remcos | 3f416918bd125281304aad7b443c03de9fb8d3d22316ff0c47b5c18a1793bc70

Analysis

max time kernel
93s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/11/2024, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f416918bd125281304aad7b443c03de9fb8d3d22316ff0c47b5c18a1793bc70.exe
Size

649KB
MD5

90b918dec9c9a4b5ece3cb7ecce2598e
SHA1

ae7be0d3f7edff1729df9386847d6fd25ff24ac6
SHA256

3f416918bd125281304aad7b443c03de9fb8d3d22316ff0c47b5c18a1793bc70
SHA512

0f392ca832f969aa3c41f601577e53c10c235ad70b87986af5f5e20f27809141726f70c5c3133641dfbf975663fe73ef019c2251b2a3185a463ec4d2e8eed6ec
SSDEEP

12288:E3cAEjowS7yqMU5dECzVij70Y2RVX/lPIOZzZLDEvaSh2x0+tNADhZebeEkOQ:E3cAEjowSGqMUvFYjtOZzlK607fDl

Score

10^/10

remcos lonewolf discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

LoneWolf

odumegwu.duckdns.org:51525

odumeje1.duckdns.org:51525

odumeje.duckdns.org:51525

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-3DX9QW
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Loads dropped DLL 2 IoCs

pid	Process
4316	3f416918bd125281304aad7b443c03de9fb8d3d22316ff0c47b5c18a1793bc70.exe
4316	3f416918bd125281304aad7b443c03de9fb8d3d22316ff0c47b5c18a1793bc70.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Startup key = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder1\\Geoginas.exe"	3f416918bd125281304aad7b443c03de9fb8d3d22316ff0c47b5c18a1793bc70.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4316	3f416918bd125281304aad7b443c03de9fb8d3d22316ff0c47b5c18a1793bc70.exe
4204	3f416918bd125281304aad7b443c03de9fb8d3d22316ff0c47b5c18a1793bc70.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4316 set thread context of 4204	4316	3f416918bd125281304aad7b443c03de9fb8d3d22316ff0c47b5c18a1793bc70.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2628	4204	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f416918bd125281304aad7b443c03de9fb8d3d22316ff0c47b5c18a1793bc70.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f416918bd125281304aad7b443c03de9fb8d3d22316ff0c47b5c18a1793bc70.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4316	3f416918bd125281304aad7b443c03de9fb8d3d22316ff0c47b5c18a1793bc70.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 4204	4316	3f416918bd125281304aad7b443c03de9fb8d3d22316ff0c47b5c18a1793bc70.exe	94
PID 4316 wrote to memory of 4204	4316	3f416918bd125281304aad7b443c03de9fb8d3d22316ff0c47b5c18a1793bc70.exe	94
PID 4316 wrote to memory of 4204	4316	3f416918bd125281304aad7b443c03de9fb8d3d22316ff0c47b5c18a1793bc70.exe	94
PID 4316 wrote to memory of 4204	4316	3f416918bd125281304aad7b443c03de9fb8d3d22316ff0c47b5c18a1793bc70.exe	94
PID 4316 wrote to memory of 4204	4316	3f416918bd125281304aad7b443c03de9fb8d3d22316ff0c47b5c18a1793bc70.exe	94

C:\Users\Admin\AppData\Local\Temp\3f416918bd125281304aad7b443c03de9fb8d3d22316ff0c47b5c18a1793bc70.exe
"C:\Users\Admin\AppData\Local\Temp\3f416918bd125281304aad7b443c03de9fb8d3d22316ff0c47b5c18a1793bc70.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Users\Admin\AppData\Local\Temp\3f416918bd125281304aad7b443c03de9fb8d3d22316ff0c47b5c18a1793bc70.exe
  "C:\Users\Admin\AppData\Local\Temp\3f416918bd125281304aad7b443c03de9fb8d3d22316ff0c47b5c18a1793bc70.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:4204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 1268
    3⤵
    - Program crash
    PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4204 -ip 4204
1⤵
PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsdA869.tmp

Filesize
2B

MD5
25bc6654798eb508fa0b6343212a74fe

SHA1
15d5e1d3b948fd5986aaff7d9419b5e52c75fc93

SHA256
8e5202705183bd3a20a29e224499b0f77a8273ee33cd93cca71043c57ad4bdfc

SHA512
5868c6241ed3cfcc5c34bfe42e4b9f5c69e74975e524771d8c9f35cafc13fd01cd943ec4d8caefee79a1f4a457e69d20b7a86f88db83a5bc3e6bd8a619972898

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdA869.tmp

Filesize
10B

MD5
9a53fc1d7126c5e7c81bb5c15b15537b

SHA1
e2d13e0fa37de4c98f30c728210d6afafbb2b000

SHA256
a7de06c22e4e67908840ec3f00ab8fe9e04ae94fb16a74136002afbaf607ff92

SHA512
b0bffbb8072dbdcfc68f0e632f727c08fe3ef936b2ef332c08486553ff2cef7b0bcdb400e421a117e977bb0fac17ce4706a8097e32d558a918433646b6d5f1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdA869.tmp

Filesize
18B

MD5
cd0c38af71efb097ce402c588b17ff09

SHA1
8da4e54a7b95932f752a88ea416fa31d0c7c2fbe

SHA256
1630fc3705a57982a8939a6550615a92d8998f0c3394caeca0ae3019427ec50a

SHA512
03603368dbca419de6ad8ef10bb6c9670e83f06d2b3b7d7b5ebccf255473d7abb1cca1c7e0f2c2d49cd3f84c599ee5e71b03582567c95f3f76d5e54931a6ed06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdA869.tmp

Filesize
22B

MD5
1a976b081f77c04dad951286222ed3da

SHA1
1fd2c47eab6b8b5ee42fee2f8238bd065881d99d

SHA256
d7c42493656ae25d5a3ff0b7fa739e43557d2c54a82833c8782ddbe8d364816d

SHA512
e087d4f397761e3525241f2610f8be1bd46533905fc0bf39435127e1341c1f4c21fc1d2f1b213d78b0505d8bafbc4f797b85537601a0f186850457d3d2847a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdA869.tmp

Filesize
60B

MD5
6784d8f3948a522353ed281328a8723d

SHA1
304028414399d878afe5700f56a26f4062cf4f9b

SHA256
e51248669d25916aaadc481c6f2661d7af87c28e30b62c34b5ed2fbb708575ac

SHA512
00a6fce062c6db06dd723aa91dd74fe9107059cd5635d0d09743f9c756bb3af1b3fb1e0b89edce081fde02fd72edd1a0590b2fb83d7711a502b0618e97e21fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdA906.tmp

Filesize
12B

MD5
c69f9017146365e0214351f8fe3c5837

SHA1
1653405a133cee32745a9a2bffaeca4429d95532

SHA256
e7137bbf941ddb679efbbb3043769122f659a0932d056894f411b734fb1ffddd

SHA512
fa5a9dad8862c6614fd148c9800f3aec0b2a842f1f3ee47f22bbc426133bd7659bdb2cfac45d25288ea6a4c4f1b29163b8ae764c0d15c008935a7b9606c67977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdA906.tmp

Filesize
41B

MD5
5d27ab64299196a0ae0588d09bbdd4af

SHA1
f60db836286953946e8108aee6de534a6892ab19

SHA256
0659be61af13ac112373100fcbe4e5cbdaec19262a104e882bec6f6389b07a5f

SHA512
50c7eb438d1babcf8883180c211bad80e73c1d9ec87a733b05ea2692c8c9d9dbd56700d82cfa679100b7eb40a7389c7f07a161c3ab0e629ffad51434676fa0b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdA906.tmp

Filesize
46B

MD5
25882c6cd51b5a0a31cb42fcd87cf247

SHA1
6eb6be260825e3807d50cf84afb990878b94faa5

SHA256
cf1663a286fa3ee325e8a2440c280bc547e653a6289b069dbff95449e6e9501a

SHA512
3d0bf304bac4dbbb09b6937ae535931113479863281d6d2ab19ccf07250bea66fab08e7027f27e77df38f2407dd7f98db1ca3879d37f5a7f367da664db41d2ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdA906.tmp

Filesize
50B

MD5
d127f9aab74c4d2d35c1c7903ae66531

SHA1
d003563f3333c1b4b8f52e935c5113e7309a1969

SHA256
4ba4336d758a991595407faf58b7ac3d1344973d3327d737bd30d6b30ac0427f

SHA512
a9cfee199d3ad828c8b953ce0f090cde68b0e7c57de417cd6f82feffa5d9432fae8ef43ecebc61aa83ebc788ff830cf1bd167b27ca1c30eab114fd7b902e1352

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdA906.tmp

Filesize
55B

MD5
77c74357a05c6ef6d24ab36438bf636f

SHA1
9dd3198f880b3063e935f0900372221d339accca

SHA256
a74d0f1c92645efb5aeb220ec072e273d9219b73635433a74891e139c640834c

SHA512
14b8d3dce21ba1d2ad80c4111627cd742db9b2f2612f6f94ddb542dc6d051869d31febe611129053c947f8cf158e58700e4b0a800d4ac2fd68c858a91fce056e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiA79C.tmp\System.dll

Filesize
12KB

MD5
12b140583e3273ee1f65016becea58c4

SHA1
92df24d11797fefd2e1f8d29be9dfd67c56c1ada

SHA256
014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042

SHA512
49ffdfa1941361430b6acb3555fd3aa05e4120f28cbdf7ceaa2af5937d0b8cccd84471cf63f06f97cf203b4aa20f226bdad082e9421b8e6b62ab6e1e9fc1e68a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA7BC.tmp

Filesize
5B

MD5
e2fecc970546c3418917879fe354826c

SHA1
63f1c1dd01b87704a6b6c99fd9f141e0a3064f16

SHA256
ff91566d755f5d038ae698a2cc0a7d4d14e5273afafc37b6f03afda163768fa0

SHA512
3c4a68cbaee94f986515f43305a0e7620c14c30213d4a17db4a3e8a1b996764eb688bf733f472fc52073c2c80bb5229bb29411d7601aefe1c4370e230c341a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA7BC.tmp

Filesize
7B

MD5
67cfa7364c4cf265b047d87ff2e673ae

SHA1
56e27889277981a9b63fcf5b218744a125bbc2fa

SHA256
639b68bd180b47d542dd001d03557ee2d5b3065c3c783143bc9fb548f3fd7713

SHA512
17f28a136b20b89e9c3a418b08fd8e6fcaac960872dc33b2481af2d872efc44228f420759c57724f5d953c7ba98f2283e2acc7dfe5a58cbf719c6480ec7a648b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA7BC.tmp

Filesize
27B

MD5
0ec6691c283ddc7f19331d3c214c58d2

SHA1
5b30d6927130c7a3ce16dfa809238c6f6fc61e6f

SHA256
1bf567e8c29ff4bd0866da8a312c38c4c2ffabf6916a87fa7bc7bbba2b42db36

SHA512
8ea2702bd97781067bdfe3008e9aa1da303db56b8d03bd076823308d299e369b2d989708ea707b5c4a51b96d3d07001e7f0c3d9767f08933fde0f9feba28493f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA7BC.tmp

Filesize
29B

MD5
f302a24fc452fd85d13ad30a272d6f35

SHA1
3b9153f575b70084ae04fd55d5c86169eaa60916

SHA256
2edbbfdef57bac60adc902d6bd15abb9c3e044c0f660c9a63135d37ac0f6c63a

SHA512
477c3efa5d2bf5ef6ac57a0dc190014f98ff0bd1181106edff7b0db01d58b7f0d8c6eb77266202249f035cc056a726bfd7abdc2e0d672aadc9a45ed29d4b1bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA7BC.tmp

Filesize
48B

MD5
040cc34b899dd5230d5113b5156ec5d4

SHA1
60a49c8b3e3f33b38c1780e8826e50d9672c5bcf

SHA256
454a97bbcd88c00fd8617e38fec2ebc855a608adbb751ad5ce4355f6bd171c32

SHA512
e6d441445f20c73e6e23203323dd5ff68ac2a74767fa69aac7c2c1b05e7bd981cf461b66c9d516dc53b4bbc32117c12e103187cfca891846b9d42ee2aa2c423d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA7BC.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssA6A1.tmp

Filesize
63B

MD5
6a82ea02494893b849d7b981609561e4

SHA1
c4ab8d0a95600197c0517fb0c30e4d67683efb4a

SHA256
325f317c63480734ea71c33422a2416e25a678cc45e33edd33e939ac6f5e2fd6

SHA512
86f06d769bd277e2f75c0843df79a17f878c7c4c9f5412b68ade304b7bcdc35abf6714be2aa6166230d358d007799be703ed2e673df153aa96602799009674fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssA6A1.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssA6A1.tmp

Filesize
40B

MD5
28a6676780b5dc10cce96a2b07fd2dce

SHA1
2f49455fac0d2dfa8a3b087dcd14e1c62f97c94b

SHA256
b10b2877ad9f4d77d275562f4a233c4d2900e36568d5e1761c3d92b33e050a7a

SHA512
801b2519bc90819eb45aab326909e0a3e83dd3bce7b491f3489b2be4b0d0ef947245d2fbc6fd1702436378e48ec3a6a90f1f6df43684d614aa3fecc40382fca9

Download Submit
memory/4204-568-0x0000000077EB8000-0x0000000077EB9000-memory.dmp

Filesize
4KB

Download
memory/4204-569-0x0000000077E31000-0x0000000077F51000-memory.dmp

Filesize
1.1MB

Download
memory/4204-571-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/4204-572-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/4316-565-0x0000000077E31000-0x0000000077F51000-memory.dmp

Filesize
1.1MB

Download
memory/4316-566-0x0000000077E31000-0x0000000077F51000-memory.dmp

Filesize
1.1MB

Download
memory/4316-567-0x0000000074C95000-0x0000000074C96000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads