remcos | 530d877fd245da9636806e92b1b3271ccbdb89c4e08e534171469b70f2f7dc7a

General

Target

Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe
Size

760KB
MD5

20d75709d275ee9fc5b559e50ae667c3
SHA1

27b41abb5cf6a0492fbd44db949ed78629548ee6
SHA256

530d877fd245da9636806e92b1b3271ccbdb89c4e08e534171469b70f2f7dc7a
SHA512

0987ce0ae8d3447034f76b11ab618b8b92f73d0e5ed50d2e5a0ba204f0a8cf830ed4795abbeebe72c035ecfa3e96391756cda8cb7f064f183cdb4554510be64f
SSDEEP

12288:GtomEHbPc17d211S7nu/s6dSf/5vJ6UuWsz6MNwXLLKqKUGpjSvI0Z:TN7Pi7Iw1aSz6n16ewXLu9UKjSvI0Z

Score

10^/10

remcos remotehost collection discovery rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

162.251.122.87:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-UOMZ21
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 8 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/2516-602-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2464-600-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2516-599-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2464-598-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/344-606-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/344-607-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2464-613-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2516-617-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2516-602-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/2516-599-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/2516-617-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2464-600-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2464-598-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2464-613-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Loads dropped DLL 2 IoCs

pid	Process
1444	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe
1444	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2156	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1444	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe
2156	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1444 set thread context of 2156	1444	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe	30
PID 2156 set thread context of 2464	2156	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe	32
PID 2156 set thread context of 2516	2156	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe	33
PID 2156 set thread context of 344	2156	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2464	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe
2464	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1444	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe
2156	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe
2156	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe
2156	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	344	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2156	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 2156	1444	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe	30
PID 1444 wrote to memory of 2156	1444	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe	30
PID 1444 wrote to memory of 2156	1444	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe	30
PID 1444 wrote to memory of 2156	1444	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe	30
PID 1444 wrote to memory of 2156	1444	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe	30
PID 1444 wrote to memory of 2156	1444	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe	30
PID 2156 wrote to memory of 2464	2156	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe	32
PID 2156 wrote to memory of 2464	2156	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe	32
PID 2156 wrote to memory of 2464	2156	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe	32
PID 2156 wrote to memory of 2464	2156	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe	32
PID 2156 wrote to memory of 2516	2156	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe	33
PID 2156 wrote to memory of 2516	2156	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe	33
PID 2156 wrote to memory of 2516	2156	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe	33
PID 2156 wrote to memory of 2516	2156	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe	33
PID 2156 wrote to memory of 344	2156	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe	34
PID 2156 wrote to memory of 344	2156	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe	34
PID 2156 wrote to memory of 344	2156	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe	34
PID 2156 wrote to memory of 344	2156	Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe	34

C:\Users\Admin\AppData\Local\Temp\Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Local\Temp\Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe" /stext "C:\Users\Admin\AppData\Local\Temp\wuadblithcscazi"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2464
- - C:\Users\Admin\AppData\Local\Temp\Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe" /stext "C:\Users\Admin\AppData\Local\Temp\honocdtvdkkpdfeqxkb"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:2516
- - C:\Users\Admin\AppData\Local\Temp\Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe" /stext "C:\Users\Admin\AppData\Local\Temp\jqtgcodorsctntsuguorhm"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
902e4fb71446d519622e39bba7ac1a6d

SHA1
c202d6bc98efdef0f3f806cb85b3cb840b265e30

SHA256
e6dd3cdf3ee3a514096697ae895072d27542863f4918c37e754a2b3396a655a1

SHA512
d1505a92ae91ca858e054d6a364cbf1b94068a0892fd9dd421dc79692034c3247c2944a72930840cd29e0017c591738db46f4da839160376f53996986e6767b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse4AD8.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj4B96.tmp

Filesize
60B

MD5
7ed75a71351bfc4eaabfc06754e83a71

SHA1
b588df2f060e1356e9950344d31dc8b566ea5e43

SHA256
2d45fd2175ad61122ca69dc5fb613b7cfc525c489f08942b81c9f7546ab303c6

SHA512
2e92b886fb3149912a627bdccada189179aa7e04600177def15270b7346e0da45db52ddaa75e9e6d40458c8d0bba870cfceda39c160865060d4f11f11b9f6a6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso4B18.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4C91.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuadblithcscazi

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\nst4AE8.tmp\System.dll

Filesize
11KB

MD5
ca332bb753b0775d5e806e236ddcec55

SHA1
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

SHA256
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

SHA512
2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

Download Submit
memory/344-605-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/344-607-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/344-606-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/344-604-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1444-578-0x0000000077370000-0x0000000077519000-memory.dmp

Filesize
1.7MB

Download
memory/1444-577-0x0000000077371000-0x0000000077472000-memory.dmp

Filesize
1.0MB

Download
memory/2156-622-0x0000000038060000-0x0000000038079000-memory.dmp

Filesize
100KB

Download
memory/2156-579-0x0000000077370000-0x0000000077519000-memory.dmp

Filesize
1.7MB

Download
memory/2156-645-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2156-642-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2156-639-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2156-636-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2156-633-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2156-630-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2156-627-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2156-624-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2156-580-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2156-590-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2156-623-0x0000000038060000-0x0000000038079000-memory.dmp

Filesize
100KB

Download
memory/2156-585-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2156-619-0x0000000038060000-0x0000000038079000-memory.dmp

Filesize
100KB

Download
memory/2464-613-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2464-595-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2464-592-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2464-598-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2464-600-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2464-601-0x0000000077370000-0x0000000077519000-memory.dmp

Filesize
1.7MB

Download
memory/2516-617-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2516-593-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2516-597-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2516-599-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2516-602-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2516-603-0x0000000077370000-0x0000000077519000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing