remcos | 1d1c6bda17ebae5d6af1cc83de37f18ea006748098dc9da1681141409846103c

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-11-2024 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setfsb/setfsb.exe
Size

3.0MB
MD5

3cd8c8422b497b7767c17be00a3617c9
SHA1

295b9ec152b097b10c9bdcf152c4694d73d6921c
SHA256

8b950c17cd699378034ef7fbf61cf7ecedebbb831ef7bfc3b8e2f139bfa35e06
SHA512

438bcb6738356a6ac7ff61a6a1c0980e291b9b08ca81417398cc69e40d71ec7c1dba0861ec72e0c74ff2a2bd33ccbcf58d59756c3dd67fb9ef43fd8d9ef598fe
SSDEEP

49152:ZEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVd3338K:t92bz2Eb6pd7B6bAGx7n333l

Score

10^/10

remcos new discovery rat

Malware Config

Extracted

Family

remcos

Botnet

New

95.217.148.142:9004

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
SSS1ooosSAweewwe-X6B4E4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 3 IoCs

Processes:

setfsb.exescr_previw.exescr_previw.exe

pid	Process
2908	setfsb.exe
2624	scr_previw.exe
2648	scr_previw.exe

Loads dropped DLL 6 IoCs

Processes:

setfsb.exescr_previw.exescr_previw.execmd.exe

pid	Process
2800	setfsb.exe
2800	setfsb.exe
2624	scr_previw.exe
2624	scr_previw.exe
2648	scr_previw.exe
2192	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

scr_previw.exe

description	pid	Process	procid_target
PID 2648 set thread context of 2192	2648	scr_previw.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

setfsb.exescr_previw.exescr_previw.execmd.exeexplorer.exesetfsb.exesetfsb.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setfsb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scr_previw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scr_previw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setfsb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setfsb.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

setfsb.exescr_previw.exescr_previw.execmd.exe

pid	Process
2800	setfsb.exe
2800	setfsb.exe
2624	scr_previw.exe
2648	scr_previw.exe
2648	scr_previw.exe
2192	cmd.exe
2192	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

scr_previw.execmd.exe

pid	Process
2648	scr_previw.exe
2192	cmd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

setfsb.exe

pid	Process
2800	setfsb.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

setfsb.exesetfsb.exescr_previw.exescr_previw.execmd.exe

description	pid	Process	procid_target
PID 2232 wrote to memory of 2800	2232	setfsb.exe	30
PID 2232 wrote to memory of 2800	2232	setfsb.exe	30
PID 2232 wrote to memory of 2800	2232	setfsb.exe	30
PID 2232 wrote to memory of 2800	2232	setfsb.exe	30
PID 2232 wrote to memory of 2800	2232	setfsb.exe	30
PID 2232 wrote to memory of 2800	2232	setfsb.exe	30
PID 2232 wrote to memory of 2800	2232	setfsb.exe	30
PID 2800 wrote to memory of 2908	2800	setfsb.exe	31
PID 2800 wrote to memory of 2908	2800	setfsb.exe	31
PID 2800 wrote to memory of 2908	2800	setfsb.exe	31
PID 2800 wrote to memory of 2908	2800	setfsb.exe	31
PID 2800 wrote to memory of 2624	2800	setfsb.exe	32
PID 2800 wrote to memory of 2624	2800	setfsb.exe	32
PID 2800 wrote to memory of 2624	2800	setfsb.exe	32
PID 2800 wrote to memory of 2624	2800	setfsb.exe	32
PID 2624 wrote to memory of 2648	2624	scr_previw.exe	33
PID 2624 wrote to memory of 2648	2624	scr_previw.exe	33
PID 2624 wrote to memory of 2648	2624	scr_previw.exe	33
PID 2624 wrote to memory of 2648	2624	scr_previw.exe	33
PID 2648 wrote to memory of 2192	2648	scr_previw.exe	34
PID 2648 wrote to memory of 2192	2648	scr_previw.exe	34
PID 2648 wrote to memory of 2192	2648	scr_previw.exe	34
PID 2648 wrote to memory of 2192	2648	scr_previw.exe	34
PID 2648 wrote to memory of 2192	2648	scr_previw.exe	34
PID 2192 wrote to memory of 2568	2192	cmd.exe	37
PID 2192 wrote to memory of 2568	2192	cmd.exe	37
PID 2192 wrote to memory of 2568	2192	cmd.exe	37
PID 2192 wrote to memory of 2568	2192	cmd.exe	37
PID 2192 wrote to memory of 2568	2192	cmd.exe	37
PID 2192 wrote to memory of 2568	2192	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe
"C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe
  "C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe" /VERYSILENT
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Users\Admin\AppData\Roaming\setfsb\setfsb.exe
    "C:\Users\Admin\AppData\Roaming\setfsb\setfsb.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2908
- - C:\Users\Admin\AppData\Roaming\scr_previw.exe
    "C:\Users\Admin\AppData\Roaming\scr_previw.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
      C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2192
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3a96de30

Filesize
1.2MB

MD5
e1ed225cd80e45d8fbd6659dfca2647e

SHA1
87c707d7932a76e0dacd6b8ca209016860383204

SHA256
355df58b67bbf4af2240165d91932abde0588fa846ad98a28772449974d30bdc

SHA512
dbc8efe9b174153ab99526fc59ba8d9a225a151bb8062c510afd51fa8a955d80d1f938becd2f77dcdb794a1439397143c224192f064515cad8a1b8023b43c3d2

Download Submit
C:\Users\Admin\AppData\Roaming\cygrt

Filesize
947KB

MD5
a727c368e3a6c273f28c80607f2df861

SHA1
a31a2b4a4677d58bf9f7126da6dedaf4502eb283

SHA256
bc5e2a7118a6e0a37b968dca2c110dd9db9a4359f6aea13f41ac04c663d066ca

SHA512
b7a47943727fced7da83f89d8eac50a50308a8a7abacf57b7ffcc0b2c05349360a8af60f3ab81755ba456b956b022c99f21692d339d399a42a5b8d9860b9045d

Download Submit
C:\Users\Admin\AppData\Roaming\d3dx9_43.dll

Filesize
1.9MB

MD5
e8ad346c114fda96fca288966eae8e92

SHA1
fdfad7f2030b54f076b2a2e24ef1199abf2588e6

SHA256
7e04681fdc438855e5b27a92c73b74ccb0a13338ee24a5054571b8efd8918ba0

SHA512
d63e542de66eb09d6847ed99e173763b7c24335566f650bdb198d4279b0de6e14cb4a03f29c66b5d7d6c480a6f520f677fccf8cbf51dc5db3f8af6c5412d7549

Download Submit
C:\Users\Admin\AppData\Roaming\gbxchd

Filesize
15KB

MD5
162ba47ec20e7fb580672579a6fef9d2

SHA1
a6b52b8f549ca44ffe821f65e846b869da544c28

SHA256
227baa93552cc95a5d2142c23c27f2006e41093cfe24f89bea1b8fe8abbac159

SHA512
135e057a779e5ed593f455ecc646dbf0f21b0bab909e0d8c3d83c7817e82e52115551cd6710b75dbfb9026393861e6f24f63ec59722d1e73553df97ac0e55cd4

Download Submit
\Users\Admin\AppData\Roaming\scr_previw.exe

Filesize
2.2MB

MD5
d9530ecee42acccfd3871672a511bc9e

SHA1
89b4d2406f1294bd699ef231a4def5f495f12778

SHA256
81e04f9a131534acc0e9de08718c062d3d74c80c7f168ec7e699cd4b2bd0f280

SHA512
d5f048ea995affdf9893ec4c5ac5eb188b6714f5b6712e0b5a316702033421b145b8ee6a62d303eb4576bf8f57273ff35c5d675807563a31157136f79d8a9980

Download Submit
\Users\Admin\AppData\Roaming\setfsb\setfsb.exe

Filesize
1.2MB

MD5
06d6023afb0ad4a828637863ba67277f

SHA1
393a8ea1e0ae4d5d2c4934850b996ec0618d4a90

SHA256
0f52243a7916d0b453be438133be2d55cf7da381c34f751ee8d593c10ab00168

SHA512
2e9e683bd3ae8987181cd2d8aa36134674adf81f540f035f8ff8780de67ff753202ba2b806e878bf17a4e1387f172c189682022e216df31b1c591fb1f2536a96

Download Submit
memory/2192-52-0x0000000077120000-0x00000000772C9000-memory.dmp

Filesize
1.7MB

Download
memory/2192-98-0x0000000074350000-0x00000000744C4000-memory.dmp

Filesize
1.5MB

Download
memory/2232-3-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2232-0-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2568-108-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2568-109-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2568-114-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2568-113-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2568-112-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2568-111-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2568-100-0x0000000077120000-0x00000000772C9000-memory.dmp

Filesize
1.7MB

Download
memory/2568-101-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2568-104-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2568-105-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2568-106-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2568-107-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2568-110-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2624-32-0x0000000074590000-0x0000000074704000-memory.dmp

Filesize
1.5MB

Download
memory/2624-33-0x0000000077120000-0x00000000772C9000-memory.dmp

Filesize
1.7MB

Download
memory/2648-48-0x0000000077120000-0x00000000772C9000-memory.dmp

Filesize
1.7MB

Download
memory/2648-47-0x0000000074350000-0x00000000744C4000-memory.dmp

Filesize
1.5MB

Download
memory/2648-49-0x0000000074350000-0x00000000744C4000-memory.dmp

Filesize
1.5MB

Download
memory/2800-28-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download