remcos | 3ccef307ca32975ddbf1b50130830cf8d077a796c61af77e77855f2f4766cac4

Analysis

max time kernel
152s
max time network
161s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
09/02/2025, 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

S3TurboTool_v1.53/S3TurboTool.exe
Size

3.0MB
MD5

722991dd18056a29c79c04868a03d81d
SHA1

320a236cca872b66bda713a1c6e8690f95bbb09b
SHA256

f57d195a651270f06b6ba5c21466401c0c3d035e21d7d217ab9268ea45d9f19b
SHA512

adcf0a8ec44e1558e3d6067126350c1efe947400f311405c84f37b6d7de83738a42ddf59c1f8178f68d9c45269bb2f95dd638037643a5521206b91e6fb2ec0eb
SSDEEP

49152:ZEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVd3338n:t92bz2Eb6pd7B6bAGx7n333k

Score

10^/10

remcos 1new discovery rat

Malware Config

Extracted

Family

remcos

Botnet

1NEW

5.45.67.76:1212

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
NoTuchengmYzfiFifFile-JPS74W
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 3 IoCs

pid	Process
2936	S3TurboTool.exe
2828	vcpkgsrv.exe
2824	vcpkgsrv.exe

Loads dropped DLL 14 IoCs

pid	Process
2028	S3TurboTool.exe
2028	S3TurboTool.exe
2028	S3TurboTool.exe
2828	vcpkgsrv.exe
2828	vcpkgsrv.exe
2828	vcpkgsrv.exe
2828	vcpkgsrv.exe
2828	vcpkgsrv.exe
2828	vcpkgsrv.exe
2824	vcpkgsrv.exe
2824	vcpkgsrv.exe
2824	vcpkgsrv.exe
2824	vcpkgsrv.exe
1748	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2824 set thread context of 1748	2824	vcpkgsrv.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcpkgsrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S3TurboTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S3TurboTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S3TurboTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcpkgsrv.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2028	S3TurboTool.exe
2028	S3TurboTool.exe
2828	vcpkgsrv.exe
2824	vcpkgsrv.exe
2824	vcpkgsrv.exe
1748	cmd.exe
1748	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2824	vcpkgsrv.exe
1748	cmd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2028	S3TurboTool.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2028	2496	S3TurboTool.exe	30
PID 2496 wrote to memory of 2028	2496	S3TurboTool.exe	30
PID 2496 wrote to memory of 2028	2496	S3TurboTool.exe	30
PID 2496 wrote to memory of 2028	2496	S3TurboTool.exe	30
PID 2496 wrote to memory of 2028	2496	S3TurboTool.exe	30
PID 2496 wrote to memory of 2028	2496	S3TurboTool.exe	30
PID 2496 wrote to memory of 2028	2496	S3TurboTool.exe	30
PID 2028 wrote to memory of 2936	2028	S3TurboTool.exe	31
PID 2028 wrote to memory of 2936	2028	S3TurboTool.exe	31
PID 2028 wrote to memory of 2936	2028	S3TurboTool.exe	31
PID 2028 wrote to memory of 2936	2028	S3TurboTool.exe	31
PID 2028 wrote to memory of 2828	2028	S3TurboTool.exe	32
PID 2028 wrote to memory of 2828	2028	S3TurboTool.exe	32
PID 2028 wrote to memory of 2828	2028	S3TurboTool.exe	32
PID 2028 wrote to memory of 2828	2028	S3TurboTool.exe	32
PID 2828 wrote to memory of 2824	2828	vcpkgsrv.exe	33
PID 2828 wrote to memory of 2824	2828	vcpkgsrv.exe	33
PID 2828 wrote to memory of 2824	2828	vcpkgsrv.exe	33
PID 2828 wrote to memory of 2824	2828	vcpkgsrv.exe	33
PID 2824 wrote to memory of 1748	2824	vcpkgsrv.exe	34
PID 2824 wrote to memory of 1748	2824	vcpkgsrv.exe	34
PID 2824 wrote to memory of 1748	2824	vcpkgsrv.exe	34
PID 2824 wrote to memory of 1748	2824	vcpkgsrv.exe	34
PID 2824 wrote to memory of 1748	2824	vcpkgsrv.exe	34
PID 1748 wrote to memory of 1740	1748	cmd.exe	36
PID 1748 wrote to memory of 1740	1748	cmd.exe	36
PID 1748 wrote to memory of 1740	1748	cmd.exe	36
PID 1748 wrote to memory of 1740	1748	cmd.exe	36
PID 1748 wrote to memory of 1740	1748	cmd.exe	36
PID 1748 wrote to memory of 1740	1748	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\S3TurboTool_v1.53\S3TurboTool.exe
"C:\Users\Admin\AppData\Local\Temp\S3TurboTool_v1.53\S3TurboTool.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Local\Temp\S3TurboTool_v1.53\S3TurboTool.exe
  "C:\Users\Admin\AppData\Local\Temp\S3TurboTool_v1.53\S3TurboTool.exe" /VERYSILENT
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Users\Admin\AppData\Roaming\S3TurboTool\S3TurboTool.exe
    "C:\Users\Admin\AppData\Roaming\S3TurboTool\S3TurboTool.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2936
- - C:\Users\Admin\AppData\Roaming\vcpkgsrv.exe
    "C:\Users\Admin\AppData\Roaming\vcpkgsrv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Users\Admin\AppData\Roaming\MVCheck\vcpkgsrv.exe
      C:\Users\Admin\AppData\Roaming\MVCheck\vcpkgsrv.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1748
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\26a8109f

Filesize
1.2MB

MD5
f099d1bbe05fbb5c8fb58a79fdc40030

SHA1
2e099b7060342933bfef088ff8a21621e4c0dea8

SHA256
163679a570f9089cb6a2a66e6921b0ccde4c4c7fd8304fdb6151ac8ac9705a68

SHA512
0b824b4eb0e68cf3b26f55e7be6e7ed6cb01ce28413e38eaa536eb27fab46f77cadcc1e7e051d55b95369518264169dae8622646433c8e0df4a6d7b55cb28d17

Download Submit
C:\Users\Admin\AppData\Roaming\MSVCP140.dll

Filesize
438KB

MD5
cdae969102e88f6704d853f9521eedd2

SHA1
3d9a57652a3634cb9b5a83c973c1c77b30c60bf4

SHA256
4ad3de3443d7658f74c978e7eb04730e3d812bc592fee47be4e6348d1fb4814e

SHA512
6714f7886ed21a97a3d70e8a55637f0d0e6d2c43ffd433e7f9c38c100ada99c6aaf136135b5fa6b77483987e34f4c57086c574309b798512cd668c54f845ec49

Download Submit
C:\Users\Admin\AppData\Roaming\S3TurboTool\S3TurboTool.exe

Filesize
350KB

MD5
461dd72d19a3857f170abab8837d3021

SHA1
3a7ab3e60f7fbc70bb582aa0f740b364ba730928

SHA256
eaeacd165cf83cb0659bc711d2d6031ae5d2b56843bc721a263f8b0f91993363

SHA512
65dcd2b6ac7d3b5bbce7b69dd4a085da4a62ec6a68b8f17a67d1663b584964fe279194333a90e4c52dae0dabc6f8f83ecb337d2f6a559259b1c94f315673affe

Download Submit
C:\Users\Admin\AppData\Roaming\airstrip.eps

Filesize
947KB

MD5
82684045b798a2b946c54d0f07182760

SHA1
350bca14af88bdb6ac9fe2a2cb4798bc03d9fa78

SHA256
1daa6e80920b7f3d9eb5375b064467330b6427fb1dc5256282c43733bf96a601

SHA512
fb7687cff30f34d4f22eef91d5543519e92c8b42e5743ee71d6ab43fc383c144a6e4f45b0863e65b3602019ba322a5b2bcdfa9ce13240e7ca208ab1021bbca32

Download Submit
C:\Users\Admin\AppData\Roaming\cassoulet.pkg

Filesize
55KB

MD5
ac65af3eb9bada3d75d7f2c9f86d8273

SHA1
f4b75c457b32bba5352dca361ef3c477ff0b5c23

SHA256
e68bce3f61193576d743fcd7f4cf6ce98ca57b0e3db3ca2bc46d41ccf0d5b9a9

SHA512
1bbd5ac6fdad7a3305598a37235b32cb8c85282fe2a746b1dd5b4e63f06d1a10ed31972ee614d888e22b431dc37a2d2043ed98d879300bc90d60ea7e9feb1094

Download Submit
C:\Users\Admin\AppData\Roaming\cpfe.dll

Filesize
4.9MB

MD5
eac01f58e7f60c7d40db53b061bc1346

SHA1
a2c2c49171dd862e2d9ac3a8b845dfa89dcce91e

SHA256
c93eb39b1042b83c46816c9558e865f14af96f972730626e81d7eb53b8045eb0

SHA512
242e9829aa779bfbd9fa46f928fc1dbbac3b991a951bac12e809159f2eecba229a7e231c72e6fa95462b033505301d8906110fc003577f239e0d5bd4637ba1ba

Download Submit
\Users\Admin\AppData\Roaming\concrt140.dll

Filesize
254KB

MD5
f36dae6ea00f102b60a5011af0732123

SHA1
06fabdbf1fa14b5a637716f9f7a28c95ea4a8661

SHA256
0a3894dd420ed6b4c7ebbde463dbbde69cdb032e290b1c86c21ccdaa4da95526

SHA512
c585e25ac9d733ca82d36d4cee0fa5f7d34a0455c359e010c501d1474c612bc73429093ba302ae14222d7e3a89d5b11777529b3005c7c0966aff06c92c7cce12

Download Submit
\Users\Admin\AppData\Roaming\vcpkgsrv.exe

Filesize
1.4MB

MD5
38901633c833cba7f682472ced0dbe4b

SHA1
0c11a1ac834d2b270ba60f3605109933ca11a7f0

SHA256
a5c5487194f761dac90e178c9c1753c0f47b041f3168b5c23a587f33f69e5089

SHA512
70d71197c68c9a92883c482aee76978e2a01e785be6fb3b6082369e25d991d3e03d8467e11d87493e54f5a3dc4bcd59fa588f0fabe5f6fdcf3361de95cb471c1

Download Submit
\Users\Admin\AppData\Roaming\vcruntime140.dll

Filesize
88KB

MD5
984c36e57e47581e267151aca04e9580

SHA1
aa54e9133ba3ed675f9b5255a515780438163ae1

SHA256
e0850ad7c2431f822359e129c85b708373759a1aaadb70b3740642ea44345a04

SHA512
9c8ce4e86173066ab8584a08aa1449f36808f0abd6de01a86f83914a44a8b07b31266c1f38ec0cd46faabf819ac6e1c74e29d5b8b2163ac5d9e1797df8282fdf

Download Submit
memory/1740-134-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1740-135-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1740-141-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1740-140-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1740-139-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1740-138-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1740-137-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1740-136-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1740-133-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1740-132-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1740-129-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1740-128-0x00000000775E0000-0x0000000077789000-memory.dmp

Filesize
1.7MB

Download
memory/1748-126-0x0000000070DB0000-0x0000000070F24000-memory.dmp

Filesize
1.5MB

Download
memory/1748-79-0x00000000775E0000-0x0000000077789000-memory.dmp

Filesize
1.7MB

Download
memory/2028-41-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2496-3-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2496-0-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2824-76-0x0000000070DB0000-0x0000000070F24000-memory.dmp

Filesize
1.5MB

Download
memory/2824-75-0x00000000775E0000-0x0000000077789000-memory.dmp

Filesize
1.7MB

Download
memory/2824-74-0x0000000070DB0000-0x0000000070F24000-memory.dmp

Filesize
1.5MB

Download
memory/2828-48-0x00000000775E0000-0x0000000077789000-memory.dmp

Filesize
1.7MB

Download
memory/2828-47-0x0000000074A00000-0x0000000074B74000-memory.dmp

Filesize
1.5MB

Download
memory/2936-46-0x0000000000D60000-0x0000000000DBC000-memory.dmp

Filesize
368KB

Download