remcos | 406306efb272acd3c69ab3b1c1fadea2c41bf817ce71e5872b6ff426248207d5

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/08/2024, 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SALKI098765R400.exe
Size

1.0MB
MD5

2a2526a15732cd1f3f8859fe3f504cb9
SHA1

53f5eee1f770d79666d7421823f29ee21d8cba3e
SHA256

406306efb272acd3c69ab3b1c1fadea2c41bf817ce71e5872b6ff426248207d5
SHA512

029f573edc92908f027a46d035d0ce6b69f9ac2cd0b82dd1df75bb8ee43a02850e644217fc68d67b4a9633ed408534f7e46896afb7f337b71d9072b5140003d8
SSDEEP

24576:4iUmSB/o5d1ubcvqqJGyUyTlUJS0Xtw5amFnRn2cdB:4/mU/ohubcvqq8oUJS7agd

Score

10^/10

remcos remotehost collection credential_access discovery rat spyware stealer upx

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

192.210.150.26:8787

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-NKQ1SM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 9 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/1232-53-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1888-63-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2332-66-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2332-68-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/1888-67-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/1888-65-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2332-64-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/1232-52-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1232-70-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/2332-66-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/2332-68-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/2332-64-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/1232-53-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/1232-52-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/1232-70-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monteverdi.vbs	Monteverdi.exe

Executes dropped EXE 5 IoCs

pid	Process
3124	Monteverdi.exe
4296	Monteverdi.exe
1232	Monteverdi.exe
2332	Monteverdi.exe
1888	Monteverdi.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4820-0-0x0000000000590000-0x00000000007BF000-memory.dmp	upx
behavioral2/files/0x0002000000022a83-14.dat	upx
behavioral2/memory/3124-15-0x0000000000C90000-0x0000000000EBF000-memory.dmp	upx
behavioral2/memory/4820-18-0x0000000000590000-0x00000000007BF000-memory.dmp	upx
behavioral2/memory/3124-78-0x0000000000C90000-0x0000000000EBF000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Monteverdi.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4820-18-0x0000000000590000-0x00000000007BF000-memory.dmp	autoit_exe
behavioral2/memory/3124-78-0x0000000000C90000-0x0000000000EBF000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3124 set thread context of 1232	3124	Monteverdi.exe	95
PID 3124 set thread context of 2332	3124	Monteverdi.exe	96
PID 3124 set thread context of 1888	3124	Monteverdi.exe	97

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SALKI098765R400.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Monteverdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Monteverdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Monteverdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Monteverdi.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1232	Monteverdi.exe
1232	Monteverdi.exe
1888	Monteverdi.exe
1888	Monteverdi.exe
1232	Monteverdi.exe
1232	Monteverdi.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
3124	Monteverdi.exe
3124	Monteverdi.exe
3124	Monteverdi.exe
3124	Monteverdi.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1888	Monteverdi.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4820	SALKI098765R400.exe
4820	SALKI098765R400.exe
3124	Monteverdi.exe
3124	Monteverdi.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
4820	SALKI098765R400.exe
4820	SALKI098765R400.exe
3124	Monteverdi.exe
3124	Monteverdi.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 3124	4820	SALKI098765R400.exe	89
PID 4820 wrote to memory of 3124	4820	SALKI098765R400.exe	89
PID 4820 wrote to memory of 3124	4820	SALKI098765R400.exe	89
PID 3124 wrote to memory of 4296	3124	Monteverdi.exe	94
PID 3124 wrote to memory of 4296	3124	Monteverdi.exe	94
PID 3124 wrote to memory of 4296	3124	Monteverdi.exe	94
PID 3124 wrote to memory of 1232	3124	Monteverdi.exe	95
PID 3124 wrote to memory of 1232	3124	Monteverdi.exe	95
PID 3124 wrote to memory of 1232	3124	Monteverdi.exe	95
PID 3124 wrote to memory of 1232	3124	Monteverdi.exe	95
PID 3124 wrote to memory of 2332	3124	Monteverdi.exe	96
PID 3124 wrote to memory of 2332	3124	Monteverdi.exe	96
PID 3124 wrote to memory of 2332	3124	Monteverdi.exe	96
PID 3124 wrote to memory of 2332	3124	Monteverdi.exe	96
PID 3124 wrote to memory of 1888	3124	Monteverdi.exe	97
PID 3124 wrote to memory of 1888	3124	Monteverdi.exe	97
PID 3124 wrote to memory of 1888	3124	Monteverdi.exe	97
PID 3124 wrote to memory of 1888	3124	Monteverdi.exe	97

C:\Users\Admin\AppData\Local\Temp\SALKI098765R400.exe
"C:\Users\Admin\AppData\Local\Temp\SALKI098765R400.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe
  "C:\Users\Admin\AppData\Local\Temp\SALKI098765R400.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe
    C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\Admin\AppData\Local\Temp\hydxzggfbvnfdfsqigxwdtzqf"
    3⤵
    - Executes dropped EXE
    PID:4296
- - C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe
    C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\Admin\AppData\Local\Temp\hydxzggfbvnfdfsqigxwdtzqf"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1232
- - C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe
    C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\Admin\AppData\Local\Temp\ssiqazrgpdfjflouzqkxgythoqgf"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:2332
- - C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe
    C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\Admin\AppData\Local\Temp\cmvabjbadlyoprcyibwrrkoywepoggqv"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
a026c0f14cd3dd0df86b353f48de29a3

SHA1
a23f98fafaa69bad30d12e27a5cade9985265510

SHA256
af05cde5d68f47e38122d0299dd27f0481387a6a2b08a487f3e68dea076c54f9

SHA512
82fdae698f3225d60acfde9174fe97a2a08cd0e150975a07ab9a61dd7a154c4fed6775ba28819328479b7051693f7a2027f774d83e2c0f9d3a603860bf92dd40

Download Submit
C:\Users\Admin\AppData\Local\Temp\hydxzggfbvnfdfsqigxwdtzqf

Filesize
4KB

MD5
2538ec9e8425a905937573069b77d4c2

SHA1
ad0c2b7aff4382e23444d26adac96d9697b849f3

SHA256
29338949fae4c88a972837aae898529e4c7a2c4df35982eef2f8d7b602c17f4e

SHA512
a867a471b837b9c662528ee7a5904e8fe7b1eebb277b8a7fe4d4caf423fae914baf692bb5004c02ddb539b157d63326178467e28b03aa92a533cda19155d501c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jinrikisha

Filesize
56KB

MD5
ab1d29274213556fd265d9e44a8e2813

SHA1
902af8adb5d52a2871dc1e956162514d829be033

SHA256
9dbb2c43e92fb67336afded940c19e37de86ca86554341c9c8c94030f84f893d

SHA512
a4fe1e9adf1cd45e9843268899035b417009e3dfbb6b11bde32c04bf202a25dfdec670ed08a83dcece1a9efed590ec950dfe3a60f6395479f289e0adac207033

Download Submit
C:\Users\Admin\AppData\Local\Temp\pensum

Filesize
482KB

MD5
cf1214864ab14d2bf906b73636da3a0e

SHA1
ad71b3268d6f91395727d02ddd007e5b75cfbcc9

SHA256
5960b9ac19d8d6c016e018d72f6376e4ec87bdf440b126393bebe526b5e10dbc

SHA512
1502d6017b1523fda0526479a4481a966707bb3f8d8eb3b890079c5fd92f58d6554da59268940c2fdad0d2daeaae863e9e46549a3a1a2dcdf2184fccd7de4ba4

Download Submit
C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe

Filesize
1.0MB

MD5
2a2526a15732cd1f3f8859fe3f504cb9

SHA1
53f5eee1f770d79666d7421823f29ee21d8cba3e

SHA256
406306efb272acd3c69ab3b1c1fadea2c41bf817ce71e5872b6ff426248207d5

SHA512
029f573edc92908f027a46d035d0ce6b69f9ac2cd0b82dd1df75bb8ee43a02850e644217fc68d67b4a9633ed408534f7e46896afb7f337b71d9072b5140003d8

Download Submit
memory/1232-50-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1232-70-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1232-46-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1232-53-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1232-52-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1888-54-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1888-59-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1888-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1888-67-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1888-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2332-68-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2332-58-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2332-64-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2332-49-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2332-66-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3124-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3124-75-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3124-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3124-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3124-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3124-132-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3124-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3124-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3124-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3124-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3124-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3124-131-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3124-15-0x0000000000C90000-0x0000000000EBF000-memory.dmp

Filesize
2.2MB

Download
memory/3124-72-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3124-76-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3124-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3124-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3124-78-0x0000000000C90000-0x0000000000EBF000-memory.dmp

Filesize
2.2MB

Download
memory/3124-79-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3124-121-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3124-87-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3124-88-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3124-98-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3124-99-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3124-109-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3124-110-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3124-120-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4820-11-0x0000000002A30000-0x0000000002A34000-memory.dmp

Filesize
16KB

Download
memory/4820-18-0x0000000000590000-0x00000000007BF000-memory.dmp

Filesize
2.2MB

Download
memory/4820-0-0x0000000000590000-0x00000000007BF000-memory.dmp

Filesize
2.2MB

Download