remcos | 6027eb649c27aa6c1ee848061c7733403a250a40989c4fdee84e7ffee3811cf7

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

InspectorNvidiaPro-64.exe
Size

1.6MB
MD5

912c89ac3e4ab699bd11cd2fc5da0bb2
SHA1

cd1499b70f084dca31343adb170fe3f618bd5933
SHA256

01f24017584c20793bdb7a066a1054b4474310ccda8ddd19a9521aa7cb0708ba
SHA512

b7fcf3222e862afae298ab32ba82be3fa90b01fc04f66c3a4e6b2b9e1f6556e15be9b8f331b0f466dcd1be127d14d2fa0ad711bcea46e0485454a53642c74ccd
SSDEEP

24576:j7FUDowAyrTVE3U5FEimXsOKK56BCObsE6UtoZmUd2N6xSIJQRn+KAXu:jBuZrEUzmXb0CUj1Ud2sMnNJ

Score

10^/10

remcos 5003 discovery rat

Malware Config

Extracted

Family

remcos

Botnet

5003

92.255.85.63:5003

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7Z8WNB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 5 IoCs

pid	Process
1496	InspectorNvidiaPro-64.tmp
2832	InspectorNvidiaPro-64.tmp
2968	nvidiaInspector.exe
1364	IDRService.exe
1544	IDRService.exe

Loads dropped DLL 12 IoCs

pid	Process
1456	InspectorNvidiaPro-64.exe
1496	InspectorNvidiaPro-64.tmp
2248	InspectorNvidiaPro-64.exe
2832	InspectorNvidiaPro-64.tmp
2832	InspectorNvidiaPro-64.tmp
2832	InspectorNvidiaPro-64.tmp
1364	IDRService.exe
1364	IDRService.exe
1364	IDRService.exe
1544	IDRService.exe
1544	IDRService.exe
2068	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1544 set thread context of 2068	1544	IDRService.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDRService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InspectorNvidiaPro-64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InspectorNvidiaPro-64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InspectorNvidiaPro-64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InspectorNvidiaPro-64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDRService.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2832	InspectorNvidiaPro-64.tmp
2832	InspectorNvidiaPro-64.tmp
1364	IDRService.exe
1544	IDRService.exe
1544	IDRService.exe
2068	cmd.exe
2068	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1544	IDRService.exe
2068	cmd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2832	InspectorNvidiaPro-64.tmp

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 1496	1456	InspectorNvidiaPro-64.exe	29
PID 1456 wrote to memory of 1496	1456	InspectorNvidiaPro-64.exe	29
PID 1456 wrote to memory of 1496	1456	InspectorNvidiaPro-64.exe	29
PID 1456 wrote to memory of 1496	1456	InspectorNvidiaPro-64.exe	29
PID 1456 wrote to memory of 1496	1456	InspectorNvidiaPro-64.exe	29
PID 1456 wrote to memory of 1496	1456	InspectorNvidiaPro-64.exe	29
PID 1456 wrote to memory of 1496	1456	InspectorNvidiaPro-64.exe	29
PID 1496 wrote to memory of 2248	1496	InspectorNvidiaPro-64.tmp	30
PID 1496 wrote to memory of 2248	1496	InspectorNvidiaPro-64.tmp	30
PID 1496 wrote to memory of 2248	1496	InspectorNvidiaPro-64.tmp	30
PID 1496 wrote to memory of 2248	1496	InspectorNvidiaPro-64.tmp	30
PID 2248 wrote to memory of 2832	2248	InspectorNvidiaPro-64.exe	31
PID 2248 wrote to memory of 2832	2248	InspectorNvidiaPro-64.exe	31
PID 2248 wrote to memory of 2832	2248	InspectorNvidiaPro-64.exe	31
PID 2248 wrote to memory of 2832	2248	InspectorNvidiaPro-64.exe	31
PID 2248 wrote to memory of 2832	2248	InspectorNvidiaPro-64.exe	31
PID 2248 wrote to memory of 2832	2248	InspectorNvidiaPro-64.exe	31
PID 2248 wrote to memory of 2832	2248	InspectorNvidiaPro-64.exe	31
PID 2832 wrote to memory of 2968	2832	InspectorNvidiaPro-64.tmp	32
PID 2832 wrote to memory of 2968	2832	InspectorNvidiaPro-64.tmp	32
PID 2832 wrote to memory of 2968	2832	InspectorNvidiaPro-64.tmp	32
PID 2832 wrote to memory of 2968	2832	InspectorNvidiaPro-64.tmp	32
PID 2832 wrote to memory of 1364	2832	InspectorNvidiaPro-64.tmp	34
PID 2832 wrote to memory of 1364	2832	InspectorNvidiaPro-64.tmp	34
PID 2832 wrote to memory of 1364	2832	InspectorNvidiaPro-64.tmp	34
PID 2832 wrote to memory of 1364	2832	InspectorNvidiaPro-64.tmp	34
PID 1364 wrote to memory of 1544	1364	IDRService.exe	35
PID 1364 wrote to memory of 1544	1364	IDRService.exe	35
PID 1364 wrote to memory of 1544	1364	IDRService.exe	35
PID 1364 wrote to memory of 1544	1364	IDRService.exe	35
PID 1544 wrote to memory of 2068	1544	IDRService.exe	36
PID 1544 wrote to memory of 2068	1544	IDRService.exe	36
PID 1544 wrote to memory of 2068	1544	IDRService.exe	36
PID 1544 wrote to memory of 2068	1544	IDRService.exe	36
PID 1544 wrote to memory of 2068	1544	IDRService.exe	36
PID 2068 wrote to memory of 2072	2068	cmd.exe	38
PID 2068 wrote to memory of 2072	2068	cmd.exe	38
PID 2068 wrote to memory of 2072	2068	cmd.exe	38
PID 2068 wrote to memory of 2072	2068	cmd.exe	38
PID 2068 wrote to memory of 2072	2068	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\InspectorNvidiaPro-64.exe
"C:\Users\Admin\AppData\Local\Temp\InspectorNvidiaPro-64.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Local\Temp\is-D1DQD.tmp\InspectorNvidiaPro-64.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-D1DQD.tmp\InspectorNvidiaPro-64.tmp" /SL5="$40216,791552,0,C:\Users\Admin\AppData\Local\Temp\InspectorNvidiaPro-64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\InspectorNvidiaPro-64.exe
    "C:\Users\Admin\AppData\Local\Temp\InspectorNvidiaPro-64.exe" /VERYSILENT
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Users\Admin\AppData\Local\Temp\is-5URSB.tmp\InspectorNvidiaPro-64.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-5URSB.tmp\InspectorNvidiaPro-64.tmp" /SL5="$50216,791552,0,C:\Users\Admin\AppData\Local\Temp\InspectorNvidiaPro-64.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Users\Admin\AppData\Roaming\nvidiaInspector.exe
        
        "C:\Users\Admin\AppData\Roaming\nvidiaInspector.exe"
        5⤵
        Executes dropped EXE
        
        PID:2968
    - - C:\Users\Admin\AppData\Roaming\IDRService.exe
        
        "C:\Users\Admin\AppData\Roaming\IDRService.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1364
      - C:\Users\Admin\AppData\Roaming\KO_Power\IDRService.exe
        
        C:\Users\Admin\AppData\Roaming\KO_Power\IDRService.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\64a8016b

Filesize
1.2MB

MD5
4ee76b1aecabfd690814afd3411e1f22

SHA1
350dae69bcdcf5787b3bc71fcb5c4341fa730654

SHA256
a10020719ab6e3dc27da9227daca82e48e6697c94a114fddebadf66499d103a0

SHA512
6de55a025838cee306754dc4bd65b3f54f7485925cb48ce71dae1161c03c5270e706a4b554f9c79d914e786fe9d236c66e9f4a8f576163ee3db0bc5d30b5ac49

Download Submit
C:\Users\Admin\AppData\Roaming\IDRService.exe

Filesize
1.6MB

MD5
ec539c4a9c60b3690fbd891e19333362

SHA1
7cd141b72d9c6701c27f939b790624ebe04668fd

SHA256
1d60149ce640f4e07bceeb8940950441025277f1eba4f501f8afe558030b34fe

SHA512
b6a3496e7b6f7aed5dcc7e0bb3fe903d2c231ff5470bbedd37e8bea83b1951dc835f32ac6508dea8b561bfd6354e7741227a42eb49fc0575ce64e12b494c00c1

Download Submit
C:\Users\Admin\AppData\Roaming\cde

Filesize
947KB

MD5
77a94cd64437ca28cdbb889864900dfe

SHA1
430575f9c462aceed520494ec5fb2087d999d420

SHA256
82823bd91c34e24b0b225075f0f69f9d2313e58df01862bccd3fcfbf5ae36733

SHA512
627b67ba09d7e25a7207b69630d3a1b2c5c2c3f93e47644ef61e057f8a0f68c62051a6cb75c05c8acd728b8122fd27e8529265635def1ac70a9290af65c8476f

Download Submit
C:\Users\Admin\AppData\Roaming\llnjxu

Filesize
16KB

MD5
b613ff11758faed863380d6a1e3abac0

SHA1
959fc450422dca5babbe1ef395f68e93724a4616

SHA256
120e44ed51661e0e86dc8c92cb78a6869192e4331376d7d62fe8287eb340215e

SHA512
cd1bdec448913f173f8204eaedbe862bbe7380480c3c629d88bfb1ef254ca9cbc191b8ee8a41c0648565a7429436bad698d06b9ed06a221ce0a85c9a2215f5c9

Download Submit
\Users\Admin\AppData\Local\Temp\is-D1DQD.tmp\InspectorNvidiaPro-64.tmp

Filesize
3.0MB

MD5
2ef50af4f6fbe0a32630f748382dfa1c

SHA1
88dd765da4dc6a867e3a81eb1bbc53cc1729ae98

SHA256
353f635294d95ba4a4fdfa10222aea50a085007003a9156ee7f50c0295b56b77

SHA512
d6f25178299b5a7f354dbb46a8cff0233ece08479e5b4fe05a31613597757813962fb1700509ec2d6264158c2b94ecb51a876a0d8009f01992f6c40db0e08890

Download Submit
\Users\Admin\AppData\Local\Temp\is-OJTH1.tmp\_isetup\_isdecmp.dll

Filesize
34KB

MD5
c6ae924ad02500284f7e4efa11fa7cfc

SHA1
2a7770b473b0a7dc9a331d017297ff5af400fed8

SHA256
31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26

SHA512
f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae

Download Submit
\Users\Admin\AppData\Roaming\datastate.dll

Filesize
59KB

MD5
92b8cc6f16f9455446cbf1d748a2a30f

SHA1
d0a2700230bd4f095d02ed0f533b3687b3e36767

SHA256
1a0bf6db185254e352e6bf47b9d86986cb9191339390e3b5f638b962d433d22c

SHA512
023a642123b3e056092b6550f14f2f6feaa9c5c6c3e2343732e4bee791946795df12bcdbcffb67e99eb5c1746e564be356b426aefb014190e6e0d3c72c671784

Download Submit
\Users\Admin\AppData\Roaming\nvidiaInspector.exe

Filesize
484KB

MD5
83c9984b29ee1f908b45a963cfb8adea

SHA1
bd20801c13ae2e9b7d6ee1b8835615d921f057eb

SHA256
4128026b5a096ee35198fa18db1f6c6d27a81096aac48bc86803e5ad8a2dea7a

SHA512
d3f388eac1eaf0ea4f723cf9a5f8defbe8d43d0082216d591fdff81e2bbc4fdf1ff16acbc5c45120d15edacca3058ff2ab9aa3be43f5e4daeb7764cfba9d93e7

Download Submit
\Users\Admin\AppData\Roaming\sqlite3.dll

Filesize
904KB

MD5
9d255e04106ba7dcbd0bcb549e9a5a4e

SHA1
a9becb85b181c37ee5a940e149754c1912a901f1

SHA256
02f37a8e3d1790ac90c04bc50de73cd1a93e27caf833a1e1211b9cc6294ecee5

SHA512
54c54787a4ca8643271169be403069bc5f1e319a55d6a0ebd84fb0d96f6e9bddc52b0908541d29db04a042b531abd6c05073e27b0b2753196e0055b8b8200b09

Download Submit
memory/1364-99-0x0000000061E00000-0x0000000061ECA000-memory.dmp

Filesize
808KB

Download
memory/1364-86-0x0000000074AD0000-0x0000000074C44000-memory.dmp

Filesize
1.5MB

Download
memory/1364-98-0x0000000000400000-0x00000000005ED000-memory.dmp

Filesize
1.9MB

Download
memory/1364-87-0x00000000775E0000-0x0000000077789000-memory.dmp

Filesize
1.7MB

Download
memory/1456-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/1456-0-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1456-20-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1496-12-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/1496-18-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/1544-108-0x0000000000400000-0x00000000005ED000-memory.dmp

Filesize
1.9MB

Download
memory/1544-110-0x0000000074950000-0x0000000074AC4000-memory.dmp

Filesize
1.5MB

Download
memory/1544-107-0x00000000775E0000-0x0000000077789000-memory.dmp

Filesize
1.7MB

Download
memory/1544-106-0x0000000074950000-0x0000000074AC4000-memory.dmp

Filesize
1.5MB

Download
memory/1544-109-0x0000000061E00000-0x0000000061ECA000-memory.dmp

Filesize
808KB

Download
memory/2068-162-0x0000000074950000-0x0000000074AC4000-memory.dmp

Filesize
1.5MB

Download
memory/2068-115-0x00000000775E0000-0x0000000077789000-memory.dmp

Filesize
1.7MB

Download
memory/2072-164-0x00000000775E0000-0x0000000077789000-memory.dmp

Filesize
1.7MB

Download
memory/2072-168-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2072-165-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2248-16-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2248-51-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2248-79-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2832-52-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2832-77-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download