remcos | 510e3978a0f5ad31b98ce85e604fa17397c0654d2c7e8ff35098b31483dd40f5

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

510e3978a0f5ad31b98ce85e604fa17397c0654d2c7e8ff35098b31483dd40f5.exe
Size

3.1MB
MD5

1a4b82ae2e587d81f93600c5b33844b0
SHA1

d550908811177477a0a718585a70225562047905
SHA256

510e3978a0f5ad31b98ce85e604fa17397c0654d2c7e8ff35098b31483dd40f5
SHA512

31ac9f8b4b4ebb31b10fb1b26111f1afaae99249152606d9d41d35dff256dcca26891aed177a32e9d997259b294b5fa8caf80414c00727863700257d51ea7b3e
SSDEEP

98304:+prFwhmHG7NltD7YUrUHmXSYd86nxWWWnmg8:+prPcTx7Y3miYW6nxW7nml

Score

10^/10

remcos crypt04 discovery rat

Malware Config

Extracted

Family

remcos

Botnet

Crypt04

185.208.158.161:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
crashhandlerinfo
mouse_option
false
mutex
Rmc-F12W9O
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	510e3978a0f5ad31b98ce85e604fa17397c0654d2c7e8ff35098b31483dd40f5.exe

Executes dropped EXE 2 IoCs

pid	Process
4060	ImApp.exe
3924	ImApp.exe

Loads dropped DLL 33 IoCs

pid	Process
4060	ImApp.exe
4060	ImApp.exe
4060	ImApp.exe
4060	ImApp.exe
4060	ImApp.exe
4060	ImApp.exe
4060	ImApp.exe
4060	ImApp.exe
4060	ImApp.exe
4060	ImApp.exe
4060	ImApp.exe
4060	ImApp.exe
4060	ImApp.exe
4060	ImApp.exe
4060	ImApp.exe
4060	ImApp.exe
3924	ImApp.exe
3924	ImApp.exe
3924	ImApp.exe
3924	ImApp.exe
3924	ImApp.exe
3924	ImApp.exe
3924	ImApp.exe
3924	ImApp.exe
3924	ImApp.exe
3924	ImApp.exe
3924	ImApp.exe
3924	ImApp.exe
3924	ImApp.exe
3924	ImApp.exe
3924	ImApp.exe
3924	ImApp.exe
4860	yq_Control_v5.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3924 set thread context of 4464	3924	ImApp.exe	85

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\althttpSz_test_v5.job	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ImApp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ImApp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yq_Control_v5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	510e3978a0f5ad31b98ce85e604fa17397c0654d2c7e8ff35098b31483dd40f5.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4060	ImApp.exe
3924	ImApp.exe
3924	ImApp.exe
4464	cmd.exe
4464	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3924	ImApp.exe
4464	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4860	yq_Control_v5.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 660 wrote to memory of 4060	660	510e3978a0f5ad31b98ce85e604fa17397c0654d2c7e8ff35098b31483dd40f5.exe	83
PID 660 wrote to memory of 4060	660	510e3978a0f5ad31b98ce85e604fa17397c0654d2c7e8ff35098b31483dd40f5.exe	83
PID 660 wrote to memory of 4060	660	510e3978a0f5ad31b98ce85e604fa17397c0654d2c7e8ff35098b31483dd40f5.exe	83
PID 4060 wrote to memory of 3924	4060	ImApp.exe	84
PID 4060 wrote to memory of 3924	4060	ImApp.exe	84
PID 4060 wrote to memory of 3924	4060	ImApp.exe	84
PID 3924 wrote to memory of 4464	3924	ImApp.exe	85
PID 3924 wrote to memory of 4464	3924	ImApp.exe	85
PID 3924 wrote to memory of 4464	3924	ImApp.exe	85
PID 3924 wrote to memory of 4464	3924	ImApp.exe	85
PID 4464 wrote to memory of 4860	4464	cmd.exe	101
PID 4464 wrote to memory of 4860	4464	cmd.exe	101
PID 4464 wrote to memory of 4860	4464	cmd.exe	101
PID 4464 wrote to memory of 4860	4464	cmd.exe	101
PID 4464 wrote to memory of 4860	4464	cmd.exe	101
PID 4464 wrote to memory of 4860	4464	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\510e3978a0f5ad31b98ce85e604fa17397c0654d2c7e8ff35098b31483dd40f5.exe
"C:\Users\Admin\AppData\Local\Temp\510e3978a0f5ad31b98ce85e604fa17397c0654d2c7e8ff35098b31483dd40f5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:660
- C:\Users\Admin\AppData\Local\Temp\ImApp.exe
  "C:\Users\Admin\AppData\Local\Temp\ImApp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Users\Admin\AppData\Roaming\localsync\ImApp.exe
    C:\Users\Admin\AppData\Roaming\localsync\ImApp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4464
    - - C:\Users\Admin\AppData\Local\Temp\yq_Control_v5.exe
        
        C:\Users\Admin\AppData\Local\Temp\yq_Control_v5.exe
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\crashhandlerinfo\logs.dat

Filesize
144B

MD5
ea2745731b7019338b8556ae817a4a36

SHA1
6bd8c6cafa189dbf8886f3f469529e0af0b6f73c

SHA256
d56487ee5906d2c43d09d192aa54dd4631fbf7add49fee9f5b081856ad7b2015

SHA512
5e77bbef42144ad829776ce3b4d01a1edffe7aab9509f8f5f2bfc3c6e53ee869a55d0774a2b93eb037ea78c0acd22884c342dd59c720762446b9187061c0e863

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMHttpComm.dll

Filesize
32KB

MD5
a70d91a9fd7b65baa0355ee559098bd8

SHA1
546127579c06ae0ae4f63f216da422065a859e2f

SHA256
96d6264b26decf6595ca6f0584a1b60589ec5dacdf03ddf5fbb6104a6afc9e7a

SHA512
f13b735a47090c7c6cc6c2bf9148408ee6db179c96ee6428270541f27e50ad12cff7486f3a6ffac2ba83fd2e6e8e49661e6258f5aee97eb0f48771cbbd22aefa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ImABU.dll

Filesize
310KB

MD5
2102382908725f195ce2c3703caa0c5f

SHA1
1b2817c66c9e98e3286498382a7136f1232fc67a

SHA256
c56d37f20069e48eade31236b4d3aa5afda2621bd77760e85964f1e6834be9a6

SHA512
80986592a58856b2e741c88f3d0d89512fa05fe77d2a2ddd2c411593875568e842eba2e8ae2ccf1de52bdf21b6a7227156bf69e40ae1fd20c5d592a8c814974f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ImApp.exe

Filesize
258KB

MD5
312707a513f86ed20642f43f8ef4dd14

SHA1
eab360e8a8e8e5b6bf139394ca1409888586d02f

SHA256
9b398917c796083a6005ab3f9d78243dbc0fad12be1e196be2b01041d4c951a7

SHA512
cd11b6cc2d058f5825bd90f342df22fc22fe19f5e3e1cbb197fbbe83a64367bbeaac748ce9d9685403f3c32a36b329e061fabbf54badc5486c442d5df7168f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\ImDbU.dll

Filesize
86KB

MD5
8ae8bb143301934a023bc5c9bb160b56

SHA1
228c965619b188cc3c68563bd33691158699416c

SHA256
db890bb2555e0bf3f82b38dc12ecd581348e40e53f9a51dd512149075c7df0a4

SHA512
827729a19f68c732f9ab9e4de90dd5c8cdce9993487c9016ac646c3c4ab966431c51b999e45571efc0ad0380e5d280aa32bcf8b07a73cc52e70a11935ae5356b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ImLookExU.dll

Filesize
262KB

MD5
6527be4d6a3333dc5a49218c4f80530d

SHA1
97c8965b01d2644fb17a0f818af59bc0471e38a7

SHA256
908ab22cb8fa1b9125cf5746e5591fd84e4853326a812b9431ca1c0b9e997e1f

SHA512
69a57cc28583861b97a02968106f007d56c2b5826fc5aa843978f0bf3a3f155ad9f2b7dfbe8260e38c2a7b1ed759f6f6fadbeef32cec9d7c4ab8f541f645dc5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ImLookU.dll

Filesize
606KB

MD5
3ea6d805a18715f7368363dea3cd3f4c

SHA1
30ffafc1dd447172fa91404f07038d759c412464

SHA256
a6766c524497144d585efa4fe384b516b563203427003508f7c8f6bffa7c928d

SHA512
a102f23741de4ca2184485d9aa4ddd1a36b9ea52cb0859cfd264d69a9996293b7e29b325625f1f6f9330d6c80ff415e09e85e1ae838c58acef585ae8dffe3070

Download Submit
C:\Users\Admin\AppData\Local\Temp\ImUtilsU.dll

Filesize
1.4MB

MD5
a7eaba8bc12b2b7ec2a41a4d9e45008a

SHA1
6a96a18bb4f1cd6196517713ed634f37f6b0362b

SHA256
914b1e53451b8be2c362d62514f28bdef46a133535d959b13f3f4bf3bc63df3a

SHA512
0ae7fbdb2677d92c62337aa17b60a4887240a4a426ba638c7633587f4582adbcda2bde5ec824aab1a3f69acf2b391118763842acfab856d3d9764850961a2ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ImWrappU.dll

Filesize
158KB

MD5
cbf4827a5920a5f02c50f78ed46d0319

SHA1
b035770e9d9283c61f8f8bbc041e3add0197de7b

SHA256
7187903a9e4078f4d31f4b709a59d24eb6b417ea289f4f28eabce1ea2e713dce

SHA512
d1a285fb630f55df700a74e5222546656de7d2da7e1419e2936078340767d0bab343b603ba0d07140c790eb5d79a8a34b7818b90316ea06cb9f53cad86b6d3f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft.VC80.CRT.manifest

Filesize
1KB

MD5
541423a06efdcd4e4554c719061f82cf

SHA1
2e12c6df7352c3ed3c61a45baf68eace1cc9546e

SHA256
17ad1a64ba1c382abf89341b40950f9b31f95015c6b0d3e25925bfebc1b53eb5

SHA512
11cf735dcddba72babb9de8f59e0c180a9fec8268cbfca09d17d8535f1b92c17bf32acda86499e420cbe7763a96d6067feb67fa1ed745067ab326fd5b84188c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft.VC80.MFC.manifest

Filesize
2KB

MD5
97b859f11538bbe20f17dfb9c0979a1c

SHA1
2593ad721d7be3821fd0b40611a467db97be8547

SHA256
4ed3ba814de7fd08b4e4c6143d144e603536c343602e1071803b86e58391be36

SHA512
905c7879df47559ad271dc052ef8ae38555eac49e8ac516bc011624bf9a622eb10ee5c6a06fbd3e5c0fa956a0d38f03f6808c1c58ee57813818fe8b8319a3541

Download Submit
C:\Users\Admin\AppData\Local\Temp\SftTree_IX86_U_60.DLL

Filesize
564KB

MD5
15dea2a619d8cddefc323d95211356b8

SHA1
6ad3857bcef9cec11898fbb9539f1ba1069f4e18

SHA256
5713ae0dfa49270841503c1c21dbc741f5a8af4e0164678c9af502657962cc6d

SHA512
f34bf06be556cf958779c9e148e1e5d8af4a5d5a3a962d616ae0608f05d06d2274c0162f4ae4fae17cd87d62dbcba096e9d4c8379d8dfa2ddcb0b796612c11a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\circumferential.ogg

Filesize
1.1MB

MD5
8e659f89dafb44d5f405233a12a1a9c4

SHA1
ef9dc2732e567ded5383b7f41ceb31e73776a183

SHA256
c06e78e0579a5f2ad387073aa1daf459ac5fa777534a052317a09bafb1132dd2

SHA512
7d051809d61ae51d624bf766a2104ccf918597080638c62716104aec98853c66f311870c2abfd13abf2f2b80cf0bf41f1aa2b9fa0d32bdc0a75e0815d598de86

Download Submit
C:\Users\Admin\AppData\Local\Temp\mfc80u.dll

Filesize
1.0MB

MD5
ccc2e312486ae6b80970211da472268b

SHA1
025b52ff11627760f7006510e9a521b554230fee

SHA256
18be5d3c656236b7e3cd6d619d62496fe3e7f66bf2859e460f8ac3d1a6bdaa9a

SHA512
d6892abb1a85b9cf0fc6abe1c3aca6c46fc47541dffc2b75f311e8d2c9c1d367f265599456bd77be0e2b6d20c6c22ff5f0c46e7d9ba22c847ad1cbedc8ca3eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcp80.dll

Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcr80.dll

Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\necessary.mpeg

Filesize
28KB

MD5
30595ceadbd38b04ab1f3f8b70d3bb5b

SHA1
6c777dcea44fb9e44780b818ebf57ca286608122

SHA256
05e52dffccd38f4f8905bf9c34ef904ef708259e0ef39b2baa751d0aee1fa775

SHA512
b64578c8c4ba8c7b28cca6dea6abaf7bebf571d6b3b36247e398f020b04d83b44e5ff6fe0df3f7692226b0147da755be8ae0baa3b595498d7bd8bedc5ea5a525

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
465KB

MD5
b7fb7eb3cb04e0a086a8d945ff45615e

SHA1
cefaba225deae05b56451f18f11581631147a081

SHA256
8567b0e23fd4178270ca674810755c9dfdae1f4028e01c0c74a4eeb7774a1688

SHA512
54238bb4d3ffb3135703627e53f59bcec25f1d4f73412bb30283c65ba627c42e279be2c3299497b191fe4dec1d1b0d4e4998091a645337c75aa13f1d5f46eee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlessfp1.dll

Filesize
70KB

MD5
5120c44f241a12a3d5a3e87856477c13

SHA1
cd8a6ef728c48e17d570c8dc582ec49e17104f6d

SHA256
fbd4b6011d3d1c2af22827ca548ba19669eef31173d496e75f064ef7a884431c

SHA512
67c0e718368e950d42f007d6a21c6f903b084d6514f777b86aab3111ffe3be995949674276081c0281139a0b39119b84630a0ac341d4ae78677ac8346f371ae1

Download Submit
C:\Users\Admin\AppData\Roaming\localsync\ImNtUtilU.dll

Filesize
94KB

MD5
bb326fe795e2c1c19cd79f320e169fd3

SHA1
1c1f2b8d98f01870455712e6eba26d77753adcac

SHA256
a8e1b0e676dce9556037d29fd96521ec814858404ba4cfdd0db0edbe22c87bc7

SHA512
a1ec894151baa14e4ac1ee9471e8606bf74edd39f7833d9a1a44eee74d403f6b52780c135e9718ff9564fa27d7128c22b8410b21f77e6d804f698cfb4eda65a1

Download Submit
memory/3924-146-0x0000000073790000-0x000000007390B000-memory.dmp

Filesize
1.5MB

Download
memory/3924-140-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/3924-136-0x00000000007B0000-0x000000000083E000-memory.dmp

Filesize
568KB

Download
memory/3924-133-0x00000000005F0000-0x000000000063D000-memory.dmp

Filesize
308KB

Download
memory/3924-144-0x0000000073790000-0x000000007390B000-memory.dmp

Filesize
1.5MB

Download
memory/3924-145-0x00007FFCF2570000-0x00007FFCF2765000-memory.dmp

Filesize
2.0MB

Download
memory/4060-84-0x00007FFCF2570000-0x00007FFCF2765000-memory.dmp

Filesize
2.0MB

Download
memory/4060-73-0x0000000002120000-0x0000000002130000-memory.dmp

Filesize
64KB

Download
memory/4060-69-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/4060-76-0x0000000002140000-0x00000000021CE000-memory.dmp

Filesize
568KB

Download
memory/4060-131-0x0000000060900000-0x0000000060979000-memory.dmp

Filesize
484KB

Download
memory/4464-149-0x00007FFCF2570000-0x00007FFCF2765000-memory.dmp

Filesize
2.0MB

Download
memory/4464-150-0x0000000073790000-0x000000007390B000-memory.dmp

Filesize
1.5MB

Download
memory/4464-156-0x0000000073790000-0x000000007390B000-memory.dmp

Filesize
1.5MB

Download
memory/4860-170-0x00000000006F0000-0x0000000000771000-memory.dmp

Filesize
516KB

Download
memory/4860-179-0x00000000006F0000-0x0000000000771000-memory.dmp

Filesize
516KB

Download
memory/4860-167-0x00000000006F0000-0x0000000000771000-memory.dmp

Filesize
516KB

Download
memory/4860-163-0x00007FFCF2570000-0x00007FFCF2765000-memory.dmp

Filesize
2.0MB

Download
memory/4860-161-0x00000000006F0000-0x0000000000771000-memory.dmp

Filesize
516KB

Download
memory/4860-173-0x00000000006F0000-0x0000000000771000-memory.dmp

Filesize
516KB

Download
memory/4860-176-0x00000000006F0000-0x0000000000771000-memory.dmp

Filesize
516KB

Download
memory/4860-164-0x00000000006F0000-0x0000000000771000-memory.dmp

Filesize
516KB

Download
memory/4860-182-0x00000000006F0000-0x0000000000771000-memory.dmp

Filesize
516KB

Download
memory/4860-185-0x00000000006F0000-0x0000000000771000-memory.dmp

Filesize
516KB

Download
memory/4860-188-0x00000000006F0000-0x0000000000771000-memory.dmp

Filesize
516KB

Download
memory/4860-191-0x00000000006F0000-0x0000000000771000-memory.dmp

Filesize
516KB

Download
memory/4860-194-0x00000000006F0000-0x0000000000771000-memory.dmp

Filesize
516KB

Download
memory/4860-197-0x00000000006F0000-0x0000000000771000-memory.dmp

Filesize
516KB

Download