remcos | d24d76d03365122aa5a4a7828a2d14368066da840ae8945cf595a6b17ceca700

Analysis

max time kernel
147s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jv4ri.exe
Size

807KB
MD5

b17e1003bb9bbe58e090c7752447c016
SHA1

a159b486e535469d4c49b227d27608f2ad48288e
SHA256

d24d76d03365122aa5a4a7828a2d14368066da840ae8945cf595a6b17ceca700
SHA512

05077e35558e1bb636596d7a8c6b66f9554ecf8e057f61c3cf7f4af91c19f898943a5dc8b1f13914b231e09671a36631e2490e0b32799250537a375dad83af3a
SSDEEP

24576:4BXu9HGaVHUVeaBzcvMgTvk+39ABn8ApTZl:4w9VHUVebvjT19ABfp

Score

10^/10

remcos remotehost collection credential_access discovery rat stealer upx

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

45.95.169.104:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-S3AD48
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 6 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/432-61-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/1984-64-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/3536-66-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/1984-62-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/432-63-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/1984-71-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/432-61-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/432-63-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/1984-64-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/1984-62-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/1984-71-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 1 IoCs

pid	Process
2600	name.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4532-0-0x0000000000D50000-0x0000000000F11000-memory.dmp	upx
behavioral2/files/0x0002000000022b23-15.dat	upx
behavioral2/memory/2600-16-0x0000000000CE0000-0x0000000000EA1000-memory.dmp	upx
behavioral2/memory/4532-18-0x0000000000D50000-0x0000000000F11000-memory.dmp	upx
behavioral2/memory/2600-43-0x0000000000CE0000-0x0000000000EA1000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4532-18-0x0000000000D50000-0x0000000000F11000-memory.dmp	autoit_exe
behavioral2/memory/2600-43-0x0000000000CE0000-0x0000000000EA1000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 2600 set thread context of 2412	2600	name.exe	88
PID 2412 set thread context of 1984	2412	svchost.exe	92
PID 2412 set thread context of 432	2412	svchost.exe	93
PID 2412 set thread context of 3536	2412	svchost.exe	94
PID 2412 set thread context of 1296	2412	svchost.exe	103
PID 2412 set thread context of 3872	2412	svchost.exe	105
PID 2412 set thread context of 3544	2412	svchost.exe	106

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1684	2600	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jv4ri.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1984	svchost.exe
1984	svchost.exe
3536	svchost.exe
3536	svchost.exe
1984	svchost.exe
1984	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
3544	svchost.exe
3544	svchost.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
2600	name.exe
2412	svchost.exe
2412	svchost.exe
2412	svchost.exe
2412	svchost.exe
2412	svchost.exe
2412	svchost.exe
2412	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3536	svchost.exe
Token: SeDebugPrivilege	3544	svchost.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4532	jv4ri.exe
4532	jv4ri.exe
2600	name.exe
2600	name.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
4532	jv4ri.exe
4532	jv4ri.exe
2600	name.exe
2600	name.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2412	svchost.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 2600	4532	jv4ri.exe	86
PID 4532 wrote to memory of 2600	4532	jv4ri.exe	86
PID 4532 wrote to memory of 2600	4532	jv4ri.exe	86
PID 2600 wrote to memory of 2412	2600	name.exe	88
PID 2600 wrote to memory of 2412	2600	name.exe	88
PID 2600 wrote to memory of 2412	2600	name.exe	88
PID 2600 wrote to memory of 2412	2600	name.exe	88
PID 2412 wrote to memory of 1984	2412	svchost.exe	92
PID 2412 wrote to memory of 1984	2412	svchost.exe	92
PID 2412 wrote to memory of 1984	2412	svchost.exe	92
PID 2412 wrote to memory of 1984	2412	svchost.exe	92
PID 2412 wrote to memory of 432	2412	svchost.exe	93
PID 2412 wrote to memory of 432	2412	svchost.exe	93
PID 2412 wrote to memory of 432	2412	svchost.exe	93
PID 2412 wrote to memory of 432	2412	svchost.exe	93
PID 2412 wrote to memory of 3536	2412	svchost.exe	94
PID 2412 wrote to memory of 3536	2412	svchost.exe	94
PID 2412 wrote to memory of 3536	2412	svchost.exe	94
PID 2412 wrote to memory of 3536	2412	svchost.exe	94
PID 2412 wrote to memory of 1296	2412	svchost.exe	103
PID 2412 wrote to memory of 1296	2412	svchost.exe	103
PID 2412 wrote to memory of 1296	2412	svchost.exe	103
PID 2412 wrote to memory of 1296	2412	svchost.exe	103
PID 2412 wrote to memory of 3300	2412	svchost.exe	104
PID 2412 wrote to memory of 3300	2412	svchost.exe	104
PID 2412 wrote to memory of 3300	2412	svchost.exe	104
PID 2412 wrote to memory of 3872	2412	svchost.exe	105
PID 2412 wrote to memory of 3872	2412	svchost.exe	105
PID 2412 wrote to memory of 3872	2412	svchost.exe	105
PID 2412 wrote to memory of 3872	2412	svchost.exe	105
PID 2412 wrote to memory of 3544	2412	svchost.exe	106
PID 2412 wrote to memory of 3544	2412	svchost.exe	106
PID 2412 wrote to memory of 3544	2412	svchost.exe	106
PID 2412 wrote to memory of 3544	2412	svchost.exe	106

C:\Users\Admin\AppData\Local\Temp\jv4ri.exe
"C:\Users\Admin\AppData\Local\Temp\jv4ri.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Users\Admin\AppData\Local\directory\name.exe
  "C:\Users\Admin\AppData\Local\Temp\jv4ri.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\jv4ri.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\ofqcjhmppnzkryf"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1984
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\qhvnbaxrdvrpumthrw"
      4⤵
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      PID:432
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\bbafcsikrdjuesptahtov"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3536
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\mxaxdzyksbivdcveczpkpagxinakosrmj"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1296
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\pafqe"
      4⤵
      PID:3300
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\pafqe"
      4⤵
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      PID:3872
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\zulaekuf"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3544
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 768
    3⤵
    - Program crash
    PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2600 -ip 2600
1⤵
PID:3872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
184B

MD5
f11a9ffec94cfafc6af822d08cc5baa1

SHA1
d72371e256467ee9923446305bb16854237ccd61

SHA256
9cda8a2a0e1671be384dab6915482f47e54a201649dd65392e64eab93d572623

SHA512
fb028bfd56b8d3f7f0b8893dab700d0629cd98d500696dc1f003f512eb4fa9b1ebfcbc57839cb9fecd01c989fef6a2ff0b03f08db9dba47d71fe46c5a0c17023

Download Submit
C:\Users\Admin\AppData\Local\Temp\intemeration

Filesize
128KB

MD5
885c798668d2a8950d78910952c02fae

SHA1
f24e28f1698fac8de9cd2c683e498879120be6b2

SHA256
e3ad49dc80988fbe3981136690d8e09bfc0edd83eaf7d6cea6ecc7ba7cefb669

SHA512
4b8af43304cc5f5c844fb1f924e378460a243957acbbd4409e0f2f15518e6d5a983a2edfff9e2646816d31f26c18c15d9c9753aebcaec976f814d1f500110619

Download Submit
C:\Users\Admin\AppData\Local\Temp\intemeration

Filesize
252KB

MD5
853be9124b51e48f5d850a835321ce11

SHA1
27873a837151fb53b7656c34a565745b84e38342

SHA256
bb2a93bd61d6f95e4c9f0d4129d38633270df2128c57b97f5406655861030d0b

SHA512
192d1b16b630ba3237f19f5bad187304b035c2c5c07af9db05c7f4df763121d8b682a732d8728068dd92bd3d6bef2ed98c8c3efffd0cfc87126894108e1b23fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ofqcjhmppnzkryf

Filesize
4KB

MD5
18db1829b27eaeed163c211f5d179d72

SHA1
4442332494cba1e012f8876ecac42126ba995bc6

SHA256
610c5ee3f0e63441521d26bc477c9618a4c5f86e93d31b31890680c69e3ecc3d

SHA512
123d68b2c84f7a52d15faa212c06f33b04a55585e2aeb16bb14df95b18c0bcf31933e5bf0c736c90bc054b9527fccb046540d3302a0f149ebeed7c6bcca0b986

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
807KB

MD5
b17e1003bb9bbe58e090c7752447c016

SHA1
a159b486e535469d4c49b227d27608f2ad48288e

SHA256
d24d76d03365122aa5a4a7828a2d14368066da840ae8945cf595a6b17ceca700

SHA512
05077e35558e1bb636596d7a8c6b66f9554ecf8e057f61c3cf7f4af91c19f898943a5dc8b1f13914b231e09671a36631e2490e0b32799250537a375dad83af3a

Download Submit
memory/432-58-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/432-63-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/432-61-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/432-56-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1984-71-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1984-59-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1984-62-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1984-64-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1984-54-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2412-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-100-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-51-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-135-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-134-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-132-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-113-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-111-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-109-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-106-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-73-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2412-76-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2412-77-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2412-78-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-81-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-107-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-86-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-85-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-99-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-102-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-104-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-105-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2412-103-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2600-16-0x0000000000CE0000-0x0000000000EA1000-memory.dmp

Filesize
1.8MB

Download
memory/2600-43-0x0000000000CE0000-0x0000000000EA1000-memory.dmp

Filesize
1.8MB

Download
memory/3536-60-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3536-66-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3536-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4532-12-0x0000000004200000-0x0000000004204000-memory.dmp

Filesize
16KB

Download
memory/4532-18-0x0000000000D50000-0x0000000000F11000-memory.dmp

Filesize
1.8MB

Download
memory/4532-0-0x0000000000D50000-0x0000000000F11000-memory.dmp

Filesize
1.8MB

Download