remcos | 544d772118922c50b382935f5403c6b9e6fcffdad5a82ea1ad1aec139c138581

Analysis

max time kernel
299s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-10-2024 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5702771896_AWB_20240902_225_20240902.exe
Size

888KB
MD5

fca7c052afe3a4de2e3d0ce5d500932c
SHA1

1873d11a40c7a727762ba70780a43a810f168333
SHA256

f85e3c3cace64f9432cc9588a77cb687cdca8378ec16334923849913632973ce
SHA512

b6cc45932fe3b6f0042e26609ad3a114872f044a667fbcdcd619e01380e03c77f203d88cbce79a09997ad645eb6f1a7d86217c1ec0f0667d8cc995cc28bb988c
SSDEEP

12288:k9QQTGWRJxjcm4Z2dDnD7V1xk3ZCB8w6unDxGlxqHkZ084Y5bzY9n8+q8tiB/h5:FQTGWPxImi21Tx1J6uDxaxqHg7098+6n

Score

10^/10

remcos remotehost collection discovery rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

23.227.202.197:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-QPTXAI
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detected Nirsoft tools 6 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/3912-38-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3912-33-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2904-43-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2904-40-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/5012-31-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/5012-47-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/2904-43-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/2904-40-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/5012-31-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/5012-47-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Loads dropped DLL 2 IoCs

pid	Process
1004	5702771896_AWB_20240902_225_20240902.exe
1004	5702771896_AWB_20240902_225_20240902.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	5702771896_AWB_20240902_225_20240902.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2464	5702771896_AWB_20240902_225_20240902.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1004	5702771896_AWB_20240902_225_20240902.exe
2464	5702771896_AWB_20240902_225_20240902.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1004 set thread context of 2464	1004	5702771896_AWB_20240902_225_20240902.exe	91
PID 2464 set thread context of 5012	2464	5702771896_AWB_20240902_225_20240902.exe	95
PID 2464 set thread context of 2904	2464	5702771896_AWB_20240902_225_20240902.exe	96
PID 2464 set thread context of 3912	2464	5702771896_AWB_20240902_225_20240902.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5702771896_AWB_20240902_225_20240902.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5702771896_AWB_20240902_225_20240902.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5702771896_AWB_20240902_225_20240902.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5702771896_AWB_20240902_225_20240902.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5702771896_AWB_20240902_225_20240902.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5012	5702771896_AWB_20240902_225_20240902.exe
5012	5702771896_AWB_20240902_225_20240902.exe
3912	5702771896_AWB_20240902_225_20240902.exe
3912	5702771896_AWB_20240902_225_20240902.exe
5012	5702771896_AWB_20240902_225_20240902.exe
5012	5702771896_AWB_20240902_225_20240902.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1004	5702771896_AWB_20240902_225_20240902.exe
2464	5702771896_AWB_20240902_225_20240902.exe
2464	5702771896_AWB_20240902_225_20240902.exe
2464	5702771896_AWB_20240902_225_20240902.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3912	5702771896_AWB_20240902_225_20240902.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2464	5702771896_AWB_20240902_225_20240902.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 2464	1004	5702771896_AWB_20240902_225_20240902.exe	91
PID 1004 wrote to memory of 2464	1004	5702771896_AWB_20240902_225_20240902.exe	91
PID 1004 wrote to memory of 2464	1004	5702771896_AWB_20240902_225_20240902.exe	91
PID 1004 wrote to memory of 2464	1004	5702771896_AWB_20240902_225_20240902.exe	91
PID 1004 wrote to memory of 2464	1004	5702771896_AWB_20240902_225_20240902.exe	91
PID 2464 wrote to memory of 5012	2464	5702771896_AWB_20240902_225_20240902.exe	95
PID 2464 wrote to memory of 5012	2464	5702771896_AWB_20240902_225_20240902.exe	95
PID 2464 wrote to memory of 5012	2464	5702771896_AWB_20240902_225_20240902.exe	95
PID 2464 wrote to memory of 2904	2464	5702771896_AWB_20240902_225_20240902.exe	96
PID 2464 wrote to memory of 2904	2464	5702771896_AWB_20240902_225_20240902.exe	96
PID 2464 wrote to memory of 2904	2464	5702771896_AWB_20240902_225_20240902.exe	96
PID 2464 wrote to memory of 3912	2464	5702771896_AWB_20240902_225_20240902.exe	97
PID 2464 wrote to memory of 3912	2464	5702771896_AWB_20240902_225_20240902.exe	97
PID 2464 wrote to memory of 3912	2464	5702771896_AWB_20240902_225_20240902.exe	97

C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
"C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
  "C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
    C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe /stext "C:\Users\Admin\AppData\Local\Temp\zitdtzlqyfrhrugjlhgfjilmdqcbn"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5012
- - C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
    C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe /stext "C:\Users\Admin\AppData\Local\Temp\bcyntswjmnjmtbunusbyuvgdeftkozvf"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:2904
- - C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
    C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe /stext "C:\Users\Admin\AppData\Local\Temp\lelg"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
bc2dba59425750566e43284febc9ab21

SHA1
934bb003a208bdf913265d0fcd8aebd5d8b8631d

SHA256
6b6d69da82f0dd712abbe17ead623cbd94511ca8e96772eafb0b33fe32839ec7

SHA512
4880b52ef9da059382128aa9665ce1fb08e8abdf8abcc8151cc683d3632677afcafe24b54d312a65224aacd5b27dea1af0da55227792869517cd1706c8a2de1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuD0FE.tmp\System.dll

Filesize
11KB

MD5
9625d5b1754bc4ff29281d415d27a0fd

SHA1
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

SHA256
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

SHA512
dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zitdtzlqyfrhrugjlhgfjilmdqcbn

Filesize
4KB

MD5
f1d2c01ce674ad7d5bad04197c371fbc

SHA1
4bf0ed04d156a3dc6c8d27e134ecbda76d3585aa

SHA256
25b006032deccd628940ef728fffe83b325a85de453a34691f55f570e4460094

SHA512
81cb982cc33dcc27600a8a681c3ec3cc5b9221b95baa45e1ab24479745a9638b9f31d7beeeb1128b3294ff69b44e958c75e25d565f66790c364665caff96ee77

Download Submit
memory/1004-14-0x00007FFED8810000-0x00007FFED8A05000-memory.dmp

Filesize
2.0MB

Download
memory/2464-80-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2464-95-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2464-23-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2464-17-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2464-137-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2464-50-0x0000000033650000-0x0000000033669000-memory.dmp

Filesize
100KB

Download
memory/2464-131-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2464-125-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2464-122-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2464-119-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2464-110-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2464-107-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2464-104-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2464-101-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2464-98-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2464-56-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2464-21-0x00007FFED8810000-0x00007FFED8A05000-memory.dmp

Filesize
2.0MB

Download
memory/2464-92-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2464-54-0x0000000033650000-0x0000000033669000-memory.dmp

Filesize
100KB

Download
memory/2464-53-0x0000000033650000-0x0000000033669000-memory.dmp

Filesize
100KB

Download
memory/2464-134-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2464-27-0x00007FFED8810000-0x00007FFED8A05000-memory.dmp

Filesize
2.0MB

Download
memory/2464-15-0x00007FFED8810000-0x00007FFED8A05000-memory.dmp

Filesize
2.0MB

Download
memory/2464-59-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2464-16-0x00007FFED8810000-0x00007FFED8A05000-memory.dmp

Filesize
2.0MB

Download
memory/2464-62-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2464-65-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2464-74-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2464-77-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2904-43-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2904-40-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2904-34-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2904-39-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2904-26-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3912-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3912-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3912-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3912-38-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5012-31-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5012-47-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5012-29-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5012-41-0x00007FFED8810000-0x00007FFED8A05000-memory.dmp

Filesize
2.0MB

Download
memory/5012-24-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download