remcos | 6bcefb0164c0ef29720dce27bd19ac87d81d6fb3393235050a5e31cbf2fe64c7

Resubmissions

26-11-2024 04:31

241126-e5gp3a1mbj 10

21-10-2024 21:18

241021-z5yzkaxcng 10

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

validClient_debug/EASteamProxy.exe
Size

5.4MB
MD5

ad2735f096925010a53450cb4178c89e
SHA1

c6d65163c6315a642664f4eaec0fae9528549bfe
SHA256

4e775b5fafb4e6d89a4694f8694d2b8b540534bd4a52ff42f70095f1c929160e
SHA512

1868b22a7c5cba89545b06f010c09c5418b3d86039099d681eee9567c47208fdba3b89c6251cf03c964c58c805280d45ba9c3533125f6bd3e0bc067477e03ab9
SSDEEP

98304:o/zx+riUDpJowboU+XEsumY2XW6jBYeZ1ER:2x+riUDwUj12X1tY5

Score

10^/10

remcos octubre 21 muchacha discovery rat

Malware Config

Extracted

Family

remcos

Botnet

OCTUBRE 21 MUCHACHA

restaurantes.pizzafshaioin.info:5508

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
viduxilita
mouse_option
false
mutex
foneggrasd-0IBRGD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 1 IoCs

pid	Process
4676	EASteamProxy.exe

Loads dropped DLL 12 IoCs

pid	Process
4676	EASteamProxy.exe
4676	EASteamProxy.exe
4676	EASteamProxy.exe
4676	EASteamProxy.exe
4676	EASteamProxy.exe
4676	EASteamProxy.exe
4676	EASteamProxy.exe
4676	EASteamProxy.exe
4676	EASteamProxy.exe
4676	EASteamProxy.exe
4676	EASteamProxy.exe
512	Checksync_test.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4676 set thread context of 3020	4676	EASteamProxy.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Checksync_test.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4560	EASteamProxy.exe
4676	EASteamProxy.exe
4676	EASteamProxy.exe
3020	cmd.exe
3020	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4676	EASteamProxy.exe
3020	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
512	Checksync_test.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 4676	4560	EASteamProxy.exe	82
PID 4560 wrote to memory of 4676	4560	EASteamProxy.exe	82
PID 4676 wrote to memory of 3020	4676	EASteamProxy.exe	83
PID 4676 wrote to memory of 3020	4676	EASteamProxy.exe	83
PID 4676 wrote to memory of 3020	4676	EASteamProxy.exe	83
PID 4676 wrote to memory of 3020	4676	EASteamProxy.exe	83
PID 3020 wrote to memory of 512	3020	cmd.exe	92
PID 3020 wrote to memory of 512	3020	cmd.exe	92
PID 3020 wrote to memory of 512	3020	cmd.exe	92
PID 3020 wrote to memory of 512	3020	cmd.exe	92
PID 3020 wrote to memory of 512	3020	cmd.exe	92
PID 3020 wrote to memory of 512	3020	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\validClient_debug\EASteamProxy.exe
"C:\Users\Admin\AppData\Local\Temp\validClient_debug\EASteamProxy.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Users\Admin\AppData\Roaming\validClient_debug\EASteamProxy.exe
  C:\Users\Admin\AppData\Roaming\validClient_debug\EASteamProxy.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\Checksync_test.exe
      C:\Users\Admin\AppData\Local\Temp\Checksync_test.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\viduxilita\logs.dat

Filesize
144B

MD5
eb60958f75b9c678c02f87aad94cf79e

SHA1
54dc1f46408fa3a7c4307d656f7fef17db619edb

SHA256
8b4e22cdb7fd096b8c04b8498b8b0288feb1754d04e65a943ab5beb75a953ff4

SHA512
7bbc373a288920833f58129959e0e5c7714f515f0b4ee637f8314914a95d3917216611eabe9352b091f77932244ca66eed6055b4c9224d19ebe198c715036a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Checksync_test.exe

Filesize
433KB

MD5
fea067901f48a5f1faf7ca3b373f1a8f

SHA1
e8abe0deb87de9fe3bb3a611234584e9a9b17cce

SHA256
bf24b2f3e3a3c60ed116791b99e5421a4de34ac9c6e2201d34ab487e448ce152

SHA512
07c83a2d3d5dd475bc8aa48eba9b03e8fb742dbbd7bd623ed05dc1086efed7dfd1c1b8f037ee2e81efba1de58ea3243d7c84ac8b484e808cd28765f9c7517023

Download Submit
C:\Users\Admin\AppData\Local\Temp\fef639f9

Filesize
1.6MB

MD5
f6a85a671babb4904c60f02ee2097a5b

SHA1
d388d75ac95dabca90a8c51fe8c717ddc6bad62f

SHA256
ffc118861b6371a08e7ae10dfe8e81b7f7114a4f41c95d39b9956d3303de1d95

SHA512
ed997847451f2b59cf7bd6470973f1c74d6ce03565ec02d4ebf435812abc000748928c9e146bc2ebc29f0c912c3b5161f1bfd861e22450b9084aa535aff745b4

Download Submit
C:\Users\Admin\AppData\Roaming\validClient_debug\EASteamProxy.exe

Filesize
5.4MB

MD5
ad2735f096925010a53450cb4178c89e

SHA1
c6d65163c6315a642664f4eaec0fae9528549bfe

SHA256
4e775b5fafb4e6d89a4694f8694d2b8b540534bd4a52ff42f70095f1c929160e

SHA512
1868b22a7c5cba89545b06f010c09c5418b3d86039099d681eee9567c47208fdba3b89c6251cf03c964c58c805280d45ba9c3533125f6bd3e0bc067477e03ab9

Download Submit
C:\Users\Admin\AppData\Roaming\validClient_debug\Qt5Core.dll

Filesize
6.0MB

MD5
68e600cb754e04557ef716b9ebc93fe4

SHA1
8302ab611e787c312b971ce05935ff6e956faede

SHA256
8f4c72e3c7de1ab5d894ec7813f65c5298ecafc183f31924b44a427433ffca42

SHA512
8bbd7d14b59f01eba7c46a6e8592c037cab73bed1eb0762fc278cf7b81082784e88d777a32f71bc2de128c0186321004bfa4ca68d1bcaa5660694c007219e98e

Download Submit
C:\Users\Admin\AppData\Roaming\validClient_debug\Qt5Network.dll

Filesize
1.3MB

MD5
2990907dd15b4c582149799aa88bceec

SHA1
9be8e653197ed61e5eae8a6e9131f14ca30cde6f

SHA256
84eb13c146bb9dc19f9add8673c5fba7dd04856082c0d74939d54dfe1927c285

SHA512
770ee8480f591ef0fe3a04c5547af7412cfd4badef9976870b1c21fb91a41f380ee7a6342abb9f0af5f33346ee8257e59eaae3bca771d81d4419ed126991b3c8

Download Submit
C:\Users\Admin\AppData\Roaming\validClient_debug\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Roaming\validClient_debug\libcrypto-1_1-x64.dll

Filesize
2.7MB

MD5
28dea3e780552eb5c53b3b9b1f556628

SHA1
55dccd5b30ce0363e8ebdfeb1cca38d1289748b8

SHA256
52415829d85c06df8724a3d3d00c98f12beabf5d6f3cbad919ec8000841a86e8

SHA512
19dfe5f71901e43ea34d257f693ae1a36433dbdbcd7c9440d9b0f9eea24de65c4a8fe332f7b88144e1a719a6ba791c2048b4dd3e5b1ed0fdd4c813603ad35112

Download Submit
C:\Users\Admin\AppData\Roaming\validClient_debug\libssl-1_1-x64.dll

Filesize
669KB

MD5
4ad03043a32e9a1ef64115fc1ace5787

SHA1
352e0e3a628c8626cff7eed348221e889f6a25c4

SHA256
a0e43cbc4a2d8d39f225abd91980001b7b2b5001e8b2b8292537ae39b17b85d1

SHA512
edfae3660a5f19a9deda0375efba7261d211a74f1d8b6bf1a8440fed4619c4b747aca8301d221fd91230e7af1dab73123707cc6eda90e53eb8b6b80872689ba6

Download Submit
C:\Users\Admin\AppData\Roaming\validClient_debug\msvcp140.dll

Filesize
564KB

MD5
1ba6d1cf0508775096f9e121a24e5863

SHA1
df552810d779476610da3c8b956cc921ed6c91ae

SHA256
74892d9b4028c05debaf0b9b5d9dc6d22f7956fa7d7eee00c681318c26792823

SHA512
9887d9f5838aa1555ea87968e014edfe2f7747f138f1b551d1f609bc1d5d8214a5fdab0d76fcac98864c1da5eb81405ca373b2a30cb12203c011d89ea6d069af

Download Submit
C:\Users\Admin\AppData\Roaming\validClient_debug\msvcp140_1.dll

Filesize
34KB

MD5
69d96e09a54fbc5cf92a0e084ab33856

SHA1
b4629d51b5c4d8d78ccb3370b40a850f735b8949

SHA256
a3a1199de32bbbc8318ec33e2e1ce556247d012851e4b367fe853a51e74ce4ee

SHA512
2087827137c473cdbec87789361ed34fad88c9fe80ef86b54e72aea891d91af50b17b7a603f9ae2060b3089ce9966fad6d7fbe22dee980c07ed491a75503f2cf

Download Submit
C:\Users\Admin\AppData\Roaming\validClient_debug\qfuepg

Filesize
1.1MB

MD5
b044ecaee7b518035237a18271d723d4

SHA1
bba6e07ffcef8768fe21ff0b1d24c09ce0e0f51c

SHA256
e70bd827ba2610f5f0652d3f215e75a7662c0090499bba749341149536a12ebd

SHA512
4d17a2e9bbea523c16136edd772fbd19b316c2bc3ddad021d0051bab6f43222f4318a91af9dc7530d83a31e60b2fed4df44fb959d792c5bde6818f3fe07e4353

Download Submit
C:\Users\Admin\AppData\Roaming\validClient_debug\steam_api64.dll

Filesize
291KB

MD5
6b4ab6e60364c55f18a56a39021b74a6

SHA1
39cac2889d8ca497ee0d8434fc9f6966f18fa336

SHA256
1db3fd414039d3e5815a5721925dd2e0a3a9f2549603c6cab7c49b84966a1af3

SHA512
c08de8c6e331d13dfe868ab340e41552fc49123a9f782a5a63b95795d5d979e68b5a6ab171153978679c0791dc3e3809c883471a05864041ce60b240ccdd4c21

Download Submit
C:\Users\Admin\AppData\Roaming\validClient_debug\tku

Filesize
73KB

MD5
3ddf30874fc12afe2b4b26085a71e663

SHA1
0c1f0c70ca6bfe370c35db3fe4f54dcdfba3c8a3

SHA256
3d0b0567bf610d50c20374b0238508b711c2bd2227b5d7b643af4a40466cce0f

SHA512
e75df04cf449647af8eb2d9413918e2fd978a9511259c2177b4c4b434ecbe392c99467812e71ca5b472c5ebee0d135a5b6639f20663943d91652f93e4363c557

Download Submit
C:\Users\Admin\AppData\Roaming\validClient_debug\vcruntime140_1.dll

Filesize
48KB

MD5
cf0a1c4776ffe23ada5e570fc36e39fe

SHA1
2050fadecc11550ad9bde0b542bcf87e19d37f1a

SHA256
6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47

SHA512
d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168

Download Submit
memory/512-73-0x0000000000490000-0x0000000000514000-memory.dmp

Filesize
528KB

Download
memory/512-76-0x0000000000490000-0x0000000000514000-memory.dmp

Filesize
528KB

Download
memory/512-94-0x0000000000490000-0x0000000000514000-memory.dmp

Filesize
528KB

Download
memory/512-91-0x0000000000490000-0x0000000000514000-memory.dmp

Filesize
528KB

Download
memory/512-88-0x0000000000490000-0x0000000000514000-memory.dmp

Filesize
528KB

Download
memory/512-85-0x0000000000490000-0x0000000000514000-memory.dmp

Filesize
528KB

Download
memory/512-82-0x0000000000490000-0x0000000000514000-memory.dmp

Filesize
528KB

Download
memory/512-55-0x0000000000490000-0x0000000000514000-memory.dmp

Filesize
528KB

Download
memory/512-57-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp

Filesize
2.0MB

Download
memory/512-58-0x0000000000490000-0x0000000000514000-memory.dmp

Filesize
528KB

Download
memory/512-61-0x0000000000490000-0x0000000000514000-memory.dmp

Filesize
528KB

Download
memory/512-64-0x0000000000490000-0x0000000000514000-memory.dmp

Filesize
528KB

Download
memory/512-79-0x0000000000490000-0x0000000000514000-memory.dmp

Filesize
528KB

Download
memory/512-67-0x0000000000490000-0x0000000000514000-memory.dmp

Filesize
528KB

Download
memory/512-70-0x0000000000490000-0x0000000000514000-memory.dmp

Filesize
528KB

Download
memory/3020-48-0x00000000758A0000-0x0000000075A1B000-memory.dmp

Filesize
1.5MB

Download
memory/3020-45-0x00000000758A0000-0x0000000075A1B000-memory.dmp

Filesize
1.5MB

Download
memory/3020-44-0x00007FFDDAD50000-0x00007FFDDAF45000-memory.dmp

Filesize
2.0MB

Download
memory/4560-0-0x00007FFDCC1C0000-0x00007FFDCC332000-memory.dmp

Filesize
1.4MB

Download
memory/4676-41-0x00007FFDBCE90000-0x00007FFDBD002000-memory.dmp

Filesize
1.4MB

Download
memory/4676-38-0x00007FFDBCE90000-0x00007FFDBD002000-memory.dmp

Filesize
1.4MB

Download
memory/4676-40-0x00007FFDBCE90000-0x00007FFDBD002000-memory.dmp

Filesize
1.4MB

Download
memory/4676-39-0x00007FFDBCEA9000-0x00007FFDBCEAA000-memory.dmp

Filesize
4KB

Download