remcos | 7cd0aecf362869ea49a4e67f3a45b1468778e9bde2a1ca9fdebc99d768a51c95

Analysis

max time kernel
400s
max time network
398s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2024 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Remcos-v5.3.0-Light.zip
Size

38.2MB
MD5

3ed3761b82c6d002b910a438ad502bda
SHA1

ae74e9c23e3abcef1d9f26e7407c794b63a8f1a3
SHA256

7cd0aecf362869ea49a4e67f3a45b1468778e9bde2a1ca9fdebc99d768a51c95
SHA512

0443f15b13fbdd22949d18f0ec0ddc47533256dae4832dcb28da018fe8cf5c4d6a655421b5d6740a7a10d4ad59ecb05412476f953a2fe4ec0e5e1cdb18773c9d
SSDEEP

786432:xIAqcuqP/oE0z2k8fw4d5UBBUklZ1lx95ibHKELKx6OPz+6kBQF:xIAqpUQl8fw84lx95gHKFcOPzJZF

Score

10^/10

remcos discovery rat upx

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Executes dropped EXE 8 IoCs

Processes:

Remcos v5.3.0 Light.exeupx.exeremcos_a.exeremcos_a.exeupx.exeremcos_a.exeupx.exeremcos_a.exe

pid process

4724 Remcos v5.3.0 Light.exe
428 upx.exe
5096 remcos_a.exe
544 remcos_a.exe
2600 upx.exe
3180 remcos_a.exe
2080 upx.exe
3296 remcos_a.exe
Loads dropped DLL 2 IoCs

Processes:

Remcos v5.3.0 Light.exe

pid process

4724 Remcos v5.3.0 Light.exe
4724 Remcos v5.3.0 Light.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Remcos v5.3.0 Light.exe

pid process

4724 Remcos v5.3.0 Light.exe
4724 Remcos v5.3.0 Light.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\upx.exe	upx
behavioral1/memory/428-82-0x0000000000400000-0x00000000005F5000-memory.dmp	upx
behavioral1/memory/428-90-0x0000000000400000-0x00000000005F5000-memory.dmp	upx
C:\Users\Admin\Documents\remcos_a.exe	upx
behavioral1/memory/5096-93-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/5096-94-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/544-100-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/544-101-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/2600-145-0x0000000000400000-0x00000000005F5000-memory.dmp	upx
behavioral1/memory/3180-148-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/3180-149-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/2080-193-0x0000000000400000-0x00000000005F5000-memory.dmp	upx
behavioral1/memory/3296-199-0x0000000000400000-0x000000000047D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4412	5096	WerFault.exe	remcos_a.exe
4504	544	WerFault.exe	remcos_a.exe
3308	3180	WerFault.exe	remcos_a.exe
3708	3296	WerFault.exe	remcos_a.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

upx.exeRemcos v5.3.0 Light.execmd.exeupx.exeremcos_a.execmd.exeupx.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remcos v5.3.0 Light.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos_a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 31 IoCs

Processes:

Remcos v5.3.0 Light.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Remcos v5.3.0 Light.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Documents"	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3"	Remcos v5.3.0 Light.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Remcos v5.3.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Remcos v5.3.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Remcos v5.3.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Remcos v5.3.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e80922b16d365937a46956b92703aca08af0000	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Remcos v5.3.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Remcos v5.3.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Remcos v5.3.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Remcos v5.3.0 Light.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Remcos v5.3.0 Light.exe

pid	process
4724	Remcos v5.3.0 Light.exe
4724	Remcos v5.3.0 Light.exe
4724	Remcos v5.3.0 Light.exe
4724	Remcos v5.3.0 Light.exe
4724	Remcos v5.3.0 Light.exe
4724	Remcos v5.3.0 Light.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Remcos v5.3.0 Light.exe7zFM.exe

pid process

4724 Remcos v5.3.0 Light.exe
2072 7zFM.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7zFM.exe

description pid process

Token: SeRestorePrivilege 2072 7zFM.exe
Token: 35 2072 7zFM.exe
Token: SeSecurityPrivilege 2072 7zFM.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zFM.exeRemcos v5.3.0 Light.exe

pid process

2072 7zFM.exe
2072 7zFM.exe
4724 Remcos v5.3.0 Light.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Remcos v5.3.0 Light.exe

pid process

4724 Remcos v5.3.0 Light.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Remcos v5.3.0 Light.exe

pid process

4724 Remcos v5.3.0 Light.exe
4724 Remcos v5.3.0 Light.exe
4724 Remcos v5.3.0 Light.exe
4724 Remcos v5.3.0 Light.exe

description	pid	process
Token: SeRestorePrivilege	2072	7zFM.exe
Token: 35	2072	7zFM.exe
Token: SeSecurityPrivilege	2072	7zFM.exe

pid	process
2072	7zFM.exe
2072	7zFM.exe
4724	Remcos v5.3.0 Light.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

Remcos v5.3.0 Light.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4724 wrote to memory of 4140	4724	Remcos v5.3.0 Light.exe	cmd.exe
PID 4724 wrote to memory of 4140	4724	Remcos v5.3.0 Light.exe	cmd.exe
PID 4724 wrote to memory of 4140	4724	Remcos v5.3.0 Light.exe	cmd.exe
PID 4140 wrote to memory of 428	4140	cmd.exe	upx.exe
PID 4140 wrote to memory of 428	4140	cmd.exe	upx.exe
PID 4140 wrote to memory of 428	4140	cmd.exe	upx.exe
PID 3988 wrote to memory of 544	3988	cmd.exe	remcos_a.exe
PID 3988 wrote to memory of 544	3988	cmd.exe	remcos_a.exe
PID 3988 wrote to memory of 544	3988	cmd.exe	remcos_a.exe
PID 4724 wrote to memory of 768	4724	Remcos v5.3.0 Light.exe	cmd.exe
PID 4724 wrote to memory of 768	4724	Remcos v5.3.0 Light.exe	cmd.exe
PID 4724 wrote to memory of 768	4724	Remcos v5.3.0 Light.exe	cmd.exe
PID 768 wrote to memory of 2600	768	cmd.exe	upx.exe
PID 768 wrote to memory of 2600	768	cmd.exe	upx.exe
PID 768 wrote to memory of 2600	768	cmd.exe	upx.exe
PID 3988 wrote to memory of 3180	3988	cmd.exe	remcos_a.exe
PID 3988 wrote to memory of 3180	3988	cmd.exe	remcos_a.exe
PID 3988 wrote to memory of 3180	3988	cmd.exe	remcos_a.exe
PID 4724 wrote to memory of 4332	4724	Remcos v5.3.0 Light.exe	cmd.exe
PID 4724 wrote to memory of 4332	4724	Remcos v5.3.0 Light.exe	cmd.exe
PID 4724 wrote to memory of 4332	4724	Remcos v5.3.0 Light.exe	cmd.exe
PID 4332 wrote to memory of 2080	4332	cmd.exe	upx.exe
PID 4332 wrote to memory of 2080	4332	cmd.exe	upx.exe
PID 4332 wrote to memory of 2080	4332	cmd.exe	upx.exe
PID 3988 wrote to memory of 3296	3988	cmd.exe	remcos_a.exe
PID 3988 wrote to memory of 3296	3988	cmd.exe	remcos_a.exe
PID 3988 wrote to memory of 3296	3988	cmd.exe	remcos_a.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Remcos-v5.3.0-Light.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2072

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\Remcos v5.3.0 Light.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v5.3.0 Light.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ""C:\Users\Admin\AppData\Local\Temp\upx.exe" --best "C:\Users\Admin\Documents\remcos_a.exe""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Users\Admin\AppData\Local\Temp\upx.exe
    "C:\Users\Admin\AppData\Local\Temp\upx.exe" --best "C:\Users\Admin\Documents\remcos_a.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:428
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ""C:\Users\Admin\AppData\Local\Temp\upx.exe" --best "C:\Users\Admin\Documents\remcos_a.exe""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Users\Admin\AppData\Local\Temp\upx.exe
    "C:\Users\Admin\AppData\Local\Temp\upx.exe" --best "C:\Users\Admin\Documents\remcos_a.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ""C:\Users\Admin\AppData\Local\Temp\upx.exe" --best "C:\Users\Admin\Documents\remcos_a.exe""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Users\Admin\AppData\Local\Temp\upx.exe
    "C:\Users\Admin\AppData\Local\Temp\upx.exe" --best "C:\Users\Admin\Documents\remcos_a.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2080

C:\Users\Admin\Documents\remcos_a.exe
"C:\Users\Admin\Documents\remcos_a.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 536
  2⤵
  - Program crash
  PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 5096 -ip 5096
1⤵
PID:2320

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Users\Admin\Documents\remcos_a.exe
  remcos_a.exe
  2⤵
  - Executes dropped EXE
  PID:544
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 516
    3⤵
    - Program crash
    PID:4504
- C:\Users\Admin\Documents\remcos_a.exe
  remcos_a.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 516
    3⤵
    - Program crash
    PID:3308
- C:\Users\Admin\Documents\remcos_a.exe
  remcos_a.exe
  2⤵
  - Executes dropped EXE
  PID:3296
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 516
    3⤵
    - Program crash
    PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 544 -ip 544
1⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3180 -ip 3180
1⤵
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3296 -ip 3296
1⤵
PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BuilderProfiles\DefaultProfile.ini

Filesize
403B

MD5
f14d3421601ff5bc324f913f3fa2a1de

SHA1
9efd4236bc8a8f0aaaf90bb26153df5e4b5eed2f

SHA256
c7474fa35498df2031118a9764044deb0af15ee07a20e7b4dfb5aaaec759b651

SHA512
4f09754ff4ab8e16292a4933f3501bf2ce558e0825f0d3f614e7cc85871b3d1ad4b6114a63dc06745659509ad80dea59e131d1bb505e9a2f8ef30f51582b5b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BuilderProfiles\DefaultProfile.ini

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BuilderProfiles\DefaultProfile.ini

Filesize
398B

MD5
11ea39f3d56bf71501ccbe1b18a500bb

SHA1
157f8d2003f36f645a7c46ceaffa1b15bd491298

SHA256
36e1bf75b6b1af9f8d1669e43b46d47254f30c6f18400fd22a2f1be95b627635

SHA512
4f25058368229e952b0c0477455b748cbf8906bfa1be5a1c99d1a9a2089e4e8135ab037f23ef904b38a07eb82b0b430871d5e8571d81d56b7aa1d133cff581e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos v5.3.0 Light.exe

Filesize
38.5MB

MD5
be1aa2a7600e0845d73cd004cd385135

SHA1
b49bfa8ada17ce0f4497a2f2e589824e700360ba

SHA256
20fefa38a50cd99ab81181ab99bee40c3639dbdd465ce2e277eebf1bd6308433

SHA512
adea6c19d96435f853cfa4685f836d20970d944d8155b0ec9d30b7ba3499bb46d9b3125a5a3baf5c244247de3ccd79de0835a3bbc0416b36083e78a1fc865e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos_Settings.ini

Filesize
73B

MD5
1b3e506805675892022bde3eae257e8e

SHA1
633743fa461c166d0e5f9bde0a963b6fc45b14a5

SHA256
fe07c59702ab1e3e1a85e86ceb6e284257b2e56facffc02c7ffe63d1ddb5a3db

SHA512
fcadd018d0e427fa0ce769942d767356a2f18448265213a979b8bd99ae30944720d15c6f0c463a462927777ea028328f36aa32bf1e3105ab0e829425f2c5fef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLS\libeay32.dll

Filesize
1.3MB

MD5
fa5def992198121d4bb5ff3bde39fdc9

SHA1
f684152c245cc708fbaf4d1c0472d783b26c5b18

SHA256
5264a4a478383f501961f2bd9beb1f77a43a487b76090561bba2cbfe951e5305

SHA512
4589382a71cd3a577b83bab4a0209e72e02f603e7da6ef3175b6a74bd958e70a891091dbdff4be0725baca2d665470594b03f074983b3ed3242e5cd04783fdba

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLS\remcos_client.key

Filesize
633B

MD5
455202a8f0a78e84919556a4f31f8eca

SHA1
2c0578b13ee09cfc203f246cbdcf28429486532b

SHA256
8548191e26d4adc20b3a9dd09eef3e44a2acf0060f373f35b789a6a6c4635dd7

SHA512
ae848d22991816b0616757b26cc90f889612cf20accb559234c08fe1d8a95a87bbe110d55ee6337433d8afc56b01d247e4a554b76d2c47ce1db1306b852d1899

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLS\remcos_server.key

Filesize
633B

MD5
c18055f9cd574d28d2d08d64a9c9c750

SHA1
f6979dbd9d3a65b5cafb4393fd363ba2704b6354

SHA256
e03a2afb34fc54d65443c56b1056209ceeab089a513daf3717ad364ee7c84c9e

SHA512
0ed56bb2fa235e8008422a7a72a309c69cd1d0748a83a4aa39446d45738a017e099c4fce449ee642b8ef61863fdac5a8b4fe63b6ff38e481808eec7b9a38c35a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLS\ssleay32.dll

Filesize
330KB

MD5
2117e31688aef8ecf267978265bfcdcd

SHA1
e8c3cfd65ed7947f23b1bb0b66185e1e73913cfc

SHA256
0a4031ab00664cc5e202c8731798800f0475ef76800122cebd71d249655d725f

SHA512
dd03899429c2d542558e30c84a076d7e5dbde5128495954093a7031854c1df68f8ff8eca4c791144937288b084dd261fbe090c4ff9a3e0768e26f0616b474eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\upx.exe

Filesize
402KB

MD5
e8b39f250fb67e115e07e9eac5c99708

SHA1
51bf6ab0baa3a4c6f45be46011baa8ccd7ceaf8f

SHA256
d634cde09d1aa1320a1d4c589d35d306f8350129faf225b2bca394128c2c4442

SHA512
37418c8941834c95f59bc026e82002035fcdd7ea217061a217d5ab28f9859f1aacf0e9f213bc5eb27e3f23db8d8817ae88abc3c2ab6a4f45ce3e4ca74c0ce7e8

Download Submit
C:\Users\Admin\Documents\remcos_a.exe

Filesize
428KB

MD5
c5f09b7719c8b0fff49750c4207b06b2

SHA1
a4e05827087c2db01d12677bde55079d549271a3

SHA256
254062f88f40324329b91a934ecd2b38355225a18f90e0d6f6588f8e181163b8

SHA512
d69a070d0ef9e937be6c5aba18ae21ba37f6a2c502a1b8d48ae9d088d338f3134b52ec1b920ceec9d2450b59bd90ac37b90b966ac3cabdc4304d83cb2b4742c0

Download Submit
C:\Users\Admin\Documents\remcos_a.exe

Filesize
210KB

MD5
f837d1af91ea62b79e8d8f5a96763613

SHA1
1c241830ededd993e776c18e17023eaa3e5fc655

SHA256
78c39200a1778775253d5357fed92fcf578263c10a2a18ae24f4606f266d3807

SHA512
c67c4b75a3bb029d91f7b4333deea9072440f3b62d7c942a756f85347b79c75400d2374fa725f7fc13bba5507a1858f304053c52cedefbf218a437ff3551f8b5

Download Submit
memory/428-90-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/428-82-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/544-100-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/544-101-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2080-193-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/2600-145-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/3180-149-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3180-148-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3296-199-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4724-15-0x0000000006C10000-0x0000000006C11000-memory.dmp

Filesize
4KB

Download
memory/4724-14-0x0000000006C00000-0x0000000006C01000-memory.dmp

Filesize
4KB

Download
memory/4724-13-0x0000000006BF0000-0x0000000006BF1000-memory.dmp

Filesize
4KB

Download
memory/4724-12-0x0000000006BC0000-0x0000000006BC1000-memory.dmp

Filesize
4KB

Download
memory/4724-11-0x0000000006730000-0x0000000006731000-memory.dmp

Filesize
4KB

Download
memory/4724-18-0x0000000000400000-0x00000000065DB000-memory.dmp

Filesize
97.9MB

Download
memory/4724-10-0x0000000006630000-0x0000000006631000-memory.dmp

Filesize
4KB

Download
memory/4724-16-0x0000000006C20000-0x0000000006C21000-memory.dmp

Filesize
4KB

Download
memory/4724-17-0x0000000006C30000-0x0000000006C31000-memory.dmp

Filesize
4KB

Download
memory/5096-94-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/5096-93-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download