remcos | 7b33de62dafef125fe428afe47e9a353749a6632d58809ce428b7514886b49b6

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

na.rtf
Size

86KB
MD5

c7b4ec460b896ccd9f368467d06ee44b
SHA1

58d4ed5d5791401f4555d6278a179e5c65563c8a
SHA256

7b33de62dafef125fe428afe47e9a353749a6632d58809ce428b7514886b49b6
SHA512

d82b5ecc391f92e17161ce7b98f62b273f9a51d6c294272aacc1efa1b2d2dc7c8c1095103197d6fe023b21d8b161978c4c6073aed78758649031da99fd687d9c
SSDEEP

768:t9QdTYkH9SFwul5U0mGL8ogS2fw6Vgr9JE:Mkkdzuglo8og3fJVmE

Score

10^/10

remcos newest collection discovery rat

Malware Config

Extracted

Family

remcos

Botnet

newest

107.173.4.16:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-FI789R
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/1016-68-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2792-63-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/816-69-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/816-69-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2792-63-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2540	EQNEDT32.EXE

Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 2 IoCs

pid	Process
584	taskhostw.exe
1408	name.exe

Loads dropped DLL 7 IoCs

pid	Process
2540	EQNEDT32.EXE
584	taskhostw.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000016b86-8.dat	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1408 set thread context of 1584	1408	name.exe	35
PID 1584 set thread context of 2792	1584	svchost.exe	37
PID 1584 set thread context of 816	1584	svchost.exe	38
PID 1584 set thread context of 1016	1584	svchost.exe	39

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1988	1408	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhostw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2540	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3056	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2792	svchost.exe
2792	svchost.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1408	name.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1016	svchost.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
584	taskhostw.exe
584	taskhostw.exe
1408	name.exe
1408	name.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
584	taskhostw.exe
584	taskhostw.exe
1408	name.exe
1408	name.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3056	WINWORD.EXE
3056	WINWORD.EXE
3056	WINWORD.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 584	2540	EQNEDT32.EXE	33
PID 2540 wrote to memory of 584	2540	EQNEDT32.EXE	33
PID 2540 wrote to memory of 584	2540	EQNEDT32.EXE	33
PID 2540 wrote to memory of 584	2540	EQNEDT32.EXE	33
PID 584 wrote to memory of 1408	584	taskhostw.exe	34
PID 584 wrote to memory of 1408	584	taskhostw.exe	34
PID 584 wrote to memory of 1408	584	taskhostw.exe	34
PID 584 wrote to memory of 1408	584	taskhostw.exe	34
PID 1408 wrote to memory of 1584	1408	name.exe	35
PID 1408 wrote to memory of 1584	1408	name.exe	35
PID 1408 wrote to memory of 1584	1408	name.exe	35
PID 1408 wrote to memory of 1584	1408	name.exe	35
PID 1408 wrote to memory of 1584	1408	name.exe	35
PID 1408 wrote to memory of 1988	1408	name.exe	36
PID 1408 wrote to memory of 1988	1408	name.exe	36
PID 1408 wrote to memory of 1988	1408	name.exe	36
PID 1408 wrote to memory of 1988	1408	name.exe	36
PID 1584 wrote to memory of 2792	1584	svchost.exe	37
PID 1584 wrote to memory of 2792	1584	svchost.exe	37
PID 1584 wrote to memory of 2792	1584	svchost.exe	37
PID 1584 wrote to memory of 2792	1584	svchost.exe	37
PID 1584 wrote to memory of 2792	1584	svchost.exe	37
PID 1584 wrote to memory of 816	1584	svchost.exe	38
PID 1584 wrote to memory of 816	1584	svchost.exe	38
PID 1584 wrote to memory of 816	1584	svchost.exe	38
PID 1584 wrote to memory of 816	1584	svchost.exe	38
PID 1584 wrote to memory of 816	1584	svchost.exe	38
PID 1584 wrote to memory of 1016	1584	svchost.exe	39
PID 1584 wrote to memory of 1016	1584	svchost.exe	39
PID 1584 wrote to memory of 1016	1584	svchost.exe	39
PID 1584 wrote to memory of 1016	1584	svchost.exe	39
PID 1584 wrote to memory of 1016	1584	svchost.exe	39

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\na.rtf"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3056

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Users\Admin\AppData\Roaming\taskhostw.exe
  "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\Users\Admin\AppData\Local\directory\name.exe
    "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1584
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\vbhglzrtwelomndtbpznxs"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2792
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\fduzmrcnkmebwtzxkalhaxgwh"
        5⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:816
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\hxarnkmoguwgziobblyilksnqxtf"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 320
      4⤵
      Loads dropped DLL
      Program crash
      PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\teres

Filesize
28KB

MD5
8286378171e4c2b52782449814a06653

SHA1
f950aea27b1c5416406c248a41253679ed182bfa

SHA256
4dc4dea969f1a530d82d02ed8d72be00404f8e32973430dc55eae380f95d92da

SHA512
9b9b2a8bf2b8559eafc93ae06a6c8c1d3d8ed074353d827ca04e0de7e1fa5214bfaaf98f645114e826e898b0b9302ab16aab18d9ca2443d7bc06574605d3ec85

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbhglzrtwelomndtbpznxs

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\taskhostw.exe

Filesize
1.2MB

MD5
6539c2c942c9aa3ab9c7fe14fccf0b4e

SHA1
f4a663d69419e1cdef4d31ae003c89f6c19f23c0

SHA256
d98fa625a92c790403ee5f8be928948855ea23a892321cc7d219895d3f5b1c36

SHA512
9a2141a4f2aadd4613f665ccff25e1be5ec4b31716f2f56982220032e688a860e28c0783626df885eca8f120c0c7c088b1e28438faa6f0a1c3125ba760f8bb09

Download Submit
memory/816-69-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/816-61-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/816-66-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1016-67-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1016-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1016-68-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1584-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1584-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1584-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1584-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1584-57-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1584-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1584-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1584-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1584-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1584-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1584-82-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1584-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1584-81-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1584-80-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1584-79-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1584-78-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1584-75-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2792-63-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2792-59-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2792-62-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2792-58-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3056-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3056-0-0x000000002FCB1000-0x000000002FCB2000-memory.dmp

Filesize
4KB

Download
memory/3056-2-0x000000007131D000-0x0000000071328000-memory.dmp

Filesize
44KB

Download