize
1.0MB

MD5
2a2526a15732cd1f3f8859fe3f504cb9

SHA1
53f5eee1f770d79666d7421823f29ee21d8cba3e

SHA256
406306efb272acd3c69ab3b1c1fadea2c41bf817ce71e5872b6ff426248207d5

SHA512
029f573edc92908f027a46d035d0ce6b69f9ac2cd0b82dd1df75bb8ee43a02850e644217fc68d67b4a9633ed408534f7e46896afb7f337b71d9072b5140003d8

Download Submit
memory/756-52-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/756-49-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/756-54-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/756-64-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1800-0-0x0000000000E10000-0x000000000103F000-memory.dmp

Filesize
2.2MB

Download
memory/1800-16-0x0000000000E10000-0x000000000103F000-memory.dmp

Filesize
2.2MB

Download
memory/1800-11-0x0000000001130000-0x0000000001134000-memory.dmp

Filesize
16KB

Download
memory/3172-48-0x0000000000540000-0x000000000076F000-memory.dmp

Filesize
2.2MB

Download
memory/3172-45-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3172-66-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3172-53-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3172-55-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3172-63-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3208-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3208-71-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3208-124-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3208-123-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3208-113-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3208-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3208-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3208-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3208-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3208-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3208-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3208-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3208-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3208-68-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3208-72-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3208-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3208-73-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3208-75-0x0000000000540000-0x000000000076F000-memory.dmp

Filesize
2.2MB

Download
memory/3208-76-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3208-79-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3208-80-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3208-17-0x0000000000540000-0x000000000076F000-memory.dmp

Filesize
2.2MB

Download
memory/3208-90-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3208-91-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3208-101-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3208-102-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3208-112-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4032-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4032-58-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4032-59-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download