remcos | 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/11/2024, 19:16 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe
Size

981KB
MD5

5609198accfb2ccedb39e7755ed6a36c
SHA1

2bc0ee0e47c40a298038863338c4c07d7029d695
SHA256

06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f
SHA512

f49ad0d40d40f9073a90cabd73065c4d2ab9de0f340dd109196161ad8bcbd2f73917c5232ec752241231df6ce069e5a0503c844f522a3e7c49daa3ed66a290d3
SSDEEP

24576:IAZCJVAeo/UMV0w7KpWXPL8YKSdtJ/JVw6:mPOd8WIYKSdt5

Score

10^/10

remcos host discovery rat

Malware Config

Extracted

Family

remcos

Botnet

Host

oyo.work.gd:3142

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
vlc
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
pdf
mouse_option
false
mutex
jkm-I9KENP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
ios
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2188 set thread context of 2896	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	97

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe
2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2896	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2956	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	96
PID 2188 wrote to memory of 2956	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	96
PID 2188 wrote to memory of 2956	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	96
PID 2188 wrote to memory of 2896	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	97
PID 2188 wrote to memory of 2896	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	97
PID 2188 wrote to memory of 2896	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	97
PID 2188 wrote to memory of 2896	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	97
PID 2188 wrote to memory of 2896	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	97
PID 2188 wrote to memory of 2896	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	97
PID 2188 wrote to memory of 2896	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	97
PID 2188 wrote to memory of 2896	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	97
PID 2188 wrote to memory of 2896	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	97
PID 2188 wrote to memory of 2896	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	97
PID 2188 wrote to memory of 2896	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	97
PID 2188 wrote to memory of 2896	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	97

C:\Users\Admin\AppData\Local\Temp\06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe
"C:\Users\Admin\AppData\Local\Temp\06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe
  "C:\Users\Admin\AppData\Local\Temp\06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe"
  2⤵
  PID:2956
- C:\Users\Admin\AppData\Local\Temp\06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe
  "C:\Users\Admin\AppData\Local\Temp\06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2896

Network

DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

56.163.245.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.163.245.4.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

92.12.20.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

92.12.20.2.in-addr.arpa

IN PTR

Response

92.12.20.2.in-addr.arpa

IN PTR

a2-20-12-92deploystaticakamaitechnologiescom
DNS

oyo.work.gd

06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe

Remote address:

8.8.8.8:53

Request

oyo.work.gd

IN A

Response

oyo.work.gd

IN A

154.216.20.185
DNS

185.20.216.154.in-addr.arpa

Remote address:

8.8.8.8:53

Request

185.20.216.154.in-addr.arpa

IN PTR

Response
DNS

geoplugin.net

06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe

Remote address:

8.8.8.8:53

Request

geoplugin.net

IN A

Response

geoplugin.net

IN A

178.237.33.50
GET

http://geoplugin.net/json.gp

06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe

Remote address:

178.237.33.50:80

Request

GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

date: Fri, 15 Nov 2024 19:17:34 GMT
server: Apache
content-length: 956
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
DNS

50.33.237.178.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.33.237.178.in-addr.arpa

IN PTR

Response

50.33.237.178.in-addr.arpa

IN CNAME

50.32/27.178.237.178.in-addr.arpa
DNS

30.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.243.111.52.in-addr.arpa

IN PTR

Response

154.216.20.185:3142

oyo.work.gd

tls

06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe

3.3kB
1.5kB
12
15
178.237.33.50:80

http://geoplugin.net/json.gp

http

06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe

485 B
1.3kB
9
3

HTTP Request

GET http://geoplugin.net/json.gp

HTTP Response

200

8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

56.163.245.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

56.163.245.4.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

92.12.20.2.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

92.12.20.2.in-addr.arpa
8.8.8.8:53

oyo.work.gd

dns

06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe

57 B
73 B
1
1

DNS Request

oyo.work.gd

DNS Response

154.216.20.185
8.8.8.8:53

185.20.216.154.in-addr.arpa

dns

73 B
134 B
1
1

DNS Request

185.20.216.154.in-addr.arpa
8.8.8.8:53

geoplugin.net

dns

06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe

59 B
75 B
1
1

DNS Request

geoplugin.net

DNS Response

178.237.33.50
8.8.8.8:53

50.33.237.178.in-addr.arpa

dns

72 B
155 B
1
1

DNS Request

50.33.237.178.in-addr.arpa
8.8.8.8:53

30.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pdf\logs.dat

Filesize
144B

MD5
1a81ecd7ffd8d42a3979cd0efa3c5b6b

SHA1
b67035b395ba03d4013de2f582b8ab77f3588ac6

SHA256
f2e9020741e9dce39169363135ef758696de6757e45bfdb4bf4a115637dfd995

SHA512
573b9ef02e6dd7277a9fc32846ef57b96841be79f1c3573bb8579fb6748deb36ff7fb93637d03e919c3cdd5835d64cfacc78d4ee5a9f4aeb5dc267d0c47fc23e

Download Submit
memory/2188-6-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2188-2-0x0000000005830000-0x0000000005DD4000-memory.dmp

Filesize
5.6MB

Download
memory/2188-3-0x0000000005120000-0x00000000051B2000-memory.dmp

Filesize
584KB

Download
memory/2188-4-0x00000000051C0000-0x000000000525C000-memory.dmp

Filesize
624KB

Download
memory/2188-5-0x0000000005100000-0x000000000510A000-memory.dmp

Filesize
40KB

Download
memory/2188-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/2188-7-0x0000000006400000-0x0000000006412000-memory.dmp

Filesize
72KB

Download
memory/2188-8-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/2188-9-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2188-10-0x0000000006440000-0x0000000006500000-memory.dmp

Filesize
768KB

Download
memory/2188-1-0x0000000000610000-0x000000000070C000-memory.dmp

Filesize
1008KB

Download
memory/2188-21-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2896-18-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-23-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-19-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-16-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-20-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-12-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-22-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-14-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-24-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-26-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-29-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-11-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-35-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-34-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-51-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-50-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.