remcos | bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178f

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17/11/2024, 14:37 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe
Size

916KB
MD5

7c9117e9ec6db111cf1f67d512b5e800
SHA1

8b88b24bf4893a9c1dff2f79425f4cbea4a79bd5
SHA256

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178f
SHA512

a4cf30a429ebb4f2533538f51ef0314f7993b653a5989bac51d944eb4c163dc16745e858ddc81bbe400bce80f4ee839fb876abacc1dede69b491375fd0767cb2
SSDEEP

24576:bMyqk7d8gE/KTudG5Zl75eJzKo8BYttZ7npS4d:XZ8gE/KSdyT5u+fB6TpSo

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

alibabaforwader.duckdns.org:60247

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-6XDESO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2556	powershell.exe
2712	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2996 set thread context of 1704	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2564	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe
2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe
2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe
2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe
2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe
2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe
2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe
2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe
2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe
2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe
2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe
2556	powershell.exe
2712	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1704	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2712	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	31
PID 2996 wrote to memory of 2712	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	31
PID 2996 wrote to memory of 2712	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	31
PID 2996 wrote to memory of 2712	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	31
PID 2996 wrote to memory of 2556	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	33
PID 2996 wrote to memory of 2556	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	33
PID 2996 wrote to memory of 2556	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	33
PID 2996 wrote to memory of 2556	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	33
PID 2996 wrote to memory of 2564	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	35
PID 2996 wrote to memory of 2564	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	35
PID 2996 wrote to memory of 2564	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	35
PID 2996 wrote to memory of 2564	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	35
PID 2996 wrote to memory of 2356	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	37
PID 2996 wrote to memory of 2356	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	37
PID 2996 wrote to memory of 2356	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	37
PID 2996 wrote to memory of 2356	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	37
PID 2996 wrote to memory of 2080	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	38
PID 2996 wrote to memory of 2080	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	38
PID 2996 wrote to memory of 2080	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	38
PID 2996 wrote to memory of 2080	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	38
PID 2996 wrote to memory of 1704	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	39
PID 2996 wrote to memory of 1704	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	39
PID 2996 wrote to memory of 1704	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	39
PID 2996 wrote to memory of 1704	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	39
PID 2996 wrote to memory of 1704	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	39
PID 2996 wrote to memory of 1704	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	39
PID 2996 wrote to memory of 1704	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	39
PID 2996 wrote to memory of 1704	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	39
PID 2996 wrote to memory of 1704	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	39
PID 2996 wrote to memory of 1704	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	39
PID 2996 wrote to memory of 1704	2996	bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe	39

C:\Users\Admin\AppData\Local\Temp\bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe
"C:\Users\Admin\AppData\Local\Temp\bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pNlkzRsCluNDj.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNlkzRsCluNDj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD308.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2564
- C:\Users\Admin\AppData\Local\Temp\bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe
  "C:\Users\Admin\AppData\Local\Temp\bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe"
  2⤵
  PID:2356
- C:\Users\Admin\AppData\Local\Temp\bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe
  "C:\Users\Admin\AppData\Local\Temp\bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe"
  2⤵
  PID:2080
- C:\Users\Admin\AppData\Local\Temp\bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe
  "C:\Users\Admin\AppData\Local\Temp\bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1704

Network

DNS

alibabaforwader.duckdns.org

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

Remote address:

8.8.8.8:53

Request

alibabaforwader.duckdns.org

IN A

Response

alibabaforwader.duckdns.org

IN A

192.169.69.26
DNS

alibabaforwader.duckdns.org

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

Remote address:

8.8.8.8:53

Request

alibabaforwader.duckdns.org

IN A

Response

alibabaforwader.duckdns.org

IN A

192.169.69.26

192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

alibabaforwader.duckdns.org

tls

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

304 B
88 B
3
2
192.169.69.26:60247

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

8.8.8.8:53

alibabaforwader.duckdns.org

dns

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

73 B
89 B
1
1

DNS Request

alibabaforwader.duckdns.org

DNS Response

192.169.69.26
8.8.8.8:53

alibabaforwader.duckdns.org

dns

bb4bf3eb6ca4a9b81bf741b5d85d82127c8b8e716637e7d37450980c28f0178fN.exe

73 B
89 B
1
1

DNS Request

alibabaforwader.duckdns.org

DNS Response

192.169.69.26

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
db5c99165c97b6ebb4631a4b8a722314

SHA1
992b11cc3647961e2db1b1427ac0b44e48cff822

SHA256
cb00967f3dab226ed269b8a8173123696221533bf5f918170ef76449b41874db

SHA512
ef681cfaf1feb986bfe312a9c887381b76b662c8346e642f0cb705dfd377047d43d417e43a97716633c1e134a99b35e3f6aa0f13ef81785af512272b8ae17b36

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD308.tmp

Filesize
1KB

MD5
5257e9afa22fcea88d5b6ed4a204c3cb

SHA1
b845371f8f35c23ee5570400c0c0616af3f54105

SHA256
7d8cace133d9d7977d548f07eb4ae1004b315c7296be00ba08a64c7ceddd6d24

SHA512
229e6687d52208d85be521c13629effccb91e8eae980dd85fa4d22cbf8a4e18f1132b536c2230553985357f0166ae8f81d392f161897fdcaa9c213e10587165b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
ec6fd60c69064eaf4ffbefc8f4490342

SHA1
c5f6737fd83cbe564c220f595b41933d108518e2

SHA256
f764837eb744bcfe6ecc1837c80f3ea02d30562ffe00e364589eeea7d24326f9

SHA512
3fbf6cf718538fad95a4ffbafdbfc4f2417cdc7a69fdc5d6d142151bcc0fe5fa4d0662fbf58b2a450d717d3ecee2ceebe3fb7f495cf18b368599cba20927cef5

Download Submit
memory/1704-51-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-71-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-90-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-88-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-21-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-32-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1704-30-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-27-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-34-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-37-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-33-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-87-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-86-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-85-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-84-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-83-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-81-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-39-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-40-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-41-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-42-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-43-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-44-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-46-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-47-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-48-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-49-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-50-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-24-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-25-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-56-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-64-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-54-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-57-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-58-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-59-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-61-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-62-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-63-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-55-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-65-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-69-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-70-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-52-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-72-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-73-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-74-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-20-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-76-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-77-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-78-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-79-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-80-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2996-38-0x0000000073EF0000-0x00000000745DE000-memory.dmp

Filesize
6.9MB

Download
memory/2996-6-0x0000000005FC0000-0x0000000006082000-memory.dmp

Filesize
776KB

Download
memory/2996-5-0x0000000073EF0000-0x00000000745DE000-memory.dmp

Filesize
6.9MB

Download
memory/2996-4-0x0000000073EFE000-0x0000000073EFF000-memory.dmp

Filesize
4KB

Download
memory/2996-3-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download
memory/2996-2-0x0000000073EF0000-0x00000000745DE000-memory.dmp

Filesize
6.9MB

Download
memory/2996-1-0x0000000000DF0000-0x0000000000EDC000-memory.dmp

Filesize
944KB

Download
memory/2996-0-0x0000000073EFE000-0x0000000073EFF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.