remcos | da07ea710e848805416f93369b7b6e90d0c1b66cbb80ead60c7d46d6d8efd3be

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16/09/2024, 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMANG59293021IMAGN2944592302VISTAVPREVIA023102.exe
Size

778KB
MD5

6ec62d2feca20ea0d9c8730aa3f660e3
SHA1

5386d98ec0d08febf713058df774e9e6044c9080
SHA256

e6b58687faf8165eb9f34872e6dd9df1a97e527a1c9765b698be615e72f368e0
SHA512

6017f06cc445a45cf7f57e131e682fb2f5c56c35bbb1884e3759a44cadb559ea6ca51851808fb2012e3de1f28bdfbb52a35301706468f67ef0f85494fe474aeb
SSDEEP

24576:LwuySQX1XbJzkbtccJ7tQB/9ksYwSQvf8os+q:L5QdbJzFAtKksnSQv+7

Score

10^/10

remcos decimo discovery rat

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

DECIMO

decimoremcdns.duckdns.org:1011

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-EXFS95
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 5 IoCs

flow	pid	Process
3	2728	cmd.exe
4	2728	cmd.exe
5	2728	cmd.exe
7	2728	cmd.exe
8	2728	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2692	paperings.exe

Loads dropped DLL 3 IoCs

pid	Process
2744	IMANG59293021IMAGN2944592302VISTAVPREVIA023102.exe
2744	IMANG59293021IMAGN2944592302VISTAVPREVIA023102.exe
2692	paperings.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\sfc.job	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMANG59293021IMAGN2944592302VISTAVPREVIA023102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	paperings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2692	paperings.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2692	paperings.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2728	cmd.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2692	2744	IMANG59293021IMAGN2944592302VISTAVPREVIA023102.exe	31
PID 2744 wrote to memory of 2692	2744	IMANG59293021IMAGN2944592302VISTAVPREVIA023102.exe	31
PID 2744 wrote to memory of 2692	2744	IMANG59293021IMAGN2944592302VISTAVPREVIA023102.exe	31
PID 2744 wrote to memory of 2692	2744	IMANG59293021IMAGN2944592302VISTAVPREVIA023102.exe	31
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32
PID 2692 wrote to memory of 2728	2692	paperings.exe	32

C:\Users\Admin\AppData\Local\Temp\IMANG59293021IMAGN2944592302VISTAVPREVIA023102.exe
"C:\Users\Admin\AppData\Local\Temp\IMANG59293021IMAGN2944592302VISTAVPREVIA023102.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Local\Temp\paperings.exe
  C:\Users\Admin\AppData\Local\Temp\paperings.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Keystroke

Filesize
645KB

MD5
5c9b2fdeda32f5e7c5dba14db7d405f1

SHA1
0616c4b7aade47f8a7a110222cf21b40a9138540

SHA256
0376fa7850a8e22086b054e55a626633f5376e5a1639eb10799ae68a1f64493d

SHA512
42fa024108e621cfdeae5b888597d635ed6a60465a174e1d2c8145465bda8fdc45809cb231a651d182414d39a2e21402fa2c50e711efaa29c37cde9154c19f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\TowbarHamartia.DLL

Filesize
54KB

MD5
d65c8ac05fd814a0327588b6b485c43e

SHA1
5555dc0c343f857c4732683b4018a271b17a6ca0

SHA256
030bcfc5c4629fff97b77925e1650c9bb9b267c1018f2fc754f90afc143522e1

SHA512
a40aa752ba28afb4e4b40ebb551612a819876dde50414c9ff1c0bf6b46618ab9d7b459eca0262fc0b9a13a649123c37fede7b20db4b8f3344c81551041d86fa0

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat

Filesize
74B

MD5
ab7c5e5640d7eefd99d8f0871b53a28d

SHA1
46af5b449db87552c8a4f04e4dd1ad9e59f01f10

SHA256
4e1d6d48f627bebf66cf37c25e6e12e8ffb924a164440be10df6ba244766ab6c

SHA512
f7c2d5c78de8f4bfc536240b5a645329238709140910552856d201cefdae8f45ab570bc646af8ce14c4e290413cabec35bbad070af92b7434f0d2002dbf3dd08

Download Submit
\Users\Admin\AppData\Local\Temp\paperings.exe

Filesize
39KB

MD5
f4392de13dfac4aa804152adbd93e793

SHA1
ee90e001945afde21dcd12d542f0eabb9f94f4a6

SHA256
31ae1165f008db6195108f984d3fe495f10c6ac4a5f74bd365102f84b57d9aba

SHA512
40bf82d364c757576c3d7897d6d7413b64089056a8279433b5d5a35ada7a01607754c29678afd9bada5934d49c26f800132d400c864b38234fba4017bcf01de4

Download Submit
memory/2692-37-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/2692-31-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/2692-38-0x0000000076770000-0x00000000767A5000-memory.dmp

Filesize
212KB

Download
memory/2728-39-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2728-41-0x0000000000090000-0x0000000000096000-memory.dmp

Filesize
24KB

Download
memory/2728-49-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2728-48-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2728-45-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2728-51-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2728-40-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download