remcos | d26670d5f425962b546d10ecd4d148f5884a3f392afe1c5fb4426466d4454c34

Analysis

max time kernel
148s
max time network
137s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/09/2024, 10:51 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AWB#81311002907.exe
Size

931KB
MD5

c8b97aad582adb6ccddc6f3e74bda215
SHA1

bbf2e45bd5af0695f5f82fed5728a480a7fd4c04
SHA256

d26670d5f425962b546d10ecd4d148f5884a3f392afe1c5fb4426466d4454c34
SHA512

7ede8146da39ea716cd6c64f3a60ca324566c3000cb5c1275f5f1563cca726ec8b97420c7e4620f4fe998f8542896bb99294cef83a7e8bfae2e1e46fb4bbc100
SSDEEP

24576:9elw4o5E6Gkf1CGkuH2sz6rtlHa08qsCJAUke0O:9elw4o5E+C1ttl605X3ko

Score

10^/10

remcos sept. 04c collection credential_access discovery execution rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

Sept. 04C

154.216.20.211:6902

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-YGC9WY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/708-61-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2272-57-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2832-56-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2272-57-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2832-56-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2116	powershell.exe
1744	powershell.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	AWB#81311002907.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2424 set thread context of 2820	2424	AWB#81311002907.exe	37
PID 2820 set thread context of 2832	2820	AWB#81311002907.exe	38
PID 2820 set thread context of 2272	2820	AWB#81311002907.exe	39
PID 2820 set thread context of 708	2820	AWB#81311002907.exe	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AWB#81311002907.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AWB#81311002907.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AWB#81311002907.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AWB#81311002907.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AWB#81311002907.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2548	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2424	AWB#81311002907.exe
2424	AWB#81311002907.exe
1744	powershell.exe
2116	powershell.exe
2832	AWB#81311002907.exe
2832	AWB#81311002907.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
2820	AWB#81311002907.exe
2820	AWB#81311002907.exe
2820	AWB#81311002907.exe
2820	AWB#81311002907.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	AWB#81311002907.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	708	AWB#81311002907.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2820	AWB#81311002907.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2116	2424	AWB#81311002907.exe	30
PID 2424 wrote to memory of 2116	2424	AWB#81311002907.exe	30
PID 2424 wrote to memory of 2116	2424	AWB#81311002907.exe	30
PID 2424 wrote to memory of 2116	2424	AWB#81311002907.exe	30
PID 2424 wrote to memory of 1744	2424	AWB#81311002907.exe	32
PID 2424 wrote to memory of 1744	2424	AWB#81311002907.exe	32
PID 2424 wrote to memory of 1744	2424	AWB#81311002907.exe	32
PID 2424 wrote to memory of 1744	2424	AWB#81311002907.exe	32
PID 2424 wrote to memory of 2548	2424	AWB#81311002907.exe	33
PID 2424 wrote to memory of 2548	2424	AWB#81311002907.exe	33
PID 2424 wrote to memory of 2548	2424	AWB#81311002907.exe	33
PID 2424 wrote to memory of 2548	2424	AWB#81311002907.exe	33
PID 2424 wrote to memory of 2880	2424	AWB#81311002907.exe	36
PID 2424 wrote to memory of 2880	2424	AWB#81311002907.exe	36
PID 2424 wrote to memory of 2880	2424	AWB#81311002907.exe	36
PID 2424 wrote to memory of 2880	2424	AWB#81311002907.exe	36
PID 2424 wrote to memory of 2820	2424	AWB#81311002907.exe	37
PID 2424 wrote to memory of 2820	2424	AWB#81311002907.exe	37
PID 2424 wrote to memory of 2820	2424	AWB#81311002907.exe	37
PID 2424 wrote to memory of 2820	2424	AWB#81311002907.exe	37
PID 2424 wrote to memory of 2820	2424	AWB#81311002907.exe	37
PID 2424 wrote to memory of 2820	2424	AWB#81311002907.exe	37
PID 2424 wrote to memory of 2820	2424	AWB#81311002907.exe	37
PID 2424 wrote to memory of 2820	2424	AWB#81311002907.exe	37
PID 2424 wrote to memory of 2820	2424	AWB#81311002907.exe	37
PID 2424 wrote to memory of 2820	2424	AWB#81311002907.exe	37
PID 2424 wrote to memory of 2820	2424	AWB#81311002907.exe	37
PID 2424 wrote to memory of 2820	2424	AWB#81311002907.exe	37
PID 2424 wrote to memory of 2820	2424	AWB#81311002907.exe	37
PID 2820 wrote to memory of 2832	2820	AWB#81311002907.exe	38
PID 2820 wrote to memory of 2832	2820	AWB#81311002907.exe	38
PID 2820 wrote to memory of 2832	2820	AWB#81311002907.exe	38
PID 2820 wrote to memory of 2832	2820	AWB#81311002907.exe	38
PID 2820 wrote to memory of 2832	2820	AWB#81311002907.exe	38
PID 2820 wrote to memory of 2272	2820	AWB#81311002907.exe	39
PID 2820 wrote to memory of 2272	2820	AWB#81311002907.exe	39
PID 2820 wrote to memory of 2272	2820	AWB#81311002907.exe	39
PID 2820 wrote to memory of 2272	2820	AWB#81311002907.exe	39
PID 2820 wrote to memory of 2272	2820	AWB#81311002907.exe	39
PID 2820 wrote to memory of 1724	2820	AWB#81311002907.exe	40
PID 2820 wrote to memory of 1724	2820	AWB#81311002907.exe	40
PID 2820 wrote to memory of 1724	2820	AWB#81311002907.exe	40
PID 2820 wrote to memory of 1724	2820	AWB#81311002907.exe	40
PID 2820 wrote to memory of 708	2820	AWB#81311002907.exe	41
PID 2820 wrote to memory of 708	2820	AWB#81311002907.exe	41
PID 2820 wrote to memory of 708	2820	AWB#81311002907.exe	41
PID 2820 wrote to memory of 708	2820	AWB#81311002907.exe	41
PID 2820 wrote to memory of 708	2820	AWB#81311002907.exe	41

C:\Users\Admin\AppData\Local\Temp\AWB#81311002907.exe
"C:\Users\Admin\AppData\Local\Temp\AWB#81311002907.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\AWB#81311002907.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iVWcGN.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1744
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iVWcGN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp72B0.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2548
- C:\Users\Admin\AppData\Local\Temp\AWB#81311002907.exe
  "C:\Users\Admin\AppData\Local\Temp\AWB#81311002907.exe"
  2⤵
  PID:2880
- C:\Users\Admin\AppData\Local\Temp\AWB#81311002907.exe
  "C:\Users\Admin\AppData\Local\Temp\AWB#81311002907.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\AWB#81311002907.exe
    C:\Users\Admin\AppData\Local\Temp\AWB#81311002907.exe /stext "C:\Users\Admin\AppData\Local\Temp\ukatrirztz"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2832
- - C:\Users\Admin\AppData\Local\Temp\AWB#81311002907.exe
    C:\Users\Admin\AppData\Local\Temp\AWB#81311002907.exe /stext "C:\Users\Admin\AppData\Local\Temp\eegmsbcahhplv"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:2272
- - C:\Users\Admin\AppData\Local\Temp\AWB#81311002907.exe
    C:\Users\Admin\AppData\Local\Temp\AWB#81311002907.exe /stext "C:\Users\Admin\AppData\Local\Temp\pgtestnuvphpgqei"
    3⤵
    PID:1724
- - C:\Users\Admin\AppData\Local\Temp\AWB#81311002907.exe
    C:\Users\Admin\AppData\Local\Temp\AWB#81311002907.exe /stext "C:\Users\Admin\AppData\Local\Temp\pgtestnuvphpgqei"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:708

Network

DNS

geoplugin.net

AWB#81311002907.exe

Remote address:

8.8.8.8:53

Request

geoplugin.net

IN A

Response

geoplugin.net

IN A

178.237.33.50
GET

http://geoplugin.net/json.gp

AWB#81311002907.exe

Remote address:

178.237.33.50:80

Request

GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

date: Wed, 04 Sep 2024 10:51:41 GMT
server: Apache
content-length: 955
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *

154.216.20.211:6902

tls

AWB#81311002907.exe

3.2kB
1.6kB
12
16
154.216.20.211:6902

tls

AWB#81311002907.exe

31.3kB
512.5kB
229
382
178.237.33.50:80

http://geoplugin.net/json.gp

http

AWB#81311002907.exe

347 B
2.5kB
6
4

HTTP Request

GET http://geoplugin.net/json.gp

HTTP Response

200

8.8.8.8:53

geoplugin.net

dns

AWB#81311002907.exe

59 B
75 B
1
1

DNS Request

geoplugin.net

DNS Response

178.237.33.50

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
57a0a227e46ce6f304c72b9b4705f9ff

SHA1
46871bd9d7f02500ac3d32ad4390c138357fdb98

SHA256
b5c1e296787714aa33619dbd41b56352dedeb37e67e50dde82aae156979ef454

SHA512
706b1782b4f504b7bdda669d2da4c8b8788e1885a4479f833ca7588a0fdfca861192d54fc12cbf213f2dce038baf5fc53820050bc9ff914c215444fa535d6753

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp72B0.tmp

Filesize
1KB

MD5
6097d4191d7dbcafd4f9976e073fda7a

SHA1
8d7d5cd81e5c2104e4d55767a1f19eb631ac56b6

SHA256
351366e13e0e73eba82e1323b65be5d687513cddd4d2229fcb433dd0944161c5

SHA512
c60ef825edbebdfb27ce2c5054c4fd40445f423311c224c360c8256a99a3348826504fec938d366969ac28c0461d410a75c860e85461381af4c897931742c60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukatrirztz

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
84638a0e7ca03a95f168c6475a30cca8

SHA1
f35a1c8dc66cefdc02404596d91e571ed6c81312

SHA256
aba082c2a5d78244780eea8c2dc8c50522df2ee1104994393d7e44e456f8aa72

SHA512
0ce716aefa8d65ca0fdb715c4d32e4529fa2f4227e53a89c6b9a25cd01b4dc4c21d0dcb0f2b963b80e53565658e40b9bc12d2a91d6feb1803fc465d78fc4f976

Download Submit
memory/708-61-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/708-60-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/708-59-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2272-53-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2272-57-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2272-55-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2424-0-0x0000000073D3E000-0x0000000073D3F000-memory.dmp

Filesize
4KB

Download
memory/2424-43-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/2424-6-0x0000000005080000-0x0000000005140000-memory.dmp

Filesize
768KB

Download
memory/2424-5-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/2424-4-0x0000000073D3E000-0x0000000073D3F000-memory.dmp

Filesize
4KB

Download
memory/2424-3-0x0000000000710000-0x0000000000728000-memory.dmp

Filesize
96KB

Download
memory/2424-2-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/2424-1-0x0000000001320000-0x000000000140C000-memory.dmp

Filesize
944KB

Download
memory/2820-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2820-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2820-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2820-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2820-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2820-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2820-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2820-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2820-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2820-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2820-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2820-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2820-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2820-49-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2820-100-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2820-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2820-99-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2820-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2820-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2820-92-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2820-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2820-68-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2820-72-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2820-71-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2820-73-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2820-75-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2820-76-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2820-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2820-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2820-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2820-91-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2832-54-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2832-51-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2832-56-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.