remcos | 6177136bd2ab5a59885aed70a333b5b59885bc9457bd36a98f176f6d26c8b530

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6177136bd2ab5a59885aed70a333b5b59885bc9457bd36a98f176f6d26c8b530.exe
Size

1.7MB
MD5

1d572147e37c4766851afec9c30aacf9
SHA1

cee9e2191859ccbbb259329684bd1849056a3622
SHA256

6177136bd2ab5a59885aed70a333b5b59885bc9457bd36a98f176f6d26c8b530
SHA512

24f30d63ff61f729af2f84558b5f42778921be921706e182cbf58aa12637c44bc3967ec8e29583924791724b1af54db697a22bea4b8a02bede1cb21ed9f453c5
SSDEEP

49152:7JZoQrbTFZY1iaC3q3z8JFExUq4IoBNA13:7trbTA1Xz8EPTx13

Score

10^/10

remcos remotehost discovery rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

162.251.122.86:6644

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-CGA6IQ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Drops startup file 1 IoCs

Processes:

leucoryx.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\leucoryx.vbs	leucoryx.exe

Executes dropped EXE 2 IoCs

Processes:

leucoryx.exeleucoryx.exe

pid	Process
2016	leucoryx.exe
4524	leucoryx.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/files/0x000d000000023b48-14.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

leucoryx.exe

description	pid	Process	procid_target
PID 4524 set thread context of 2800	4524	leucoryx.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

6177136bd2ab5a59885aed70a333b5b59885bc9457bd36a98f176f6d26c8b530.exeleucoryx.exeleucoryx.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6177136bd2ab5a59885aed70a333b5b59885bc9457bd36a98f176f6d26c8b530.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leucoryx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leucoryx.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

leucoryx.exeleucoryx.exe

pid	Process
2016	leucoryx.exe
4524	leucoryx.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

6177136bd2ab5a59885aed70a333b5b59885bc9457bd36a98f176f6d26c8b530.exeleucoryx.exeleucoryx.exe

pid	Process
3972	6177136bd2ab5a59885aed70a333b5b59885bc9457bd36a98f176f6d26c8b530.exe
3972	6177136bd2ab5a59885aed70a333b5b59885bc9457bd36a98f176f6d26c8b530.exe
2016	leucoryx.exe
2016	leucoryx.exe
2016	leucoryx.exe
4524	leucoryx.exe
4524	leucoryx.exe

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

6177136bd2ab5a59885aed70a333b5b59885bc9457bd36a98f176f6d26c8b530.exeleucoryx.exeleucoryx.exe

pid	Process
3972	6177136bd2ab5a59885aed70a333b5b59885bc9457bd36a98f176f6d26c8b530.exe
3972	6177136bd2ab5a59885aed70a333b5b59885bc9457bd36a98f176f6d26c8b530.exe
2016	leucoryx.exe
2016	leucoryx.exe
2016	leucoryx.exe
4524	leucoryx.exe
4524	leucoryx.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

6177136bd2ab5a59885aed70a333b5b59885bc9457bd36a98f176f6d26c8b530.exeleucoryx.exeleucoryx.exe

description	pid	Process	procid_target
PID 3972 wrote to memory of 2016	3972	6177136bd2ab5a59885aed70a333b5b59885bc9457bd36a98f176f6d26c8b530.exe	86
PID 3972 wrote to memory of 2016	3972	6177136bd2ab5a59885aed70a333b5b59885bc9457bd36a98f176f6d26c8b530.exe	86
PID 3972 wrote to memory of 2016	3972	6177136bd2ab5a59885aed70a333b5b59885bc9457bd36a98f176f6d26c8b530.exe	86
PID 2016 wrote to memory of 4816	2016	leucoryx.exe	88
PID 2016 wrote to memory of 4816	2016	leucoryx.exe	88
PID 2016 wrote to memory of 4816	2016	leucoryx.exe	88
PID 2016 wrote to memory of 4524	2016	leucoryx.exe	89
PID 2016 wrote to memory of 4524	2016	leucoryx.exe	89
PID 2016 wrote to memory of 4524	2016	leucoryx.exe	89
PID 4524 wrote to memory of 2800	4524	leucoryx.exe	93
PID 4524 wrote to memory of 2800	4524	leucoryx.exe	93
PID 4524 wrote to memory of 2800	4524	leucoryx.exe	93
PID 4524 wrote to memory of 2800	4524	leucoryx.exe	93

C:\Users\Admin\AppData\Local\Temp\6177136bd2ab5a59885aed70a333b5b59885bc9457bd36a98f176f6d26c8b530.exe
"C:\Users\Admin\AppData\Local\Temp\6177136bd2ab5a59885aed70a333b5b59885bc9457bd36a98f176f6d26c8b530.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Users\Admin\AppData\Local\Keily\leucoryx.exe
  "C:\Users\Admin\AppData\Local\Temp\6177136bd2ab5a59885aed70a333b5b59885bc9457bd36a98f176f6d26c8b530.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\6177136bd2ab5a59885aed70a333b5b59885bc9457bd36a98f176f6d26c8b530.exe"
    3⤵
    PID:4816
- - C:\Users\Admin\AppData\Local\Keily\leucoryx.exe
    "C:\Users\Admin\AppData\Local\Keily\leucoryx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Keily\leucoryx.exe"
      4⤵
      PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Keily\leucoryx.exe

Filesize
1.7MB

MD5
1d572147e37c4766851afec9c30aacf9

SHA1
cee9e2191859ccbbb259329684bd1849056a3622

SHA256
6177136bd2ab5a59885aed70a333b5b59885bc9457bd36a98f176f6d26c8b530

SHA512
24f30d63ff61f729af2f84558b5f42778921be921706e182cbf58aa12637c44bc3967ec8e29583924791724b1af54db697a22bea4b8a02bede1cb21ed9f453c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\autB7E6.tmp

Filesize
1.0MB

MD5
8c0eddbbe2a56eebe17ab20b1dbd181d

SHA1
948d7336640aa0c042cfe3f1d987e923b0d3d50e

SHA256
82ab1b25d492c640341721d38785fd932bf9a93926addb2cdae6180f6b8ae4a7

SHA512
2219e2ce2a0cfea5fe9574e6d60bd3aefaf4cd83e2bd448ff31891983ce6d31d7d4e9b5ded5c4c3a028faa7c4585a5e934826ef8895c5cd45a32bcadc79515af

Download Submit
C:\Users\Admin\AppData\Local\Temp\autB845.tmp

Filesize
14KB

MD5
371ab0edf7e7af86b061f0172ed91bfb

SHA1
c5cce53a5e1f52ccecaadb9b03fa9f596848ba63

SHA256
3346c05c20bb6a0e4f15d8769f6219eef5b12c69c0fa81e40d089200cd951efc

SHA512
614e0a223183349583717d43ae758f1ec3ed714485bdd10d147c192945e88aa32817d835396edca36ac0d6f31cb7695c0a5a0559aeedf8903ba4caa5d3be961b

Download Submit
C:\Users\Admin\AppData\Local\Temp\misrun

Filesize
1.5MB

MD5
fa426b72f63fd9287636e7e4ba1e0483

SHA1
376d7665be7ba5a0676647d2c0ea053b741722bb

SHA256
c7ba59a9365363ac2b0e0816073c8bab9f70ce8493fed74e8078a589cf82fd42

SHA512
40738a48fefa98abac626951b7f741fb0b05c578454c1227cde14b048ef5765930fc52dcf018b1cac5f693c195bf5a0bb46d9dd9c1479e7528cafb5f551b53b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\misrun

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\renowner

Filesize
140KB

MD5
a939bf44771dcb9e74e043255059a6ad

SHA1
aa5434381ba69b69acec1715a5eaf8f78bd694fb

SHA256
56ff08e6c414a9704e2fb8666cf3a5e628453fc4493e84bc88614490c674c335

SHA512
25037b30c80b05fec07f59ff7d870ec8bc85c85086b21cb7a923c31021860354b7e699b3d0feb74837372e3253c2e2380de81fefc30637d6a5e9ef5b9b23be1a

Download Submit
memory/2016-29-0x0000000003C20000-0x0000000003E20000-memory.dmp

Filesize
2.0MB

Download
memory/2800-73-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-57-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-46-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-47-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-48-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-49-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-50-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-51-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-52-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-53-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-54-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-55-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-56-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-77-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-58-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-59-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-60-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-61-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-62-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-63-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-64-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-65-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-66-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-67-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-78-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-69-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-70-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-71-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-72-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-111-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-74-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-75-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-84-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-110-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-68-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-79-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-80-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-81-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-82-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-83-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-76-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-85-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-86-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-87-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-88-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-89-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-90-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-91-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-92-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-93-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-94-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-95-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-96-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-97-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-98-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-99-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-100-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-101-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-102-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-103-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-104-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-105-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-106-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-107-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-108-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2800-109-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3972-11-0x0000000003EB0000-0x0000000003FB0000-memory.dmp

Filesize
1024KB

Download
memory/4524-45-0x0000000002FD0000-0x00000000030D0000-memory.dmp

Filesize
1024KB

Download