remcos | 8951d42cd54ee24819e35270f5106ce547cbd23ac8a97e43135be5c6f4da79e9

Analysis

max time kernel
300s
max time network
278s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

completed payment Swift.exe
Size

618KB
MD5

9f596e0ef377a10ac315ea255dddd93a
SHA1

c01d886bf3ba5ada0b5685ce524061401e9c4bfe
SHA256

7ccf91b8dba6200f57181d52809c2edd10fe69a5334dfef8ee5426f882adfbe2
SHA512

1324ccbe878072d811e0ce7d344e4e8d0e5ffa27395ea2afb51e5eac99b45b723bd744a5217611da524e33281f0915ae468605db05040947e040708c81d117bb
SSDEEP

12288:h1zTwu+3/aEu57XO1KU7ZMveuWSA1YBcOxuuUHFFnsdFvMAqJ:0n3/aECOwKmvekyYBcOuPFFUFvMZJ

Score

10^/10

remcos googlegroupaccount collection discovery persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

googlegroupaccount

213.152.187.241:12776

10.14.10.19:12776

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
googlegroupaccount.exe
copy_folder
googlegroupaccount
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-6741XM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/748-50-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/1804-52-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1208-56-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/748-50-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/1804-52-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	completed payment Swift.exe

Executes dropped EXE 6 IoCs

pid	Process
4088	googlegroupaccount.exe
2516	googlegroupaccount.exe
1804	googlegroupaccount.exe
748	googlegroupaccount.exe
4604	googlegroupaccount.exe
1208	googlegroupaccount.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	googlegroupaccount.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-6741XM = "\"C:\\Users\\Admin\\AppData\\Roaming\\googlegroupaccount\\googlegroupaccount.exe\""	completed payment Swift.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-6741XM = "\"C:\\Users\\Admin\\AppData\\Roaming\\googlegroupaccount\\googlegroupaccount.exe\""	googlegroupaccount.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-6741XM = "\"C:\\Users\\Admin\\AppData\\Roaming\\googlegroupaccount\\googlegroupaccount.exe\""	googlegroupaccount.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-6741XM = "\"C:\\Users\\Admin\\AppData\\Roaming\\googlegroupaccount\\googlegroupaccount.exe\""	completed payment Swift.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2520 set thread context of 2448	2520	completed payment Swift.exe	82
PID 4088 set thread context of 2516	4088	googlegroupaccount.exe	84
PID 2516 set thread context of 1804	2516	googlegroupaccount.exe	85
PID 2516 set thread context of 748	2516	googlegroupaccount.exe	86
PID 2516 set thread context of 1208	2516	googlegroupaccount.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	googlegroupaccount.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	googlegroupaccount.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	completed payment Swift.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	completed payment Swift.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	googlegroupaccount.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	googlegroupaccount.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	googlegroupaccount.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1804	googlegroupaccount.exe
1804	googlegroupaccount.exe
1208	googlegroupaccount.exe
1208	googlegroupaccount.exe
1804	googlegroupaccount.exe
1804	googlegroupaccount.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
2516	googlegroupaccount.exe
2516	googlegroupaccount.exe
2516	googlegroupaccount.exe
2516	googlegroupaccount.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1208	googlegroupaccount.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2516	googlegroupaccount.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2448	2520	completed payment Swift.exe	82
PID 2520 wrote to memory of 2448	2520	completed payment Swift.exe	82
PID 2520 wrote to memory of 2448	2520	completed payment Swift.exe	82
PID 2520 wrote to memory of 2448	2520	completed payment Swift.exe	82
PID 2520 wrote to memory of 2448	2520	completed payment Swift.exe	82
PID 2520 wrote to memory of 2448	2520	completed payment Swift.exe	82
PID 2520 wrote to memory of 2448	2520	completed payment Swift.exe	82
PID 2520 wrote to memory of 2448	2520	completed payment Swift.exe	82
PID 2520 wrote to memory of 2448	2520	completed payment Swift.exe	82
PID 2520 wrote to memory of 2448	2520	completed payment Swift.exe	82
PID 2448 wrote to memory of 4088	2448	completed payment Swift.exe	83
PID 2448 wrote to memory of 4088	2448	completed payment Swift.exe	83
PID 2448 wrote to memory of 4088	2448	completed payment Swift.exe	83
PID 4088 wrote to memory of 2516	4088	googlegroupaccount.exe	84
PID 4088 wrote to memory of 2516	4088	googlegroupaccount.exe	84
PID 4088 wrote to memory of 2516	4088	googlegroupaccount.exe	84
PID 4088 wrote to memory of 2516	4088	googlegroupaccount.exe	84
PID 4088 wrote to memory of 2516	4088	googlegroupaccount.exe	84
PID 4088 wrote to memory of 2516	4088	googlegroupaccount.exe	84
PID 4088 wrote to memory of 2516	4088	googlegroupaccount.exe	84
PID 4088 wrote to memory of 2516	4088	googlegroupaccount.exe	84
PID 4088 wrote to memory of 2516	4088	googlegroupaccount.exe	84
PID 4088 wrote to memory of 2516	4088	googlegroupaccount.exe	84
PID 2516 wrote to memory of 1804	2516	googlegroupaccount.exe	85
PID 2516 wrote to memory of 1804	2516	googlegroupaccount.exe	85
PID 2516 wrote to memory of 1804	2516	googlegroupaccount.exe	85
PID 2516 wrote to memory of 1804	2516	googlegroupaccount.exe	85
PID 2516 wrote to memory of 748	2516	googlegroupaccount.exe	86
PID 2516 wrote to memory of 748	2516	googlegroupaccount.exe	86
PID 2516 wrote to memory of 748	2516	googlegroupaccount.exe	86
PID 2516 wrote to memory of 748	2516	googlegroupaccount.exe	86
PID 2516 wrote to memory of 4604	2516	googlegroupaccount.exe	87
PID 2516 wrote to memory of 4604	2516	googlegroupaccount.exe	87
PID 2516 wrote to memory of 4604	2516	googlegroupaccount.exe	87
PID 2516 wrote to memory of 1208	2516	googlegroupaccount.exe	88
PID 2516 wrote to memory of 1208	2516	googlegroupaccount.exe	88
PID 2516 wrote to memory of 1208	2516	googlegroupaccount.exe	88
PID 2516 wrote to memory of 1208	2516	googlegroupaccount.exe	88

C:\Users\Admin\AppData\Local\Temp\completed payment Swift.exe
"C:\Users\Admin\AppData\Local\Temp\completed payment Swift.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\completed payment Swift.exe
  "C:\Users\Admin\AppData\Local\Temp\completed payment Swift.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Users\Admin\AppData\Roaming\googlegroupaccount\googlegroupaccount.exe
    "C:\Users\Admin\AppData\Roaming\googlegroupaccount\googlegroupaccount.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Users\Admin\AppData\Roaming\googlegroupaccount\googlegroupaccount.exe
      "C:\Users\Admin\AppData\Roaming\googlegroupaccount\googlegroupaccount.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2516
    - - C:\Users\Admin\AppData\Roaming\googlegroupaccount\googlegroupaccount.exe
        
        C:\Users\Admin\AppData\Roaming\googlegroupaccount\googlegroupaccount.exe /stext "C:\Users\Admin\AppData\Local\Temp\xuirmblewr"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1804
    - - C:\Users\Admin\AppData\Roaming\googlegroupaccount\googlegroupaccount.exe
        
        C:\Users\Admin\AppData\Roaming\googlegroupaccount\googlegroupaccount.exe /stext "C:\Users\Admin\AppData\Local\Temp\ioocmlwykzaxn"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:748
    - - C:\Users\Admin\AppData\Roaming\googlegroupaccount\googlegroupaccount.exe
        
        C:\Users\Admin\AppData\Roaming\googlegroupaccount\googlegroupaccount.exe /stext "C:\Users\Admin\AppData\Local\Temp\kitunegryiscxjbo"
        5⤵
        Executes dropped EXE
        
        PID:4604
    - - C:\Users\Admin\AppData\Roaming\googlegroupaccount\googlegroupaccount.exe
        
        C:\Users\Admin\AppData\Roaming\googlegroupaccount\googlegroupaccount.exe /stext "C:\Users\Admin\AppData\Local\Temp\kitunegryiscxjbo"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
0d95063634478483ad3d683ebc8df400

SHA1
7ddc13f946b6fae55ec73192c70b9237a5e8054c

SHA256
e862a2ab1aabb2efc19fc4c0699617803781b094b6a8f7b5e5b61861096809ae

SHA512
aa13c63598a4dd7de49d817cb94ac74ab77a9f3bee53433a96fff7832f938f12539d8dd25658fbf50e0e841ff690595f77b6d6672b0feb2244af2f0deea503ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuirmblewr

Filesize
4KB

MD5
7aca43b2800ceb18b3ed2326532545de

SHA1
d4cf207ef85bd749d59c1cb27a09c167ee21523a

SHA256
3d9f8622d97587fd84d3d0560a50ab38e5f894fe4b5bcaa34279643fdaaeb480

SHA512
0e002e6b8d965c227d9b1aa7c0251619c787ec7717e59667e756e5815e3666a955ea397eb148a1ed6bb7d8045727e4efa656a103f14bc70a03b03f0c91283c2f

Download Submit
C:\Users\Admin\AppData\Roaming\googlegroupaccount\googlegroupaccount.exe

Filesize
618KB

MD5
9f596e0ef377a10ac315ea255dddd93a

SHA1
c01d886bf3ba5ada0b5685ce524061401e9c4bfe

SHA256
7ccf91b8dba6200f57181d52809c2edd10fe69a5334dfef8ee5426f882adfbe2

SHA512
1324ccbe878072d811e0ce7d344e4e8d0e5ffa27395ea2afb51e5eac99b45b723bd744a5217611da524e33281f0915ae468605db05040947e040708c81d117bb

Download Submit
memory/748-46-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/748-50-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/748-49-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1208-53-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1208-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1208-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1804-52-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1804-44-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1804-48-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2448-9-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2448-21-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2448-7-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2448-6-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2448-4-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-33-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-101-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-25-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-36-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-37-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-38-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-39-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-40-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-42-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-43-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-29-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-142-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-141-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-34-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-32-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-133-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-134-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-126-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-125-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-118-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-62-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2516-66-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2516-65-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2516-67-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-68-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-69-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-72-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-117-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-77-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-78-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-86-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-85-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-93-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-94-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-27-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-102-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-110-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2516-109-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2520-1-0x0000000000F60000-0x0000000001000000-memory.dmp

Filesize
640KB

Download
memory/2520-2-0x0000000005FB0000-0x0000000006554000-memory.dmp

Filesize
5.6MB

Download
memory/2520-3-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/2520-10-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/2520-0-0x000000007486E000-0x000000007486F000-memory.dmp

Filesize
4KB

Download
memory/4088-22-0x000000007409E000-0x000000007409F000-memory.dmp

Filesize
4KB

Download
memory/4088-28-0x0000000074090000-0x0000000074840000-memory.dmp

Filesize
7.7MB

Download
memory/4088-35-0x0000000074090000-0x0000000074840000-memory.dmp

Filesize
7.7MB

Download