remcos | 0d9239013e7f6fab8aab618ce46b5225d0283da9f81d937cae7a3988a127f879

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d9239013e7f6fab8aab618ce46b5225d0283da9f81d937cae7a3988a127f879.exe
Size

939KB
MD5

b596edf7ebfb3a944a94685a207677bd
SHA1

e6776df73c784fec5de9c79bce860081d2915ed2
SHA256

0d9239013e7f6fab8aab618ce46b5225d0283da9f81d937cae7a3988a127f879
SHA512

4518583947197b9a4afc0011d1ec2f1d051fbf02cbdde4ec9649b5f48da76b60697ad594da188fb6e364ea6eb2793a2e2fa6975164d693b4919b11322b9fedf5
SSDEEP

24576:kiUmSB/o5d1ubcvg4nZmSjtJLzxAeWtDMXuFc+d3oC8:k/mU/ohubcvNmSJJLzxrEDMXPmo

Score

10^/10

remcos remotehost collection discovery rat spyware stealer upx

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

192.210.150.26:3678

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-MKYDDH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 6 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/440-46-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/528-47-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2448-57-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/440-50-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/528-49-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/440-60-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/528-47-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/528-49-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/440-46-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/440-50-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/440-60-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Graff.vbs	Graff.exe

Executes dropped EXE 4 IoCs

pid	Process
4264	Graff.exe
440	Graff.exe
528	Graff.exe
2448	Graff.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Graff.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1020-14-0x0000000000460000-0x0000000000661000-memory.dmp	autoit_exe
behavioral2/memory/4264-22-0x0000000001250000-0x0000000001650000-memory.dmp	autoit_exe
behavioral2/memory/4264-48-0x0000000000AF0000-0x0000000000CF1000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4264 set thread context of 440	4264	Graff.exe	93
PID 4264 set thread context of 528	4264	Graff.exe	94
PID 4264 set thread context of 2448	4264	Graff.exe	95

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1020-0-0x0000000000460000-0x0000000000661000-memory.dmp	upx
behavioral2/files/0x000a000000023b9e-10.dat	upx
behavioral2/memory/4264-11-0x0000000000AF0000-0x0000000000CF1000-memory.dmp	upx
behavioral2/memory/1020-14-0x0000000000460000-0x0000000000661000-memory.dmp	upx
behavioral2/memory/4264-48-0x0000000000AF0000-0x0000000000CF1000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d9239013e7f6fab8aab618ce46b5225d0283da9f81d937cae7a3988a127f879.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Graff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Graff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Graff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Graff.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
440	Graff.exe
440	Graff.exe
2448	Graff.exe
2448	Graff.exe
440	Graff.exe
440	Graff.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4264	Graff.exe
4264	Graff.exe
4264	Graff.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	Graff.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 4264	1020	0d9239013e7f6fab8aab618ce46b5225d0283da9f81d937cae7a3988a127f879.exe	83
PID 1020 wrote to memory of 4264	1020	0d9239013e7f6fab8aab618ce46b5225d0283da9f81d937cae7a3988a127f879.exe	83
PID 1020 wrote to memory of 4264	1020	0d9239013e7f6fab8aab618ce46b5225d0283da9f81d937cae7a3988a127f879.exe	83
PID 4264 wrote to memory of 440	4264	Graff.exe	93
PID 4264 wrote to memory of 440	4264	Graff.exe	93
PID 4264 wrote to memory of 440	4264	Graff.exe	93
PID 4264 wrote to memory of 440	4264	Graff.exe	93
PID 4264 wrote to memory of 528	4264	Graff.exe	94
PID 4264 wrote to memory of 528	4264	Graff.exe	94
PID 4264 wrote to memory of 528	4264	Graff.exe	94
PID 4264 wrote to memory of 528	4264	Graff.exe	94
PID 4264 wrote to memory of 2448	4264	Graff.exe	95
PID 4264 wrote to memory of 2448	4264	Graff.exe	95
PID 4264 wrote to memory of 2448	4264	Graff.exe	95
PID 4264 wrote to memory of 2448	4264	Graff.exe	95

C:\Users\Admin\AppData\Local\Temp\0d9239013e7f6fab8aab618ce46b5225d0283da9f81d937cae7a3988a127f879.exe
"C:\Users\Admin\AppData\Local\Temp\0d9239013e7f6fab8aab618ce46b5225d0283da9f81d937cae7a3988a127f879.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Users\Admin\AppData\Local\misruling\Graff.exe
  "C:\Users\Admin\AppData\Local\Temp\0d9239013e7f6fab8aab618ce46b5225d0283da9f81d937cae7a3988a127f879.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Users\Admin\AppData\Local\misruling\Graff.exe
    C:\Users\Admin\AppData\Local\misruling\Graff.exe /stext "C:\Users\Admin\AppData\Local\Temp\pvtfem"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:440
- - C:\Users\Admin\AppData\Local\misruling\Graff.exe
    C:\Users\Admin\AppData\Local\misruling\Graff.exe /stext "C:\Users\Admin\AppData\Local\Temp\zpgxffmdq"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:528
- - C:\Users\Admin\AppData\Local\misruling\Graff.exe
    C:\Users\Admin\AppData\Local\misruling\Graff.exe /stext "C:\Users\Admin\AppData\Local\Temp\ksmigxxfmghk"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
45c5ccaa4b8e72dab10d42565fe9f4d7

SHA1
8d1a9dd1f8ab2769f825c2dfad7573dd87689170

SHA256
49c4aad8262b70807d6718bbbdc4e34959d82446c430e1d22558a963bf8ad602

SHA512
260028a3a1c933142d7e339e917206592f6df910a80c3919fb426d189c31260e62c58beaef9aeda830efa1f7f31e18a42cfe3c256cd33a11efe17ade97a7c0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pvtfem

Filesize
4KB

MD5
c3c5f2de99b7486f697634681e21bab0

SHA1
00f90d495c0b2b63fde6532e033fdd2ade25633d

SHA256
76296dc29f718988107d35d0e0b835c2bf3fc7405e79e5121aa4738f82b51582

SHA512
7c60ffdc093de30e793d20768877f2f586bee3e948767871f9a1139252d5d2f593ba6f88ce0ed5f72c79faddb26186792df0581e4b6c84d405c44d9d12f951b8

Download Submit
C:\Users\Admin\AppData\Local\misruling\Graff.exe

Filesize
939KB

MD5
b596edf7ebfb3a944a94685a207677bd

SHA1
e6776df73c784fec5de9c79bce860081d2915ed2

SHA256
0d9239013e7f6fab8aab618ce46b5225d0283da9f81d937cae7a3988a127f879

SHA512
4518583947197b9a4afc0011d1ec2f1d051fbf02cbdde4ec9649b5f48da76b60697ad594da188fb6e364ea6eb2793a2e2fa6975164d693b4919b11322b9fedf5

Download Submit
memory/440-44-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/440-46-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/440-50-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/440-60-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/440-38-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/528-45-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/528-41-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/528-49-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/528-47-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1020-0-0x0000000000460000-0x0000000000661000-memory.dmp

Filesize
2.0MB

Download
memory/1020-14-0x0000000000460000-0x0000000000661000-memory.dmp

Filesize
2.0MB

Download
memory/1020-7-0x00000000013B0000-0x00000000017B0000-memory.dmp

Filesize
4.0MB

Download
memory/2448-57-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2448-51-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2448-53-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4264-28-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4264-22-0x0000000001250000-0x0000000001650000-memory.dmp

Filesize
4.0MB

Download
memory/4264-36-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4264-34-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4264-33-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4264-32-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4264-48-0x0000000000AF0000-0x0000000000CF1000-memory.dmp

Filesize
2.0MB

Download
memory/4264-31-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4264-29-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4264-30-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4264-24-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4264-27-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4264-61-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4264-58-0x0000000001250000-0x0000000001650000-memory.dmp

Filesize
4.0MB

Download
memory/4264-63-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4264-67-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4264-66-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4264-68-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4264-11-0x0000000000AF0000-0x0000000000CF1000-memory.dmp

Filesize
2.0MB

Download
memory/4264-75-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4264-76-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4264-87-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4264-88-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4264-98-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4264-99-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4264-109-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4264-110-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download