remcos | 6e14949ce6cf75b2752054554ad439b0a83a7021a232b29dd5fdcd9c47eaa3f2

Analysis

max time kernel
148s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SWIFT050924.vbs
Size

691KB
MD5

2017ec3e440a42016679cfca89021367
SHA1

b28018bd754b0fa5170c9071fb4a615741b4dd19
SHA256

cf932f84c26f6d3665b03afbe44e50bf77342af73b4a1f101d48a5750fb3bf23
SHA512

3e29904829f4ea7ae5fcde95ccc3b4e9b440f60a1de183fe6ba7cd822d04e0976ff6e6a1bdb92a5da935e36a4485cbc982eb0d7d02c337c476c45724450efb02
SSDEEP

12288:xLtzjh8P+o6/vW/kiZI5sjLXjJkMz4Ss47DcShFXNGh/WmDj+VGP:dt3h9/uJZSsjLlkMdcSzdIuGP

Score

10^/10

remcos remotehost collection credential_access discovery rat stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

camzeroconnect.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-GT4655
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 5 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/2928-40-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2412-42-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/2412-41-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/760-39-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2412-47-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/760-39-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/2412-42-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/2412-41-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/2412-47-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
3200	x.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	aspnet_compiler.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3200 set thread context of 924	3200	x.exe	86
PID 924 set thread context of 2412	924	aspnet_compiler.exe	95
PID 924 set thread context of 760	924	aspnet_compiler.exe	97
PID 924 set thread context of 2928	924	aspnet_compiler.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3200	x.exe
3200	x.exe
2412	aspnet_compiler.exe
2412	aspnet_compiler.exe
2928	aspnet_compiler.exe
2928	aspnet_compiler.exe
2412	aspnet_compiler.exe
2412	aspnet_compiler.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
924	aspnet_compiler.exe
924	aspnet_compiler.exe
924	aspnet_compiler.exe
924	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3200	x.exe
Token: SeDebugPrivilege	2928	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 3200	1088	WScript.exe	83
PID 1088 wrote to memory of 3200	1088	WScript.exe	83
PID 3200 wrote to memory of 4904	3200	x.exe	85
PID 3200 wrote to memory of 4904	3200	x.exe	85
PID 3200 wrote to memory of 4904	3200	x.exe	85
PID 3200 wrote to memory of 924	3200	x.exe	86
PID 3200 wrote to memory of 924	3200	x.exe	86
PID 3200 wrote to memory of 924	3200	x.exe	86
PID 3200 wrote to memory of 924	3200	x.exe	86
PID 3200 wrote to memory of 924	3200	x.exe	86
PID 3200 wrote to memory of 924	3200	x.exe	86
PID 3200 wrote to memory of 924	3200	x.exe	86
PID 3200 wrote to memory of 924	3200	x.exe	86
PID 3200 wrote to memory of 924	3200	x.exe	86
PID 3200 wrote to memory of 924	3200	x.exe	86
PID 3200 wrote to memory of 924	3200	x.exe	86
PID 3200 wrote to memory of 924	3200	x.exe	86
PID 924 wrote to memory of 2412	924	aspnet_compiler.exe	95
PID 924 wrote to memory of 2412	924	aspnet_compiler.exe	95
PID 924 wrote to memory of 2412	924	aspnet_compiler.exe	95
PID 924 wrote to memory of 2412	924	aspnet_compiler.exe	95
PID 924 wrote to memory of 3328	924	aspnet_compiler.exe	96
PID 924 wrote to memory of 3328	924	aspnet_compiler.exe	96
PID 924 wrote to memory of 3328	924	aspnet_compiler.exe	96
PID 924 wrote to memory of 760	924	aspnet_compiler.exe	97
PID 924 wrote to memory of 760	924	aspnet_compiler.exe	97
PID 924 wrote to memory of 760	924	aspnet_compiler.exe	97
PID 924 wrote to memory of 760	924	aspnet_compiler.exe	97
PID 924 wrote to memory of 2928	924	aspnet_compiler.exe	98
PID 924 wrote to memory of 2928	924	aspnet_compiler.exe	98
PID 924 wrote to memory of 2928	924	aspnet_compiler.exe	98
PID 924 wrote to memory of 2928	924	aspnet_compiler.exe	98

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SWIFT050924.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Users\Admin\AppData\Local\Temp\x.exe
  "C:\Users\Admin\AppData\Local\Temp\x.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3200
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:4904
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:924
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\ndszsin"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2412
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\pxxssbyevx"
      4⤵
      PID:3328
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\pxxssbyevx"
      4⤵
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      PID:760
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\azdkttjgjfbcg"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ndszsin

Filesize
4KB

MD5
8b8277c8f03c24d1f290dbe476e961d2

SHA1
2e13baf3a4b708277d550dc3dd1e0f99b131f78e

SHA256
9af6881f6dbffba028a7a977f4c0a43c764f840332986993ad66de7b816c2f9e

SHA512
7367a0236cd0d6cd731caf1ba1f4ea8f851ea1018a9c6b49db6e9d13b2aaba92767774da9169481918e4287021ff5c3a58c3143eaa5e7fe9fa88383208615948

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe

Filesize
474KB

MD5
aeb8bba5e93fa1090d72a4e603c6fd72

SHA1
19bac3f94a320ab7ed10d2ab8dc5a7609d55800f

SHA256
d1019a57fa406376bf03b65c28aa50cc58377c44a6883bbeb9d2b59e7add2d98

SHA512
8a330c4d9efe0af40b2e98d3d571a69598b5bfd64ddb7723ff3a2db668a9550ceb1a3942bc5110e00543509d46ba88d8fb9623c2660626ffb298ead4dd802b9b

Download Submit
memory/760-37-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/760-34-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/760-39-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/924-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/924-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/924-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/924-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/924-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/924-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/924-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/924-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/924-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/924-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/924-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/924-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/924-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/924-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/924-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/924-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/924-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/924-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/924-60-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/924-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/924-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/924-57-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/924-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/924-52-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/924-53-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/924-49-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2412-42-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2412-47-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2412-32-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2412-36-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2412-41-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2928-35-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2928-40-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2928-38-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3200-14-0x00007FFA93510000-0x00007FFA93FD1000-memory.dmp

Filesize
10.8MB

Download
memory/3200-16-0x000001E5D5770000-0x000001E5D5778000-memory.dmp

Filesize
32KB

Download
memory/3200-12-0x000001E5D5350000-0x000001E5D53CC000-memory.dmp

Filesize
496KB

Download
memory/3200-15-0x000001E5D5760000-0x000001E5D576C000-memory.dmp

Filesize
48KB

Download
memory/3200-13-0x000001E5D5830000-0x000001E5D58AA000-memory.dmp

Filesize
488KB

Download
memory/3200-11-0x00007FFA93513000-0x00007FFA93515000-memory.dmp

Filesize
8KB

Download
memory/3200-23-0x00007FFA93510000-0x00007FFA93FD1000-memory.dmp

Filesize
10.8MB

Download