remcos | 8b4d43e5b2ff9fe2d915daa5c884832dd0635b231274236bfa4863d0220d4eba

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-09-2024 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe
Size

968KB
MD5

fce908c3d656198dce6bafb77f0b9638
SHA1

0952a34cffd6ab444ed21889e0fa5eac6019ac5a
SHA256

8b4d43e5b2ff9fe2d915daa5c884832dd0635b231274236bfa4863d0220d4eba
SHA512

7796c6ba87d4d03d0a88e9ec1e71fe63c43fefaf2849f432413e5ab7763d087785661ba603026df0ea90db4bae770827a78f3694fb5071408016fa39acd94c7a
SSDEEP

12288:2d0NXLNiM0oqUO2rMQvQtcRyzCKBCDZvtcVRUyDWrwye9UIZq6UrN5GMAYr2ao0q:nbNiMN17rMtcoa22yDWrwye9XZq641o

Score

10^/10

remcos remotehost collection credential_access discovery rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

magaji.duckdns.org:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ORKMG9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 8 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4396-47-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/3908-49-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4288-53-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/3908-57-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3908-52-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4396-50-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/4288-58-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/4396-61-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4288-53-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/4288-58-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4396-47-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/4396-50-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/4396-61-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3976 set thread context of 3960	3976	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	95
PID 3960 set thread context of 4396	3960	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	98
PID 3960 set thread context of 4288	3960	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	99
PID 3960 set thread context of 3908	3960	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	100

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3976	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe
3976	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe
4396	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe
4396	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe
3908	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe
3908	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe
4396	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe
4396	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3960	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe
3960	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe
3960	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3976	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe
Token: SeDebugPrivilege	3908	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3960	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 3680	3976	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	94
PID 3976 wrote to memory of 3680	3976	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	94
PID 3976 wrote to memory of 3680	3976	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	94
PID 3976 wrote to memory of 3960	3976	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	95
PID 3976 wrote to memory of 3960	3976	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	95
PID 3976 wrote to memory of 3960	3976	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	95
PID 3976 wrote to memory of 3960	3976	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	95
PID 3976 wrote to memory of 3960	3976	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	95
PID 3976 wrote to memory of 3960	3976	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	95
PID 3976 wrote to memory of 3960	3976	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	95
PID 3976 wrote to memory of 3960	3976	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	95
PID 3976 wrote to memory of 3960	3976	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	95
PID 3976 wrote to memory of 3960	3976	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	95
PID 3976 wrote to memory of 3960	3976	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	95
PID 3976 wrote to memory of 3960	3976	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	95
PID 3960 wrote to memory of 4396	3960	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	98
PID 3960 wrote to memory of 4396	3960	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	98
PID 3960 wrote to memory of 4396	3960	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	98
PID 3960 wrote to memory of 4396	3960	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	98
PID 3960 wrote to memory of 4288	3960	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	99
PID 3960 wrote to memory of 4288	3960	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	99
PID 3960 wrote to memory of 4288	3960	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	99
PID 3960 wrote to memory of 4288	3960	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	99
PID 3960 wrote to memory of 3908	3960	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	100
PID 3960 wrote to memory of 3908	3960	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	100
PID 3960 wrote to memory of 3908	3960	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	100
PID 3960 wrote to memory of 3908	3960	SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe	100

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe"
  2⤵
  PID:3680
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe
    C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe /stext "C:\Users\Admin\AppData\Local\Temp\tximulpxkufbbdissy"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4396
- - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe
    C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe /stext "C:\Users\Admin\AppData\Local\Temp\erofveaqgcxfljwwbjwnuh"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:4288
- - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe
    C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3042.3323.24927.exe /stext "C:\Users\Admin\AppData\Local\Temp\gttxvwksulpkoqsaturpfmrfw"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
fd2f2b26c6b3c7eb2d58b4f1236ba96a

SHA1
6d39acf8121cd7884e9e66099bb85df4b8e153b1

SHA256
b053fe060db5cef654d99ae9821b763df2bb6b7d94fba135279b883bf6e0481e

SHA512
8bb334300d29edca46420410f54a2a934e07874bbeb6422ebd27a1801f0618a196d3625a0a128619146683f8db24192e34a5cb8bb517ca3779de49b3061f871c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tximulpxkufbbdissy

Filesize
4KB

MD5
faaa2b16df1bfc1a3792faaa35786349

SHA1
359534a59d7c5139ae205c24533ba60afdfb9f3f

SHA256
3586befc3b8b4da223e2ee0dcb00965ba5c0a205c14f2acefdeec7e46efddd5a

SHA512
2fbc79cace52a58e69ab983d034bb41ebb2496f767e18e5e4b31eefc4447c935d8614f744c71302e459350a05562fadc4c2355d76638b595e7cff1bb3d1618db

Download Submit
memory/3908-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3908-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3908-48-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3908-52-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3908-57-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3960-63-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3960-66-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3960-98-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-97-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-11-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-12-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-90-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-89-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-82-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-81-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-74-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-73-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3960-67-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3976-8-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/3976-0-0x0000000074AFE000-0x0000000074AFF000-memory.dmp

Filesize
4KB

Download
memory/3976-4-0x0000000004CC0000-0x0000000004CCA000-memory.dmp

Filesize
40KB

Download
memory/3976-10-0x0000000006260000-0x00000000062FC000-memory.dmp

Filesize
624KB

Download
memory/3976-15-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/3976-2-0x0000000005410000-0x00000000059B4000-memory.dmp

Filesize
5.6MB

Download
memory/3976-7-0x0000000074AFE000-0x0000000074AFF000-memory.dmp

Filesize
4KB

Download
memory/3976-1-0x0000000000310000-0x0000000000408000-memory.dmp

Filesize
992KB

Download
memory/3976-5-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/3976-6-0x0000000004F60000-0x0000000004F78000-memory.dmp

Filesize
96KB

Download
memory/3976-9-0x0000000005FC0000-0x0000000006080000-memory.dmp

Filesize
768KB

Download
memory/3976-3-0x0000000004D00000-0x0000000004D92000-memory.dmp

Filesize
584KB

Download
memory/4288-41-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4288-53-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4288-46-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4288-58-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4288-51-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4396-50-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4396-61-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4396-47-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4396-39-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4396-42-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download