remcos | d98fa625a92c790403ee5f8be928948855ea23a892321cc7d219895d3f5b1c36

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d98fa625a92c790403ee5f8be928948855ea23a892321cc7d219895d3f5b1c36.exe
Size

1.2MB
MD5

6539c2c942c9aa3ab9c7fe14fccf0b4e
SHA1

f4a663d69419e1cdef4d31ae003c89f6c19f23c0
SHA256

d98fa625a92c790403ee5f8be928948855ea23a892321cc7d219895d3f5b1c36
SHA512

9a2141a4f2aadd4613f665ccff25e1be5ec4b31716f2f56982220032e688a860e28c0783626df885eca8f120c0c7c088b1e28438faa6f0a1c3125ba760f8bb09
SSDEEP

24576:WCdxte/80jYLT3U1jfsWaNuPcgCOCYdVtL/JAc/RhmTO/wQ:fw80cTsjkWaNecFOCYDljmyL

Score

10^/10

remcos newest collection discovery rat

Malware Config

Extracted

Family

remcos

Botnet

newest

107.173.4.16:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-FI789R
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4088-64-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/5088-59-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2448-57-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/5088-59-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/2448-57-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 2 IoCs

pid	Process
1600	name.exe
2352	name.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0008000000023cb3-13.dat	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2352 set thread context of 216	2352	name.exe	89
PID 216 set thread context of 2448	216	svchost.exe	91
PID 216 set thread context of 5088	216	svchost.exe	93
PID 216 set thread context of 4088	216	svchost.exe	94

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d98fa625a92c790403ee5f8be928948855ea23a892321cc7d219895d3f5b1c36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2448	svchost.exe
2448	svchost.exe
4088	svchost.exe
4088	svchost.exe
2448	svchost.exe
2448	svchost.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1600	name.exe
2352	name.exe
216	svchost.exe
216	svchost.exe
216	svchost.exe
216	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4088	svchost.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
812	d98fa625a92c790403ee5f8be928948855ea23a892321cc7d219895d3f5b1c36.exe
812	d98fa625a92c790403ee5f8be928948855ea23a892321cc7d219895d3f5b1c36.exe
1600	name.exe
1600	name.exe
2352	name.exe
2352	name.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
812	d98fa625a92c790403ee5f8be928948855ea23a892321cc7d219895d3f5b1c36.exe
812	d98fa625a92c790403ee5f8be928948855ea23a892321cc7d219895d3f5b1c36.exe
1600	name.exe
1600	name.exe
2352	name.exe
2352	name.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 1600	812	d98fa625a92c790403ee5f8be928948855ea23a892321cc7d219895d3f5b1c36.exe	86
PID 812 wrote to memory of 1600	812	d98fa625a92c790403ee5f8be928948855ea23a892321cc7d219895d3f5b1c36.exe	86
PID 812 wrote to memory of 1600	812	d98fa625a92c790403ee5f8be928948855ea23a892321cc7d219895d3f5b1c36.exe	86
PID 1600 wrote to memory of 3068	1600	name.exe	87
PID 1600 wrote to memory of 3068	1600	name.exe	87
PID 1600 wrote to memory of 3068	1600	name.exe	87
PID 1600 wrote to memory of 2352	1600	name.exe	88
PID 1600 wrote to memory of 2352	1600	name.exe	88
PID 1600 wrote to memory of 2352	1600	name.exe	88
PID 2352 wrote to memory of 216	2352	name.exe	89
PID 2352 wrote to memory of 216	2352	name.exe	89
PID 2352 wrote to memory of 216	2352	name.exe	89
PID 2352 wrote to memory of 216	2352	name.exe	89
PID 216 wrote to memory of 2448	216	svchost.exe	91
PID 216 wrote to memory of 2448	216	svchost.exe	91
PID 216 wrote to memory of 2448	216	svchost.exe	91
PID 216 wrote to memory of 2448	216	svchost.exe	91
PID 216 wrote to memory of 4692	216	svchost.exe	92
PID 216 wrote to memory of 4692	216	svchost.exe	92
PID 216 wrote to memory of 4692	216	svchost.exe	92
PID 216 wrote to memory of 5088	216	svchost.exe	93
PID 216 wrote to memory of 5088	216	svchost.exe	93
PID 216 wrote to memory of 5088	216	svchost.exe	93
PID 216 wrote to memory of 5088	216	svchost.exe	93
PID 216 wrote to memory of 4088	216	svchost.exe	94
PID 216 wrote to memory of 4088	216	svchost.exe	94
PID 216 wrote to memory of 4088	216	svchost.exe	94
PID 216 wrote to memory of 4088	216	svchost.exe	94

C:\Users\Admin\AppData\Local\Temp\d98fa625a92c790403ee5f8be928948855ea23a892321cc7d219895d3f5b1c36.exe
"C:\Users\Admin\AppData\Local\Temp\d98fa625a92c790403ee5f8be928948855ea23a892321cc7d219895d3f5b1c36.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:812
- C:\Users\Admin\AppData\Local\directory\name.exe
  "C:\Users\Admin\AppData\Local\Temp\d98fa625a92c790403ee5f8be928948855ea23a892321cc7d219895d3f5b1c36.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\d98fa625a92c790403ee5f8be928948855ea23a892321cc7d219895d3f5b1c36.exe"
    3⤵
    PID:3068
- - C:\Users\Admin\AppData\Local\directory\name.exe
    "C:\Users\Admin\AppData\Local\directory\name.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\directory\name.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:216
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\azpsnvpwktgeqdhtz"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2448
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\lbukooaxybyrajvxisyy"
        5⤵
        
        PID:4692
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\lbukooaxybyrajvxisyy"
        5⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:5088
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\vvzvpglrmjqwdprjadlrfkl"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Citlaltpetl

Filesize
483KB

MD5
68e968b0759cf46217226477c26c2fb0

SHA1
acbb76b2c0808f932d217ae73184ba14b18d27b8

SHA256
604a0cc31ba6d8753e394982e8b84a59b260179b2313f314cac53ceb663c996b

SHA512
8016e87c2b29be1802df384f46f0568ef4ea2be22732bd554aa7e95ff12373b0381ad0cfd8ca1c795e8b5d7dc94e210acc8f32dd21cbbca4ecb42d6e48fa8709

Download Submit
C:\Users\Admin\AppData\Local\Temp\autCD23.tmp

Filesize
391KB

MD5
336dc045c8c6a4764b31d43fd360b020

SHA1
0dbee41f0bf6fef4f8c7bd47c6fd386cb572067b

SHA256
d7c56ffc8a357e732d1922254d35ac9ef9fa39b15f0c4509e5d0cf17ccb64ec4

SHA512
a7c4fe0fbefa21d7d1217b75b3bc44e08582fc69faed7144736375d7934caf25fa40441a4ae21bef339f056cdb927f8e42f94caa5b9140c42a1f309dab88509b

Download Submit
C:\Users\Admin\AppData\Local\Temp\autCD63.tmp

Filesize
12KB

MD5
a9350f97650a3d649560abaa38ccbe7c

SHA1
c01dde0ac867bbe9ed8d93713c993751e8b1fed6

SHA256
912fe5024c06fbb6643cc0afc64414ecdda4a251cc6d1f5805960b544b73c53a

SHA512
8a2024cc0f6c3b72ad554ded7a93d61024ecdb5af56b550f6a145468eb87cd7ad583a8a1b0c4390dcb5082ac66fcc247cd8299c3a598d95a192220a597009197

Download Submit
C:\Users\Admin\AppData\Local\Temp\azpsnvpwktgeqdhtz

Filesize
4KB

MD5
60a0bdc1cf495566ff810105d728af4a

SHA1
243403c535f37a1f3d5f307fc3fb8bdd5cbcf6e6

SHA256
fd12da9f9b031f9fa742fa73bbb2c9265f84f49069b7c503e512427b93bce6d2

SHA512
4445f214dbf5a01d703f22a848b56866f3f37b399de503f99d40448dc86459bf49d1fa487231f23c080a559017d72bcd9f6c13562e1f0bd53c1c9a89e73306a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\teres

Filesize
28KB

MD5
8286378171e4c2b52782449814a06653

SHA1
f950aea27b1c5416406c248a41253679ed182bfa

SHA256
4dc4dea969f1a530d82d02ed8d72be00404f8e32973430dc55eae380f95d92da

SHA512
9b9b2a8bf2b8559eafc93ae06a6c8c1d3d8ed074353d827ca04e0de7e1fa5214bfaaf98f645114e826e898b0b9302ab16aab18d9ca2443d7bc06574605d3ec85

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
1.2MB

MD5
6539c2c942c9aa3ab9c7fe14fccf0b4e

SHA1
f4a663d69419e1cdef4d31ae003c89f6c19f23c0

SHA256
d98fa625a92c790403ee5f8be928948855ea23a892321cc7d219895d3f5b1c36

SHA512
9a2141a4f2aadd4613f665ccff25e1be5ec4b31716f2f56982220032e688a860e28c0783626df885eca8f120c0c7c088b1e28438faa6f0a1c3125ba760f8bb09

Download Submit
memory/216-70-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/216-73-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/216-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/216-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/216-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/216-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/216-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/216-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/216-49-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/216-50-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/216-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/216-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/216-82-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/216-79-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/216-78-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/216-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/216-76-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/216-75-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/216-74-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/216-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/216-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/216-67-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/216-71-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/216-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/812-10-0x0000000002560000-0x0000000002564000-memory.dmp

Filesize
16KB

Download
memory/2448-57-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2448-56-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2448-53-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4088-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4088-60-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4088-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5088-59-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5088-58-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5088-54-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download