remcos | 871f18d099c9736f0115a57b020aba083f8af3c22dd5d990ce090c2899010129

Analysis

max time kernel
148s
max time network
133s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
01-02-2025 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Phoenix Bios Editor/Phoenix Bios Editor.exe
Size

3.0MB
MD5

724e28bfe09dfaf69bd9df89bee3770d
SHA1

a2450d169a800d74199e42fac815ec0311d893c0
SHA256

fa882edca2a7f0e561e4b8ee3cd8260a39a09d598fe0f197ad59038df45adb9f
SHA512

33d7bcd590bcd66c6b56ce6963330f59adeba7f85d063388209ac3ae8e75f3285eaa20fa09221c630307d72ab0be40b93b629e88b78de557b38c4904f261c35b
SSDEEP

49152:ZEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVd3338w:t92bz2Eb6pd7B6bAGx7n333j

Score

10^/10

remcos 1anew discovery rat

Malware Config

Extracted

Family

remcos

Botnet

1aNEW

5.45.76.64:1463

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
dasdasdas0saVosR0s01-XF6C0E
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 3 IoCs

pid	Process
2820	Phoenix Bios Editor.EXE
2948	ISDbg.exe
844	ISDbg.exe

Loads dropped DLL 19 IoCs

pid	Process
1736	Phoenix Bios Editor.exe
2820	Phoenix Bios Editor.EXE
2820	Phoenix Bios Editor.EXE
2820	Phoenix Bios Editor.EXE
1736	Phoenix Bios Editor.exe
2948	ISDbg.exe
2820	Phoenix Bios Editor.EXE
2948	ISDbg.exe
2820	Phoenix Bios Editor.EXE
2948	ISDbg.exe
2948	ISDbg.exe
2948	ISDbg.exe
2948	ISDbg.exe
844	ISDbg.exe
844	ISDbg.exe
844	ISDbg.exe
844	ISDbg.exe
844	ISDbg.exe
1888	cmd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GLBSINST.%$D	Phoenix Bios Editor.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 844 set thread context of 1888	844	ISDbg.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phoenix Bios Editor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phoenix Bios Editor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phoenix Bios Editor.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ISDbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ISDbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1736	Phoenix Bios Editor.exe
1736	Phoenix Bios Editor.exe
2948	ISDbg.exe
844	ISDbg.exe
844	ISDbg.exe
1888	cmd.exe
1888	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
844	ISDbg.exe
1888	cmd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1736	Phoenix Bios Editor.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 1736	2592	Phoenix Bios Editor.exe	30
PID 2592 wrote to memory of 1736	2592	Phoenix Bios Editor.exe	30
PID 2592 wrote to memory of 1736	2592	Phoenix Bios Editor.exe	30
PID 2592 wrote to memory of 1736	2592	Phoenix Bios Editor.exe	30
PID 2592 wrote to memory of 1736	2592	Phoenix Bios Editor.exe	30
PID 2592 wrote to memory of 1736	2592	Phoenix Bios Editor.exe	30
PID 2592 wrote to memory of 1736	2592	Phoenix Bios Editor.exe	30
PID 1736 wrote to memory of 2820	1736	Phoenix Bios Editor.exe	31
PID 1736 wrote to memory of 2820	1736	Phoenix Bios Editor.exe	31
PID 1736 wrote to memory of 2820	1736	Phoenix Bios Editor.exe	31
PID 1736 wrote to memory of 2820	1736	Phoenix Bios Editor.exe	31
PID 1736 wrote to memory of 2820	1736	Phoenix Bios Editor.exe	31
PID 1736 wrote to memory of 2820	1736	Phoenix Bios Editor.exe	31
PID 1736 wrote to memory of 2820	1736	Phoenix Bios Editor.exe	31
PID 1736 wrote to memory of 2948	1736	Phoenix Bios Editor.exe	32
PID 1736 wrote to memory of 2948	1736	Phoenix Bios Editor.exe	32
PID 1736 wrote to memory of 2948	1736	Phoenix Bios Editor.exe	32
PID 1736 wrote to memory of 2948	1736	Phoenix Bios Editor.exe	32
PID 1736 wrote to memory of 2948	1736	Phoenix Bios Editor.exe	32
PID 1736 wrote to memory of 2948	1736	Phoenix Bios Editor.exe	32
PID 1736 wrote to memory of 2948	1736	Phoenix Bios Editor.exe	32
PID 2948 wrote to memory of 844	2948	ISDbg.exe	33
PID 2948 wrote to memory of 844	2948	ISDbg.exe	33
PID 2948 wrote to memory of 844	2948	ISDbg.exe	33
PID 2948 wrote to memory of 844	2948	ISDbg.exe	33
PID 2948 wrote to memory of 844	2948	ISDbg.exe	33
PID 2948 wrote to memory of 844	2948	ISDbg.exe	33
PID 2948 wrote to memory of 844	2948	ISDbg.exe	33
PID 844 wrote to memory of 1888	844	ISDbg.exe	34
PID 844 wrote to memory of 1888	844	ISDbg.exe	34
PID 844 wrote to memory of 1888	844	ISDbg.exe	34
PID 844 wrote to memory of 1888	844	ISDbg.exe	34
PID 844 wrote to memory of 1888	844	ISDbg.exe	34
PID 1888 wrote to memory of 2136	1888	cmd.exe	37
PID 1888 wrote to memory of 2136	1888	cmd.exe	37
PID 1888 wrote to memory of 2136	1888	cmd.exe	37
PID 1888 wrote to memory of 2136	1888	cmd.exe	37
PID 1888 wrote to memory of 2136	1888	cmd.exe	37
PID 1888 wrote to memory of 2136	1888	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\Phoenix Bios Editor\Phoenix Bios Editor.exe
"C:\Users\Admin\AppData\Local\Temp\Phoenix Bios Editor\Phoenix Bios Editor.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Users\Admin\AppData\Local\Temp\Phoenix Bios Editor\Phoenix Bios Editor.exe
  "C:\Users\Admin\AppData\Local\Temp\Phoenix Bios Editor\Phoenix Bios Editor.exe" /VERYSILENT
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Roaming\Phoenix Bios Editor\Phoenix Bios Editor.EXE
    "C:\Users\Admin\AppData\Roaming\Phoenix Bios Editor\Phoenix Bios Editor.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2820
- - C:\Users\Admin\AppData\Roaming\ISDbg.exe
    "C:\Users\Admin\AppData\Roaming\ISDbg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Users\Admin\AppData\Roaming\abuSync_v1\ISDbg.exe
      C:\Users\Admin\AppData\Roaming\abuSync_v1\ISDbg.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:844
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1888
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\97dc9bae

Filesize
1.2MB

MD5
0cd76d767d60b256f268f39d347a555b

SHA1
d1c37f0db9c257d500b31b76ee4bb9780498c7fd

SHA256
4a53beed8f4a0082ac9d8678a98989e063b9518f4e724ad1a4f7dd489b0f5cea

SHA512
440c20135469f6fc628ed406e813587d653cec91791fee664ec5d63b1787ceaf4a8c91e43007882f093d9505e7bc7315a684d9d7f91b038ee724f1acf91816f9

Download Submit
C:\Users\Admin\AppData\Roaming\FNP_Act_Installer.dll

Filesize
3.2MB

MD5
818abbbd3717505c01e4e8277406af8f

SHA1
4374b855c5a37e89daa37791d1a4f2c635bf66e7

SHA256
bc0acdfb672ad01ad3b658ee51e2ee6523d56ea4bc4c066b390cf9b494e2aa69

SHA512
7c73ec9b15e82964573db1b7d3996677b244b6efa64cab60cefff6d995d3ea3e6e89c1578c5b5a266b964a19336ce5b956a4a4f37be12b4907dbee827b6613b9

Download Submit
C:\Users\Admin\AppData\Roaming\ISDbg.exe

Filesize
3.6MB

MD5
7ca79f128adaf85ba662d15af223acac

SHA1
af6d8587efe0fa22b38e623b0358e4636ac7ea65

SHA256
af2f747f6daa4b949ee7e418e36aee0e40de8abd3cbd4dccc26105dbfa8211d6

SHA512
3ac8fd62d6f4143d0704233664d19271f00bc9322239975d3403272cb9f2b4836d8329431507543f973deb353ddb80ea26befe6217a400d3c6fb5e43bc7652fd

Download Submit
C:\Users\Admin\AppData\Roaming\ISUIServices.dll

Filesize
7.1MB

MD5
4d7f8a6ba8b44ec5289ad9f6ff918e3f

SHA1
ceeb965929b3048fd571cc3563e0ed9f7ca903bf

SHA256
83af5aec929741d6b307dc09a73a7ec0105e5214c76a9345250b9f61e546fc5f

SHA512
e25e3ed0f755dcf99d03f4a29b87f9539773cc0e344e63bd26f82dca22d5ebb18bb98ab7fde935354a5b9e7ba1a17ddaf112c2ec887e0f1aed6fb4245e26fbec

Download Submit
C:\Users\Admin\AppData\Roaming\MSIMG32.dll

Filesize
3KB

MD5
ae2fb3295fd4bee1e651b7b6639d7bfe

SHA1
4ac939d67002aabccf7a5878302a37b8079dda12

SHA256
c1f88d099af72cae6f6baaf7473da78279dc50b112f7fb68f93b5c3f29051c45

SHA512
90c2adc288547a2fec7bf6865b1341f2708ecf1e9ca78e0e440de008c5b032192998a42de0359f267e51d7ed8ee6a8e3ecc007d002d394cc5629cb81d94e9db9

Download Submit
C:\Users\Admin\AppData\Roaming\MSVCP140.dll

Filesize
437KB

MD5
dc739066c9d0ca961cba2f320cade28e

SHA1
81ed5f7861e748b90c7ae2d18da80d1409d1fa05

SHA256
74e9268a68118bb1ac5154f8f327887715960ccc37ba9dabbe31ecd82dcbaa55

SHA512
4eb181984d989156b8703fd8bb8963d7a5a3b7f981fe747c6992993b7a1395a21f45dbedf08c1483d523e772bdf41330753e1771243b53da36d2539c01171cf1

Download Submit
C:\Users\Admin\AppData\Roaming\divot.docx

Filesize
53KB

MD5
17fcdf24f7d570246c32c790d992a91c

SHA1
b8caba8fc1e475b51b5b48506b772a8a35139bac

SHA256
86cb0c334ea341bbcffc877d87e0fffce01f8f080bef8cf1d63c659414e8f961

SHA512
33a9b385c59381cc59a1104d2f48d9bcec606af5d752b6d94929c39b61a4679c8c5703ae0317b544a6ef94449b6a550585ff1597034fdaac10d773499542d510

Download Submit
C:\Users\Admin\AppData\Roaming\nomansland.tif

Filesize
947KB

MD5
01eb5e312e193602837d645d4ca53e75

SHA1
efe9810eb55216cdbb9257c648e648a826c3505e

SHA256
5e0117d5e3670262e002a837a84574914afcf66dcdd08f7cb4e5bad40543ed52

SHA512
5f2604aa9c756739b2e9abd7b5e654b94f3a71293d2a8ae8743fa94eee4080fa762da18fe76ba51dcb7eac20465e2cc8c521c160b2b54a966edfd2f519d10c4d

Download Submit
\Users\Admin\AppData\Local\Temp\GLCA959.tmp

Filesize
144KB

MD5
acfcab119456b15bb70baceb81bd7e5f

SHA1
5db05f57795d1718d78d168aa6de07e252b8706e

SHA256
76c0a0aa1a6a2e050a24795d772ba598cf074a1bb4c8c62658b9e55dbf3a89bd

SHA512
f3203f665177d340a5494f5e59206b8f3a37bdef5ac457b06a144b1db9d8671764ed3536a1093799a8e5a37f4c0b829f75b9d5301f2018b534f9d72be8db1782

Download Submit
\Users\Admin\AppData\Local\Temp\GLKAC58.tmp

Filesize
30KB

MD5
3df61e5730883b2d338addd7acbe4bc4

SHA1
03166e6230231e7e3583cf9c8944f4967aa1bf1b

SHA256
2efe9a54c8eb878711d9b6cd18f276838645aff52fe69d8a864376cb258ec616

SHA512
36e9d705d22dad3d952b4da578a990f2b63ec2f9fbf2734efdaea9ecbd4f07a8d7232792eb5bdd81c553354d51334993cb6103c377f3483a680eac9e41cd2087

Download Submit
\Users\Admin\AppData\Roaming\Phoenix Bios Editor\Phoenix Bios Editor.EXE

Filesize
6.1MB

MD5
fad962e8e1495a718fe992c62dc663d7

SHA1
4c960d75737e0956cbf3d09f3e61763492c34a90

SHA256
0b08210c54d38c23b9145ed6f22ca888b94a5fea966069e9e3789f379c5aa253

SHA512
8a93a1bc3b2359b14a32b7d8cdf2f32df9473a370d207f5034cc57483045271019b3606fec1ade5e3160e6ebaafaf4e6bde3c7c5dbb2f91fa222e3438de51eab

Download Submit
\Users\Admin\AppData\Roaming\vcruntime140.dll

Filesize
88KB

MD5
1d4ff3cf64ab08c66ae9a4013c89a3ac

SHA1
f9ee15d0e9b0b7e04ff4c8a5de5afcffe8b2527b

SHA256
65f620bc588d95fe2ed236d1602e49f89077b434c83102549eed137c7fdc7220

SHA512
65fbd68843280e933620c470e524fba993ab4c48ede4bc0917b4ebe25da0408d02daec3f5afcd44a3ff8aba676d2eff2dda3f354029d27932ef39c9fdea51c26

Download Submit
memory/844-93-0x00000000771D0000-0x0000000077379000-memory.dmp

Filesize
1.7MB

Download
memory/844-82-0x00000000024C0000-0x0000000002BEA000-memory.dmp

Filesize
7.2MB

Download
memory/1736-39-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/1888-96-0x00000000771D0000-0x0000000077379000-memory.dmp

Filesize
1.7MB

Download
memory/1888-143-0x0000000073A90000-0x0000000073C04000-memory.dmp

Filesize
1.5MB

Download
memory/2136-150-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2136-153-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2136-158-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2136-157-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2136-145-0x00000000771D0000-0x0000000077379000-memory.dmp

Filesize
1.7MB

Download
memory/2136-146-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2136-149-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2136-156-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2136-151-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2136-152-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2136-155-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2136-154-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-0-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2592-3-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2948-64-0x00000000771D0000-0x0000000077379000-memory.dmp

Filesize
1.7MB

Download
memory/2948-46-0x0000000002190000-0x00000000028BA000-memory.dmp

Filesize
7.2MB

Download