remcos | 01586a182b954e21ee2f5151fe2a44e6d77cf5339953151808cfaa948bbe4a48

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NVCleanstall_1.16.0/NVCleanstall_1.16.0.exe
Size

3.0MB
MD5

d59e26ffa02d0b9a489544eb85cc743c
SHA1

377fb52dd65faa8b3ad04dce032932f1d5f3ff24
SHA256

fbb5b3960cf51f5c4cdeee63af58abb17f65f4b7849a07d694e21f39fc78819f
SHA512

e5baf062e706c18b6cb12293d37307d2b9e83c20c4f79ffdb8e50276538ab3bb7250f357c8cb4249529cec7fd0534dd2006239c0c871274a56a3ffd1f10d7acf
SSDEEP

49152:ZEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVd3338Z:t92bz2Eb6pd7B6bAGx7n333+

Score

10^/10

remcos new discovery rat

Malware Config

Extracted

Family

remcos

Botnet

NEW

185.183.32.159:4142

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
asdjkdsakjEndUUUUr-OT4KX5
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 33 IoCs

flow	pid	Process
40	3360	cmd.exe
41	3360	cmd.exe
42	3360	cmd.exe
43	3360	cmd.exe
44	3360	cmd.exe
47	3360	cmd.exe
49	3360	cmd.exe
50	3360	cmd.exe
51	3360	cmd.exe
52	3360	cmd.exe
53	3360	cmd.exe
54	3360	cmd.exe
55	3360	cmd.exe
56	3360	cmd.exe
57	3360	cmd.exe
61	3360	cmd.exe
63	3360	cmd.exe
64	3360	cmd.exe
65	3360	cmd.exe
66	3360	cmd.exe
67	3360	cmd.exe
68	3360	cmd.exe
69	3360	cmd.exe
70	3360	cmd.exe
71	3360	cmd.exe
72	3360	cmd.exe
73	3360	cmd.exe
74	3360	cmd.exe
75	3360	cmd.exe
76	3360	cmd.exe
77	3360	cmd.exe
78	3360	cmd.exe
83	3360	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	NVCleanstall_1.16.0.exe

Executes dropped EXE 2 IoCs

pid	Process
100	NVCleanstall_1.16.0.exe
1288	ICQ.exe

Loads dropped DLL 12 IoCs

pid	Process
1288	ICQ.exe
1288	ICQ.exe
1288	ICQ.exe
1288	ICQ.exe
1288	ICQ.exe
1288	ICQ.exe
1288	ICQ.exe
1288	ICQ.exe
1288	ICQ.exe
1288	ICQ.exe
1288	ICQ.exe
1288	ICQ.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1288 set thread context of 4716	1288	ICQ.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVCleanstall_1.16.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVCleanstall_1.16.0.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4988	NVCleanstall_1.16.0.exe
4988	NVCleanstall_1.16.0.exe
1288	ICQ.exe
4716	cmd.exe
4716	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1288	ICQ.exe
4716	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	100	NVCleanstall_1.16.0.exe
Token: SeCreatePagefilePrivilege	100	NVCleanstall_1.16.0.exe
Token: SeDebugPrivilege	100	NVCleanstall_1.16.0.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4988	NVCleanstall_1.16.0.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 4988	3824	NVCleanstall_1.16.0.exe	85
PID 3824 wrote to memory of 4988	3824	NVCleanstall_1.16.0.exe	85
PID 3824 wrote to memory of 4988	3824	NVCleanstall_1.16.0.exe	85
PID 4988 wrote to memory of 100	4988	NVCleanstall_1.16.0.exe	87
PID 4988 wrote to memory of 100	4988	NVCleanstall_1.16.0.exe	87
PID 4988 wrote to memory of 1288	4988	NVCleanstall_1.16.0.exe	88
PID 4988 wrote to memory of 1288	4988	NVCleanstall_1.16.0.exe	88
PID 4988 wrote to memory of 1288	4988	NVCleanstall_1.16.0.exe	88
PID 1288 wrote to memory of 4716	1288	ICQ.exe	89
PID 1288 wrote to memory of 4716	1288	ICQ.exe	89
PID 1288 wrote to memory of 4716	1288	ICQ.exe	89
PID 1288 wrote to memory of 4716	1288	ICQ.exe	89
PID 4716 wrote to memory of 3360	4716	cmd.exe	100
PID 4716 wrote to memory of 3360	4716	cmd.exe	100
PID 4716 wrote to memory of 3360	4716	cmd.exe	100
PID 4716 wrote to memory of 3360	4716	cmd.exe	100
PID 4716 wrote to memory of 3360	4716	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
  "C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe" /VERYSILENT
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
    "C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:100
- - C:\Users\Admin\AppData\Roaming\ICQ.exe
    "C:\Users\Admin\AppData\Roaming\ICQ.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4716
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        
        PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3f28978b

Filesize
1.1MB

MD5
f65d2ac8d38f6929b07826d88f637f73

SHA1
8b86c4683e26c82ea73e069873f798d5337a385b

SHA256
10e29bf0bbf84e110794f50cdb5596d178ea20f8f50772639e19861b321c0ebf

SHA512
832ce7540690d703ac668eaed5439d3d2b8b2d51a0103f548a712dd97e5a6b72d1746d9602cbf7e5da0c48a449244b4358bffea7b4df8f81bfda24c64a7caeb0

Download Submit
C:\Users\Admin\AppData\Roaming\ICQ.exe

Filesize
168KB

MD5
aef6452711538d9021f929a2a5f633cf

SHA1
205b7fab75e77d1ff123991489462d39128e03f6

SHA256
e611a1ffbe9e08a2660bc290a581aa0b54637524aaf6040a70e54f97136ce5ac

SHA512
7ad84d4d3bab3f5a3e14f336d8931bf4b876299000081b2a94a3fcf698c56b82514753b483c5b8d7ae84ddd92ee1c4043fa5e7fb7c4f7e9eb52ca8c794e508b7

Download Submit
C:\Users\Admin\AppData\Roaming\MCoreLib.dll

Filesize
106KB

MD5
815b07c37c83b13457d37ca8c6a7a561

SHA1
746138b85e5611fd058c008411889a15870083cd

SHA256
153c1b5e96e7bc4c9f858c3cc3bc6cd5e09ef68776d95871ca38824c430654c4

SHA512
8949ab1deae036ae785ad20c634519aa368b4768f0dd65c0dc53f8ea70dd7d707c984277b914de14054eb8a044182ff78205e3a02555e377750bb829760b8c31

Download Submit
C:\Users\Admin\AppData\Roaming\MDb.dll

Filesize
205KB

MD5
580fdcf4c38b155708fcfc2fc375b287

SHA1
63d689b601037f7a272cfc3b88fcd892d7391764

SHA256
2e5f2d3e4544b318152ee7b00a47f664b7414941ae284deb41ead1f09ac63475

SHA512
a691ce52cf62410148ff9a8e83f43930601d2053f0b0516f1923e9e5408d7a78a6eafb843c61078a3b99993fa616c612fdffc6d836599793c56984fa8d0519fc

Download Submit
C:\Users\Admin\AppData\Roaming\MKernel.dll

Filesize
219KB

MD5
98a71909605b7d088f82d66abc64d4c2

SHA1
1e250127851a331dd914215348ef51fff78442c9

SHA256
46410947d60a8b92869aa2cf27b57a94c710047f168ac3bc23879a8461f8686a

SHA512
efa8e407e3fbfb81da07b584b8bbd2a440074388ae3ff6175abc88614b42b53ca70206e7ada00273457fafac58d7729f1c945a9e79ce793bc48229035194b267

Download Submit
C:\Users\Admin\AppData\Roaming\MSVCP71.dll

Filesize
488KB

MD5
561fa2abb31dfa8fab762145f81667c2

SHA1
c8ccb04eedac821a13fae314a2435192860c72b8

SHA256
df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b

SHA512
7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

Download Submit
C:\Users\Admin\AppData\Roaming\MUICoreLib.dll

Filesize
824KB

MD5
60a5383ba17d8f519cb4356e28873a14

SHA1
6bf70393d957320a921226c7fcdf352a0a67442d

SHA256
80878e4543959b63cbd87e3ebb82f4988cbbdf9da564370aa15410783c5f343f

SHA512
a0e0ef1d821e13977d14a806357128285edc0a26c01dcf9fd99e7c62f8efccdf608b1c0dceb1f3f40e988692eb549e22193d9ce253a1c0c1d8b10c46955bee12

Download Submit
C:\Users\Admin\AppData\Roaming\MUIUtils.dll

Filesize
385KB

MD5
97d6efb8b8e0b0f03701a7bafc398545

SHA1
0fe11e0b7f47fdec9aaa98b83728c125409e9d5b

SHA256
51c8715fac6797b7f962a68903f1f994c2af1088ac31972b5e512dab5ab4fd8e

SHA512
2bf8935ad96f35586be6074e8798fa36ee13a05cef05aa0df120ef6800cc1d941310c672894d2380b87c7491663c137fa5bcade4a732bcc6448ba3bf0badb2d7

Download Submit
C:\Users\Admin\AppData\Roaming\MUtils.dll

Filesize
619KB

MD5
6da9a492898b66db78f5c9d3fc7ecc64

SHA1
d264f67d92ccd4cfeaed1510ed0b6ae90d3f7db4

SHA256
50dfc607913a47dd266e27f6533f3f6b8f9fe995582f7662a944149a26b5054c

SHA512
11bc138d16f279d70ece09e3d238ce891bc5015b6d49a750e153c2b9286bf95e285e818ed5e25e7c731cdfff1324cdb74155f68fda0ef8104eb0d554e2b2923e

Download Submit
C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe

Filesize
3.8MB

MD5
41421866b825dbdcc5f29a0bbd484362

SHA1
f7637ef22c82a108ab4668baca40e4f03eb49a5c

SHA256
efecb17d9d73082bf28a6e7c6bb87a81c65a59b2d4d14251678da3cffa6a12a1

SHA512
72ba988029e87661ad2adf68f79d054febe499d2fb3220518df7372b953d761acf88470f1620f7660eba963c42bc9327ad070b0c386282f6654f80b0ed50599d

Download Submit
C:\Users\Admin\AppData\Roaming\barbotine.pdf

Filesize
1.0MB

MD5
5dc65854e5245a57ff692c31c8c54b3f

SHA1
3f4f02f85f4e5a7d37840bfc9cfa8ae52426e873

SHA256
443a58f879cfd6495a7f5a453a268dc2c48b2b99d59c74366d6ac37073c450fd

SHA512
def9879c5c6cc13c87e8d5df77dd4a8e08afad9097d937b803fb824eaf26a9896a28e420545f0c0d0339ec8762cb45793ae10a43a4323726691e3f22be78b0dd

Download Submit
C:\Users\Admin\AppData\Roaming\coolcore49.dll

Filesize
764KB

MD5
4f27d1bacaf09d1919484355b341c868

SHA1
f1be78d484235270a1416c6acb20e2915ae050db

SHA256
12cddd3c62ff777f1738226fe0b4b36c8170e5e1c0c47fb5913f1a780dc5f450

SHA512
328277fe18d2bbc11160d0c239c90e94d2689b8dbefb6fe46febb730fbcc6e18ced429f839d7a81d8e1b42fe4c1cb4afaaa5745353daf271ac21984f5c67aced

Download Submit
C:\Users\Admin\AppData\Roaming\msvcr71.dll

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Users\Admin\AppData\Roaming\xprt6.dll

Filesize
244KB

MD5
d145903e217ddde20ce32ed9e5074e16

SHA1
bdb3265d872f446d7445aae4f2d0beba5dae3bd8

SHA256
9317971d3615415691420d06b06de89b67aea164877b74e308bb9c338ca0eca4

SHA512
00e7df32ab3c8a46b4e8761634ddeac28410f46a9312923f46b1d83376d69489653763661f2c51ac9f85028a11d8496c911eabcb55a19222caf311be61504666

Download Submit
memory/100-71-0x000001EBE7400000-0x000001EBE79C0000-memory.dmp

Filesize
5.8MB

Download
memory/100-77-0x000001EBCED00000-0x000001EBCED0E000-memory.dmp

Filesize
56KB

Download
memory/100-74-0x000001EBCD090000-0x000001EBCD096000-memory.dmp

Filesize
24KB

Download
memory/100-73-0x000001EBE95A0000-0x000001EBE9A6C000-memory.dmp

Filesize
4.8MB

Download
memory/100-72-0x000001EBCD0C0000-0x000001EBCD0E2000-memory.dmp

Filesize
136KB

Download
memory/100-66-0x000001EBCC930000-0x000001EBCCCF4000-memory.dmp

Filesize
3.8MB

Download
memory/100-76-0x000001EBE9530000-0x000001EBE9568000-memory.dmp

Filesize
224KB

Download
memory/100-75-0x000001EBCEB20000-0x000001EBCEB28000-memory.dmp

Filesize
32KB

Download
memory/1288-78-0x0000000074400000-0x000000007457B000-memory.dmp

Filesize
1.5MB

Download
memory/1288-61-0x00000000009E0000-0x0000000000A43000-memory.dmp

Filesize
396KB

Download
memory/1288-69-0x0000000074400000-0x000000007457B000-memory.dmp

Filesize
1.5MB

Download
memory/1288-64-0x0000000000A50000-0x0000000000B21000-memory.dmp

Filesize
836KB

Download
memory/1288-70-0x00007FFC2B390000-0x00007FFC2B585000-memory.dmp

Filesize
2.0MB

Download
memory/3360-91-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3360-93-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3360-98-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3360-97-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3360-96-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3360-95-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3360-85-0x00007FFC2B390000-0x00007FFC2B585000-memory.dmp

Filesize
2.0MB

Download
memory/3360-86-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3360-88-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3360-89-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3360-90-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3360-94-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3360-92-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3824-4-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/3824-0-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/4716-83-0x0000000074400000-0x000000007457B000-memory.dmp

Filesize
1.5MB

Download
memory/4716-81-0x00007FFC2B390000-0x00007FFC2B585000-memory.dmp

Filesize
2.0MB

Download
memory/4988-68-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/4988-3-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download