remcos | 5944ba347d4797eeb52fd5b947b56163575ad28e5ffe68bb84de19c82b7696b9

Analysis

max time kernel
40s
max time network
44s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13-11-2024 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

free spoofe1r.exe
Size

197KB
MD5

9ca66a50465a3f07ce6e5d80e1da160e
SHA1

785cbf19b2d8577871e7c93e840f2ea3a1237eb7
SHA256

5944ba347d4797eeb52fd5b947b56163575ad28e5ffe68bb84de19c82b7696b9
SHA512

e98459eae421d61aa7f5cea9c80e5a7b3a162fa69704db339c6157fdfa283ccf039ced846713fc999f2f3975f8967163817bce2137669b9fc1097cf1f10691c7
SSDEEP

6144:jR1VxJLizZPHcLGhLy0c7lAS/0RbSLm8K:d9gzZP8yhLybGMAbemV

Score

10^/10

remcos free spoofer discovery rat

Malware Config

Extracted

Family

remcos

Version

5.3.0 Light

Botnet

free spoofer

10.125.240.11:445

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-70RTB9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

free spoofe1r.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	free spoofe1r.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid	Process
3340	msedge.exe
3340	msedge.exe
3160	msedge.exe
3160	msedge.exe
1520	msedge.exe
1520	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid	Process
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

free spoofe1r.exemsedge.exe

pid	Process
956	free spoofe1r.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe

Suspicious use of SendNotifyMessage 13 IoCs

Processes:

free spoofe1r.exemsedge.exe

pid	Process
956	free spoofe1r.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 3160 wrote to memory of 4568	3160	msedge.exe	84
PID 3160 wrote to memory of 4568	3160	msedge.exe	84
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3564	3160	msedge.exe	85
PID 3160 wrote to memory of 3340	3160	msedge.exe	86
PID 3160 wrote to memory of 3340	3160	msedge.exe	86
PID 3160 wrote to memory of 5096	3160	msedge.exe	87
PID 3160 wrote to memory of 5096	3160	msedge.exe	87
PID 3160 wrote to memory of 5096	3160	msedge.exe	87
PID 3160 wrote to memory of 5096	3160	msedge.exe	87
PID 3160 wrote to memory of 5096	3160	msedge.exe	87
PID 3160 wrote to memory of 5096	3160	msedge.exe	87
PID 3160 wrote to memory of 5096	3160	msedge.exe	87
PID 3160 wrote to memory of 5096	3160	msedge.exe	87
PID 3160 wrote to memory of 5096	3160	msedge.exe	87
PID 3160 wrote to memory of 5096	3160	msedge.exe	87
PID 3160 wrote to memory of 5096	3160	msedge.exe	87
PID 3160 wrote to memory of 5096	3160	msedge.exe	87
PID 3160 wrote to memory of 5096	3160	msedge.exe	87
PID 3160 wrote to memory of 5096	3160	msedge.exe	87
PID 3160 wrote to memory of 5096	3160	msedge.exe	87
PID 3160 wrote to memory of 5096	3160	msedge.exe	87
PID 3160 wrote to memory of 5096	3160	msedge.exe	87
PID 3160 wrote to memory of 5096	3160	msedge.exe	87
PID 3160 wrote to memory of 5096	3160	msedge.exe	87
PID 3160 wrote to memory of 5096	3160	msedge.exe	87

C:\Users\Admin\AppData\Local\Temp\free spoofe1r.exe
"C:\Users\Admin\AppData\Local\Temp\free spoofe1r.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ff9f24a3cb8,0x7ff9f24a3cc8,0x7ff9f24a3cd8
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,9531819218332421252,16251015238775099207,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,9531819218332421252,16251015238775099207,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,9531819218332421252,16251015238775099207,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9531819218332421252,16251015238775099207,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9531819218332421252,16251015238775099207,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9531819218332421252,16251015238775099207,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9531819218332421252,16251015238775099207,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1852,9531819218332421252,16251015238775099207,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a28bb0d36049e72d00393056dce10a26

SHA1
c753387b64cc15c0efc80084da393acdb4fc01d0

SHA256
684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1

SHA512
20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
554d6d27186fa7d6762d95dde7a17584

SHA1
93ea7b20b8fae384cf0be0d65e4295097112fdca

SHA256
2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb

SHA512
57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
86d207b6e6953de8ac563fe08aa6f3a8

SHA1
73623dd39ffc89100ac41f72ec6dcf2da00c6800

SHA256
2d776497302757134865abfc0657a1ec6343387dcaddd1d1b3ab4049c611732a

SHA512
188d4c808eeed8c5d6feac185308bdaaca47adc3ec9e95af2d4aad8ecd9d717ffbade8c816318b986361a9ae791d570497f09a0df81d05fac5e59f3662cb394b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
71f61fd745cc8bd7aed8ceaf91f08c81

SHA1
59f83ce5ea0327192d1efe0fe1a614599c7c2a69

SHA256
f60cfc40894e17c89e97d13c0bcd557d7fc7ce6a1c5fce7172f4f7f80dc4bb28

SHA512
024c7fb13e20ae223374162002beb1d03e1c95adb5bcb5e6dfdfe441bcfe4799a69d51d58e28bb704e07dc9a26177b077ffabe6e8e4852477303eab97d97aedd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2183dd1f901b9e36334fffe365141e5e

SHA1
1143907f082ae1f693f1043290af11e31437226a

SHA256
2db37c9cb5cb7e5b775d502426ba662fef27b0b889d6484dd5c221035c0fcac9

SHA512
caa2d17b74810fc62f8dfd18ff23f8ae170e818580c0d39dc1caff5b21b5c75d7fc7faaab221da0b22d64c16921e668e5b3aac3b78ec391278ca48184bb70a5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
\??\pipe\LOCAL\crashpad_3160_VSTPJDGTMHIMKSQS

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/956-3-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/956-4-0x0000000000475000-0x0000000000476000-memory.dmp

Filesize
4KB

Download
memory/956-5-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/956-2-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/956-1-0x0000000000475000-0x0000000000476000-memory.dmp

Filesize
4KB

Download
memory/956-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/956-28-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/956-102-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download