remcos | 68ab656fe4de37c4f94a9b5cd800390ad80caf8782f135422aa7c9392ad9f57c

Resubmissions

03-09-2024 15:03

240903-sfh4gszekl 10

03-09-2024 14:45

240903-r4rj4azcmm 10

Analysis

max time kernel
147s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rgh99876k7e.exe
Size

1.5MB
MD5

bd6420aaf066a5b4533598417866bc67
SHA1

cf56376da61f4f34034fa4cc525e708052a5ecd3
SHA256

b8022e8002a8e01a6364fdcc6d53275b6edf3d196e36f0b4c9645de2570cfd48
SHA512

d9b394fc25949d552b64061810cd4452d24ee473c5755bada25b1db5ad35652a57b545c53c5e1dea88feac376b86e838a6b87886e9ad50e1f582eb2b985cda78
SSDEEP

24576:zqDEvCTbMWu7rQYlBQcBiT6rprG8auS2rwF3q65FE8wvsO5BaH3:zTvC/MTQYxsWR7auSY65G8wDKH

Score

10^/10

remcos remotehost collection credential_access discovery rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

192.210.150.26:8787

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-NKQ1SM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 7 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/1504-50-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/952-49-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1504-52-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/1884-60-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/1504-56-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/952-51-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/952-62-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1504-50-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/1504-52-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/1504-56-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/952-49-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/952-51-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/952-62-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antholite.vbs	antholite.exe

Executes dropped EXE 4 IoCs

pid	Process
2100	antholite.exe
952	antholite.exe
1504	antholite.exe
1884	antholite.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	antholite.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000300000002327a-13.dat	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2100 set thread context of 952	2100	antholite.exe	92
PID 2100 set thread context of 1504	2100	antholite.exe	93
PID 2100 set thread context of 1884	2100	antholite.exe	94

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rgh99876k7e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
952	antholite.exe
952	antholite.exe
1884	antholite.exe
1884	antholite.exe
952	antholite.exe
952	antholite.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2100	antholite.exe
2100	antholite.exe
2100	antholite.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1884	antholite.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2852	Rgh99876k7e.exe
2852	Rgh99876k7e.exe
2100	antholite.exe
2100	antholite.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2852	Rgh99876k7e.exe
2852	Rgh99876k7e.exe
2100	antholite.exe
2100	antholite.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2100	2852	Rgh99876k7e.exe	86
PID 2852 wrote to memory of 2100	2852	Rgh99876k7e.exe	86
PID 2852 wrote to memory of 2100	2852	Rgh99876k7e.exe	86
PID 2100 wrote to memory of 952	2100	antholite.exe	92
PID 2100 wrote to memory of 952	2100	antholite.exe	92
PID 2100 wrote to memory of 952	2100	antholite.exe	92
PID 2100 wrote to memory of 952	2100	antholite.exe	92
PID 2100 wrote to memory of 1504	2100	antholite.exe	93
PID 2100 wrote to memory of 1504	2100	antholite.exe	93
PID 2100 wrote to memory of 1504	2100	antholite.exe	93
PID 2100 wrote to memory of 1504	2100	antholite.exe	93
PID 2100 wrote to memory of 1884	2100	antholite.exe	94
PID 2100 wrote to memory of 1884	2100	antholite.exe	94
PID 2100 wrote to memory of 1884	2100	antholite.exe	94
PID 2100 wrote to memory of 1884	2100	antholite.exe	94

C:\Users\Admin\AppData\Local\Temp\Rgh99876k7e.exe
"C:\Users\Admin\AppData\Local\Temp\Rgh99876k7e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Local\Cocles\antholite.exe
  "C:\Users\Admin\AppData\Local\Temp\Rgh99876k7e.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Users\Admin\AppData\Local\Cocles\antholite.exe
    C:\Users\Admin\AppData\Local\Cocles\antholite.exe /stext "C:\Users\Admin\AppData\Local\Temp\rkeb"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:952
- - C:\Users\Admin\AppData\Local\Cocles\antholite.exe
    C:\Users\Admin\AppData\Local\Cocles\antholite.exe /stext "C:\Users\Admin\AppData\Local\Temp\besuaqu"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:1504
- - C:\Users\Admin\AppData\Local\Cocles\antholite.exe
    C:\Users\Admin\AppData\Local\Cocles\antholite.exe /stext "C:\Users\Admin\AppData\Local\Temp\egxmbjfmsy"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
b3141575b8f785b38967a75bb1d29ad7

SHA1
bdff8b9ffe17b144bd28ecce2f2f87bc2f069804

SHA256
ae972fe473e19df8b645abf425221b46bc59f4544e13229f559f6ec6de4140dc

SHA512
1c3c03dac4b84454446ef8eab4f67236a85ce7a5a91a5dd465f8c2bbe1de7c9c72c835882d69a6d227478fae392ccf016c1a7bb71f8a240079e46caf1a87d0a9

Download Submit
C:\Users\Admin\AppData\Local\Cocles\antholite.exe

Filesize
1.5MB

MD5
bd6420aaf066a5b4533598417866bc67

SHA1
cf56376da61f4f34034fa4cc525e708052a5ecd3

SHA256
b8022e8002a8e01a6364fdcc6d53275b6edf3d196e36f0b4c9645de2570cfd48

SHA512
d9b394fc25949d552b64061810cd4452d24ee473c5755bada25b1db5ad35652a57b545c53c5e1dea88feac376b86e838a6b87886e9ad50e1f582eb2b985cda78

Download Submit
C:\Users\Admin\AppData\Local\Temp\konked

Filesize
482KB

MD5
48005136bc147209ac8f408339c017e9

SHA1
2758101d2f96164a3e0cb62785223888946f53fa

SHA256
76e8c3c933c18bae6bb3cfbfa2aceb9db31c7862a56775de9ced8f1ec3a72f7f

SHA512
e0ac69de23c7354f61d634ba4064d63f54f75306dd06a15884d8c2da75908643db405fa430a84dbeb1af5e66c153c4d26e1006916f6879ba5bd9d8f9b459eaac

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkeb

Filesize
4KB

MD5
faaa2b16df1bfc1a3792faaa35786349

SHA1
359534a59d7c5139ae205c24533ba60afdfb9f3f

SHA256
3586befc3b8b4da223e2ee0dcb00965ba5c0a205c14f2acefdeec7e46efddd5a

SHA512
2fbc79cace52a58e69ab983d034bb41ebb2496f767e18e5e4b31eefc4447c935d8614f744c71302e459350a05562fadc4c2355d76638b595e7cff1bb3d1618db

Download Submit
C:\Users\Admin\AppData\Local\Temp\seskin

Filesize
140KB

MD5
fc0250799241323e9f3a53f51f7df0f1

SHA1
f0d60dbf33047494014302b4ee8b438cc0380943

SHA256
0469ec50b7420320b46fb0a05c5d875de1ca110b2e18fbcb37860e2a6cd31982

SHA512
ccacaced5eb79a9920299599b34984788c2288bf07ce1a423668c5b4e56f4348cf7a6a29231a658fce07a40719897ee1dde428d4539a8007f6028b243f718661

Download Submit
memory/952-47-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/952-62-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/952-51-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/952-49-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/952-41-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1504-52-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1504-44-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1504-56-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1504-50-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1504-48-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1884-59-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1884-60-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1884-53-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2100-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2100-67-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2100-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2100-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2100-101-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2100-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2100-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2100-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2100-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2100-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2100-64-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2100-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2100-68-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2100-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2100-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2100-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2100-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2100-76-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2100-85-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2100-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2100-92-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2100-93-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2100-100-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2852-10-0x0000000003CB0000-0x0000000003CB4000-memory.dmp

Filesize
16KB

Download