remcos | fa9f629254a8bbe915bbd587c0c060de580a18992103858a1d16686de8bd717e

Resubmissions

21/12/2024, 17:16 UTC

241221-vtc6hatpew 10

21/12/2024, 17:14 UTC

241221-vseb6strcn 10

Analysis

max time kernel
150s
max time network
151s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
21/12/2024, 17:16 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WaveSourceInstaller.exe
Size

469KB
MD5

e468b718e67495ea73c85d8258059adf
SHA1

dcad70f5c39ab85f900ef1288067dbf51eaeb503
SHA256

fa9f629254a8bbe915bbd587c0c060de580a18992103858a1d16686de8bd717e
SHA512

b4eb6cc848b5ebfc6bab7e1cc033ec468bc8cf2fed72ea912f9fc60d6eaab75664f4627646960dccab2aceefeab9c5acbd2fe1b57d992c62358929b4d840dedb
SSDEEP

12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSJn9:uiLJbpI7I2WhQqZ7J9

Score

10^/10

remcos wavesourceleaked discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

WaveSourceLeaked

204.10.194.175:4444

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-46FS9Q
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	WaveSourceInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
3520	remcos.exe
1348	remcos.exe
1716	remcos.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	WaveSourceInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	WaveSourceInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3520 set thread context of 3600	3520	remcos.exe	86
PID 1348 set thread context of 3800	1348	remcos.exe	100
PID 1716 set thread context of 2404	1716	remcos.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveSourceInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings	WaveSourceInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
3520	remcos.exe
3520	remcos.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1348	remcos.exe
1348	remcos.exe
1796	taskmgr.exe
1796	taskmgr.exe
1716	remcos.exe
1716	remcos.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3520	remcos.exe
1348	remcos.exe
1716	remcos.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1796	taskmgr.exe
Token: SeSystemProfilePrivilege	1796	taskmgr.exe
Token: SeCreateGlobalPrivilege	1796	taskmgr.exe
Token: 33	1796	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1796	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe
1796	taskmgr.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 1892	3144	WaveSourceInstaller.exe	81
PID 3144 wrote to memory of 1892	3144	WaveSourceInstaller.exe	81
PID 3144 wrote to memory of 1892	3144	WaveSourceInstaller.exe	81
PID 1892 wrote to memory of 3704	1892	WScript.exe	83
PID 1892 wrote to memory of 3704	1892	WScript.exe	83
PID 1892 wrote to memory of 3704	1892	WScript.exe	83
PID 3704 wrote to memory of 3520	3704	cmd.exe	85
PID 3704 wrote to memory of 3520	3704	cmd.exe	85
PID 3704 wrote to memory of 3520	3704	cmd.exe	85
PID 3520 wrote to memory of 3600	3520	remcos.exe	86
PID 3520 wrote to memory of 3600	3520	remcos.exe	86
PID 3520 wrote to memory of 3600	3520	remcos.exe	86
PID 3520 wrote to memory of 3600	3520	remcos.exe	86
PID 1348 wrote to memory of 3800	1348	remcos.exe	100
PID 1348 wrote to memory of 3800	1348	remcos.exe	100
PID 1348 wrote to memory of 3800	1348	remcos.exe	100
PID 1348 wrote to memory of 3800	1348	remcos.exe	100
PID 1716 wrote to memory of 2404	1716	remcos.exe	102
PID 1716 wrote to memory of 2404	1716	remcos.exe	102
PID 1716 wrote to memory of 2404	1716	remcos.exe	102
PID 1716 wrote to memory of 2404	1716	remcos.exe	102

C:\Users\Admin\AppData\Local\Temp\WaveSourceInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\WaveSourceInstaller.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3704
  - - C:\ProgramData\Remcos\remcos.exe
      C:\ProgramData\Remcos\remcos.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:3520
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        
        PID:3600

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2116

C:\ProgramData\Remcos\remcos.exe
"C:\ProgramData\Remcos\remcos.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1348
- \??\c:\program files (x86)\internet explorer\iexplore.exe
  "c:\program files (x86)\internet explorer\iexplore.exe"
  2⤵
  PID:3800

C:\ProgramData\Remcos\remcos.exe
"C:\ProgramData\Remcos\remcos.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1716
- \??\c:\program files (x86)\internet explorer\iexplore.exe
  "c:\program files (x86)\internet explorer\iexplore.exe"
  2⤵
  PID:2404

Network

DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

86.49.80.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.49.80.91.in-addr.arpa

IN PTR

Response
DNS

71.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

checkappexec.microsoft.com

Remote address:

8.8.8.8:53

Request

checkappexec.microsoft.com

IN A

Response

checkappexec.microsoft.com

IN CNAME

prod-atm-wds-apprep.trafficmanager.net

prod-atm-wds-apprep.trafficmanager.net

IN CNAME

prod-agic-us-2.uksouth.cloudapp.azure.com

prod-agic-us-2.uksouth.cloudapp.azure.com

IN A

172.165.69.228
POST

https://checkappexec.microsoft.com/windows/shell/actions

Remote address:

172.165.69.228:443

Request

POST /windows/shell/actions HTTP/2.0
host: checkappexec.microsoft.com
accept-encoding: gzip, deflate
user-agent: SmartScreen/2814751014982010
authorization: SmartScreenHash eyJhdXRoSWQiOiJhZGZmZjVhZC1lZjllLTQzYTYtYjFhMy0yYWQ0MjY3YWVlZDUiLCJoYXNoIjoibFRZdmZONEZnekE9Iiwia2V5IjoiTGRtR3orR2FqWWhBMnN6UnVJMzhTdz09In0=
content-length: 1162
content-type: application/json; charset=utf-8
cache-control: no-cache

Response

HTTP/2.0 200

date: Sat, 21 Dec 2024 17:17:09 GMT
content-type: application/json; charset=utf-8
content-length: 183
server: Kestrel
cache-control: max-age=0, private
request-context: appId=cid-v1:7f05e9f0-1fe6-401c-8ae7-2478e40e2f1e
DNS

fd.api.iris.microsoft.com

Remote address:

8.8.8.8:53

Request

fd.api.iris.microsoft.com

IN A

Response

fd.api.iris.microsoft.com

IN CNAME

fd-api-iris.trafficmanager.net

fd-api-iris.trafficmanager.net

IN CNAME

iris-de-prod-azsc-v2-neu-b.northeurope.cloudapp.azure.com

iris-de-prod-azsc-v2-neu-b.northeurope.cloudapp.azure.com

IN A

20.223.36.55
DNS

fd.api.iris.microsoft.com

Remote address:

8.8.8.8:53

Request

fd.api.iris.microsoft.com

IN A
DNS

fd.api.iris.microsoft.com

Remote address:

8.8.8.8:53

Request

fd.api.iris.microsoft.com

IN A
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR
DNS

175.194.10.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

175.194.10.204.in-addr.arpa

IN PTR

Response
DNS

83.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

83.210.23.2.in-addr.arpa

IN PTR

Response

83.210.23.2.in-addr.arpa

IN PTR

a2-23-210-83deploystaticakamaitechnologiescom
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR

Response

172.165.69.228:443

https://checkappexec.microsoft.com/windows/shell/actions

tls, http2

2.9kB
9.5kB
21
16

HTTP Request

POST https://checkappexec.microsoft.com/windows/shell/actions

HTTP Response

200
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

304 B
92 B
3
2
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

448 B
132 B
6
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

654 B
132 B
7
3
204.10.194.175:4444

tls

iexplore.exe

1.3kB
172 B
10
4
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

304 B
92 B
3
2
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

350 B
132 B
4
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

304 B
92 B
3
2
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

304 B
92 B
3
2
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

304 B
92 B
3
2
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

tls

iexplore.exe

396 B
132 B
5
3
204.10.194.175:4444

iexplore.exe

8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

86.49.80.91.in-addr.arpa

dns

70 B
145 B
1
1

DNS Request

86.49.80.91.in-addr.arpa
8.8.8.8:53

71.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

71.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

checkappexec.microsoft.com

dns

72 B
192 B
1
1

DNS Request

checkappexec.microsoft.com

DNS Response

172.165.69.228
8.8.8.8:53

fd.api.iris.microsoft.com

dns

213 B
199 B
3
1

DNS Request

fd.api.iris.microsoft.com

DNS Request

fd.api.iris.microsoft.com

DNS Request

fd.api.iris.microsoft.com

DNS Response

20.223.36.55
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

144 B
146 B
2
1

DNS Request

15.164.165.52.in-addr.arpa

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

175.194.10.204.in-addr.arpa

dns

73 B
154 B
1
1

DNS Request

175.194.10.204.in-addr.arpa
8.8.8.8:53

83.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

83.210.23.2.in-addr.arpa
8.8.8.8:53

31.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

31.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\remcos.exe

Filesize
469KB

MD5
e468b718e67495ea73c85d8258059adf

SHA1
dcad70f5c39ab85f900ef1288067dbf51eaeb503

SHA256
fa9f629254a8bbe915bbd587c0c060de580a18992103858a1d16686de8bd717e

SHA512
b4eb6cc848b5ebfc6bab7e1cc033ec468bc8cf2fed72ea912f9fc60d6eaab75664f4627646960dccab2aceefeab9c5acbd2fe1b57d992c62358929b4d840dedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
386B

MD5
1ec6289c6fd4c2ded6b2836ed28cbeb5

SHA1
c4e08195e6c640eb8860acc03fda1d649b4fe070

SHA256
6efdc40f9eb217f879607614e928b65bff759e424f3efb31faceb2a043c32dc2

SHA512
20bc46f4dee22f75f15c402c7c2eaee60fff7dd92548050585571dcbefd59485cc249c06bc3f1aac7a138e5ae67c0c3918b46ffa24c8b0f1b092e2f6b6e21288

Download Submit
memory/1796-21-0x000001ACB0090000-0x000001ACB0091000-memory.dmp

Filesize
4KB

Download
memory/1796-18-0x000001ACB0090000-0x000001ACB0091000-memory.dmp

Filesize
4KB

Download
memory/1796-19-0x000001ACB0090000-0x000001ACB0091000-memory.dmp

Filesize
4KB

Download
memory/1796-20-0x000001ACB0090000-0x000001ACB0091000-memory.dmp

Filesize
4KB

Download
memory/1796-14-0x000001ACB0090000-0x000001ACB0091000-memory.dmp

Filesize
4KB

Download
memory/1796-13-0x000001ACB0090000-0x000001ACB0091000-memory.dmp

Filesize
4KB

Download
memory/1796-12-0x000001ACB0090000-0x000001ACB0091000-memory.dmp

Filesize
4KB

Download
memory/1796-24-0x000001ACB0090000-0x000001ACB0091000-memory.dmp

Filesize
4KB

Download
memory/1796-23-0x000001ACB0090000-0x000001ACB0091000-memory.dmp

Filesize
4KB

Download
memory/1796-22-0x000001ACB0090000-0x000001ACB0091000-memory.dmp

Filesize
4KB

Download
memory/2404-59-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-50-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-77-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-76-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-75-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-74-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-29-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-30-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-31-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-32-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-33-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-34-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-35-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-36-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-37-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-38-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-39-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-40-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-41-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-42-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-43-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-44-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-45-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-46-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-47-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-48-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-49-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-73-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-51-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-52-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-53-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-54-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-55-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-56-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-57-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-58-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-72-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-60-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-61-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-62-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-63-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-64-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-65-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-66-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-67-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-68-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-69-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-70-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/2404-71-0x0000000000B50000-0x0000000000BCF000-memory.dmp

Filesize
508KB

Download
memory/3600-9-0x0000000000510000-0x000000000058F000-memory.dmp

Filesize
508KB

Download
memory/3600-10-0x0000000000510000-0x000000000058F000-memory.dmp

Filesize
508KB

Download
memory/3600-8-0x0000000000510000-0x000000000058F000-memory.dmp

Filesize
508KB

Download
memory/3600-11-0x0000000000510000-0x000000000058F000-memory.dmp

Filesize
508KB

Download
memory/3800-27-0x0000000000F90000-0x000000000100F000-memory.dmp

Filesize
508KB

Download
memory/3800-26-0x0000000000F90000-0x000000000100F000-memory.dmp

Filesize
508KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.