remcos | 0e0e4917d553e3bd7c39d4180c498c9052e171be7db2e1fdc6d47099482e44ce

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AMIBCP/AMIBCP.exe
Size

3.0MB
MD5

04ff3875bd4aaf9b1b97c44e63512e08
SHA1

7fead1d77557785fbf4d34883af8136106a8f4ae
SHA256

41e23bfeda59c1c9a4aab2d30fb6e277b92ca56eca438888d1415c6def82452c
SHA512

cc4fe3a7718836d689fcda9d690ddd1cd0cbfc4482bf961a7e9acf9c60c2572f94e2190b883de08a2cbcd34ed6b6d53b9483a597cd39c2d0a1465b825dfdfc14
SSDEEP

49152:ZEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVd3338t:t92bz2Eb6pd7B6bAGx7n333S

Score

10^/10

remcos new discovery rat

Malware Config

Extracted

Family

remcos

Botnet

New

185.183.32.159:7172

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
UuUuUUu333215s-7Q8DFP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 2 IoCs

pid	Process
2912	AMIBCP.exe
2596	ICQ.exe

Loads dropped DLL 14 IoCs

pid	Process
2140	AMIBCP.exe
2140	AMIBCP.exe
2140	AMIBCP.exe
2596	ICQ.exe
2596	ICQ.exe
2596	ICQ.exe
2596	ICQ.exe
2596	ICQ.exe
2596	ICQ.exe
2596	ICQ.exe
2596	ICQ.exe
2596	ICQ.exe
2596	ICQ.exe
332	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2596 set thread context of 332	2596	ICQ.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AMIBCP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AMIBCP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AMIBCP.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2140	AMIBCP.exe
2140	AMIBCP.exe
2596	ICQ.exe
332	cmd.exe
332	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2596	ICQ.exe
332	cmd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2140	AMIBCP.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2912	AMIBCP.exe
2912	AMIBCP.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2140	1700	AMIBCP.exe	28
PID 1700 wrote to memory of 2140	1700	AMIBCP.exe	28
PID 1700 wrote to memory of 2140	1700	AMIBCP.exe	28
PID 1700 wrote to memory of 2140	1700	AMIBCP.exe	28
PID 1700 wrote to memory of 2140	1700	AMIBCP.exe	28
PID 1700 wrote to memory of 2140	1700	AMIBCP.exe	28
PID 1700 wrote to memory of 2140	1700	AMIBCP.exe	28
PID 2140 wrote to memory of 2912	2140	AMIBCP.exe	29
PID 2140 wrote to memory of 2912	2140	AMIBCP.exe	29
PID 2140 wrote to memory of 2912	2140	AMIBCP.exe	29
PID 2140 wrote to memory of 2912	2140	AMIBCP.exe	29
PID 2140 wrote to memory of 2596	2140	AMIBCP.exe	30
PID 2140 wrote to memory of 2596	2140	AMIBCP.exe	30
PID 2140 wrote to memory of 2596	2140	AMIBCP.exe	30
PID 2140 wrote to memory of 2596	2140	AMIBCP.exe	30
PID 2596 wrote to memory of 332	2596	ICQ.exe	31
PID 2596 wrote to memory of 332	2596	ICQ.exe	31
PID 2596 wrote to memory of 332	2596	ICQ.exe	31
PID 2596 wrote to memory of 332	2596	ICQ.exe	31
PID 2596 wrote to memory of 332	2596	ICQ.exe	31
PID 332 wrote to memory of 1936	332	cmd.exe	33
PID 332 wrote to memory of 1936	332	cmd.exe	33
PID 332 wrote to memory of 1936	332	cmd.exe	33
PID 332 wrote to memory of 1936	332	cmd.exe	33
PID 332 wrote to memory of 1936	332	cmd.exe	33
PID 332 wrote to memory of 1936	332	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\AMIBCP\AMIBCP.exe
"C:\Users\Admin\AppData\Local\Temp\AMIBCP\AMIBCP.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\AMIBCP\AMIBCP.exe
  "C:\Users\Admin\AppData\Local\Temp\AMIBCP\AMIBCP.exe" /VERYSILENT
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Users\Admin\AppData\Roaming\AMIBCP\AMIBCP.exe
    "C:\Users\Admin\AppData\Roaming\AMIBCP\AMIBCP.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2912
- - C:\Users\Admin\AppData\Roaming\ICQ.exe
    "C:\Users\Admin\AppData\Roaming\ICQ.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:332
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2a2987d7

Filesize
1.1MB

MD5
5ec7f0619b3fc08495b3b249972cba1c

SHA1
ee7d601d95b885b1cdb551e54315f8adbac01e23

SHA256
d0c7642e3f872180862b51f7b2f890405e1dc949fcca06084e2954bd81e15ce8

SHA512
e0b89e4c7e365c5d8b4e97ae623b9ccafa958b18e213393cc6062e34881b9e88c393bfc34e48ec0f41623115d6ad8cf39bbe22a217f366de3d68aab289305603

Download Submit
C:\Users\Admin\AppData\Roaming\MCoreLib.dll

Filesize
106KB

MD5
815b07c37c83b13457d37ca8c6a7a561

SHA1
746138b85e5611fd058c008411889a15870083cd

SHA256
153c1b5e96e7bc4c9f858c3cc3bc6cd5e09ef68776d95871ca38824c430654c4

SHA512
8949ab1deae036ae785ad20c634519aa368b4768f0dd65c0dc53f8ea70dd7d707c984277b914de14054eb8a044182ff78205e3a02555e377750bb829760b8c31

Download Submit
C:\Users\Admin\AppData\Roaming\MDb.dll

Filesize
205KB

MD5
580fdcf4c38b155708fcfc2fc375b287

SHA1
63d689b601037f7a272cfc3b88fcd892d7391764

SHA256
2e5f2d3e4544b318152ee7b00a47f664b7414941ae284deb41ead1f09ac63475

SHA512
a691ce52cf62410148ff9a8e83f43930601d2053f0b0516f1923e9e5408d7a78a6eafb843c61078a3b99993fa616c612fdffc6d836599793c56984fa8d0519fc

Download Submit
C:\Users\Admin\AppData\Roaming\MSVCP71.dll

Filesize
488KB

MD5
561fa2abb31dfa8fab762145f81667c2

SHA1
c8ccb04eedac821a13fae314a2435192860c72b8

SHA256
df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b

SHA512
7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

Download Submit
C:\Users\Admin\AppData\Roaming\MSVCR71.dll

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Users\Admin\AppData\Roaming\MUICoreLib.dll

Filesize
824KB

MD5
60a5383ba17d8f519cb4356e28873a14

SHA1
6bf70393d957320a921226c7fcdf352a0a67442d

SHA256
80878e4543959b63cbd87e3ebb82f4988cbbdf9da564370aa15410783c5f343f

SHA512
a0e0ef1d821e13977d14a806357128285edc0a26c01dcf9fd99e7c62f8efccdf608b1c0dceb1f3f40e988692eb549e22193d9ce253a1c0c1d8b10c46955bee12

Download Submit
C:\Users\Admin\AppData\Roaming\MUIUtils.dll

Filesize
385KB

MD5
97d6efb8b8e0b0f03701a7bafc398545

SHA1
0fe11e0b7f47fdec9aaa98b83728c125409e9d5b

SHA256
51c8715fac6797b7f962a68903f1f994c2af1088ac31972b5e512dab5ab4fd8e

SHA512
2bf8935ad96f35586be6074e8798fa36ee13a05cef05aa0df120ef6800cc1d941310c672894d2380b87c7491663c137fa5bcade4a732bcc6448ba3bf0badb2d7

Download Submit
C:\Users\Admin\AppData\Roaming\MUtils.dll

Filesize
619KB

MD5
6da9a492898b66db78f5c9d3fc7ecc64

SHA1
d264f67d92ccd4cfeaed1510ed0b6ae90d3f7db4

SHA256
50dfc607913a47dd266e27f6533f3f6b8f9fe995582f7662a944149a26b5054c

SHA512
11bc138d16f279d70ece09e3d238ce891bc5015b6d49a750e153c2b9286bf95e285e818ed5e25e7c731cdfff1324cdb74155f68fda0ef8104eb0d554e2b2923e

Download Submit
C:\Users\Admin\AppData\Roaming\barbotine.pdf

Filesize
924KB

MD5
6a13d0c301e89364981d825e5009af91

SHA1
612e89dbb49911b85f20ea0f3d3dd029489a9068

SHA256
be894a071695fe0f2b61cc67bbc5f45947099ab673ed76a5fd53bc08151f8582

SHA512
4890b519681a790008313162674d402c982d9fca7d4265405eb9ec77cbb0d19a991d353a3d0f0f28f1182f7187175ee9f15967daea5a62e5c4863ab86aa31de3

Download Submit
C:\Users\Admin\AppData\Roaming\coolcore49.dll

Filesize
764KB

MD5
4f27d1bacaf09d1919484355b341c868

SHA1
f1be78d484235270a1416c6acb20e2915ae050db

SHA256
12cddd3c62ff777f1738226fe0b4b36c8170e5e1c0c47fb5913f1a780dc5f450

SHA512
328277fe18d2bbc11160d0c239c90e94d2689b8dbefb6fe46febb730fbcc6e18ced429f839d7a81d8e1b42fe4c1cb4afaaa5745353daf271ac21984f5c67aced

Download Submit
\Users\Admin\AppData\Roaming\AMIBCP\AMIBCP.exe

Filesize
628KB

MD5
6aaa17db2020e48b54eb76df4c2a586a

SHA1
f9d3df954a43e66744ca028fe38c7753188a9164

SHA256
3f90e402dab9f64cbc4514e18bc2625ec7672da806cd9e0ef2e803b0ce104a01

SHA512
98d92fcfe554651ea4525e2be3a1e32af6547da94aee4bfdbca9fb4d67b88357d6bf57ab3580d666dd5f1c08a280658067cff1c66482d09f9460403c5e197f93

Download Submit
\Users\Admin\AppData\Roaming\ICQ.exe

Filesize
168KB

MD5
aef6452711538d9021f929a2a5f633cf

SHA1
205b7fab75e77d1ff123991489462d39128e03f6

SHA256
e611a1ffbe9e08a2660bc290a581aa0b54637524aaf6040a70e54f97136ce5ac

SHA512
7ad84d4d3bab3f5a3e14f336d8931bf4b876299000081b2a94a3fcf698c56b82514753b483c5b8d7ae84ddd92ee1c4043fa5e7fb7c4f7e9eb52ca8c794e508b7

Download Submit
\Users\Admin\AppData\Roaming\MKernel.dll

Filesize
219KB

MD5
98a71909605b7d088f82d66abc64d4c2

SHA1
1e250127851a331dd914215348ef51fff78442c9

SHA256
46410947d60a8b92869aa2cf27b57a94c710047f168ac3bc23879a8461f8686a

SHA512
efa8e407e3fbfb81da07b584b8bbd2a440074388ae3ff6175abc88614b42b53ca70206e7ada00273457fafac58d7729f1c945a9e79ce793bc48229035194b267

Download Submit
\Users\Admin\AppData\Roaming\xprt6.dll

Filesize
244KB

MD5
d145903e217ddde20ce32ed9e5074e16

SHA1
bdb3265d872f446d7445aae4f2d0beba5dae3bd8

SHA256
9317971d3615415691420d06b06de89b67aea164877b74e308bb9c338ca0eca4

SHA512
00e7df32ab3c8a46b4e8761634ddeac28410f46a9312923f46b1d83376d69489653763661f2c51ac9f85028a11d8496c911eabcb55a19222caf311be61504666

Download Submit
memory/332-120-0x0000000073B20000-0x0000000073C94000-memory.dmp

Filesize
1.5MB

Download
memory/332-73-0x0000000076E40000-0x0000000076FE9000-memory.dmp

Filesize
1.7MB

Download
memory/1700-1-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1700-3-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/1936-129-0x0000000000150000-0x00000000001D3000-memory.dmp

Filesize
524KB

Download
memory/1936-133-0x0000000000150000-0x00000000001D3000-memory.dmp

Filesize
524KB

Download
memory/1936-137-0x0000000000150000-0x00000000001D3000-memory.dmp

Filesize
524KB

Download
memory/1936-136-0x0000000000150000-0x00000000001D3000-memory.dmp

Filesize
524KB

Download
memory/1936-135-0x0000000000150000-0x00000000001D3000-memory.dmp

Filesize
524KB

Download
memory/1936-122-0x0000000076E40000-0x0000000076FE9000-memory.dmp

Filesize
1.7MB

Download
memory/1936-123-0x0000000000150000-0x00000000001D3000-memory.dmp

Filesize
524KB

Download
memory/1936-127-0x0000000000150000-0x00000000001D3000-memory.dmp

Filesize
524KB

Download
memory/1936-128-0x0000000000150000-0x00000000001D3000-memory.dmp

Filesize
524KB

Download
memory/1936-134-0x0000000000150000-0x00000000001D3000-memory.dmp

Filesize
524KB

Download
memory/1936-130-0x0000000000150000-0x00000000001D3000-memory.dmp

Filesize
524KB

Download
memory/1936-131-0x0000000000150000-0x00000000001D3000-memory.dmp

Filesize
524KB

Download
memory/1936-132-0x0000000000150000-0x00000000001D3000-memory.dmp

Filesize
524KB

Download
memory/2140-68-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2596-70-0x0000000073B20000-0x0000000073C94000-memory.dmp

Filesize
1.5MB

Download
memory/2596-62-0x00000000002F0000-0x0000000000353000-memory.dmp

Filesize
396KB

Download
memory/2596-67-0x0000000073B20000-0x0000000073C94000-memory.dmp

Filesize
1.5MB

Download
memory/2596-69-0x0000000076E40000-0x0000000076FE9000-memory.dmp

Filesize
1.7MB

Download