remcos | 8f03b29aa7892aeee0569b5b0104f290ecb33749bbf11eb406f8dbb069f21779

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2025 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DHL‮fdp.exe
Size

931KB
MD5

e0934033ebb050e467f7f7299e2d35f1
SHA1

fe51310df5ddb6552cfb6f100f2b34ab00d421ee
SHA256

8f03b29aa7892aeee0569b5b0104f290ecb33749bbf11eb406f8dbb069f21779
SHA512

6207b3e5be099bfe20b385d40a92e4da1beb0d505193ca2731a86c04699a916b50b8a8bcd7a7fdae7683683c2ae4b009c690ca339824e37d7a26ee8bb30646a7
SSDEEP

12288:AU+LeUFrzvvTrXM2Wh1GpE7OKlr+uPtiZoEPrltbMlUyv1dtK1rx0YfXc4d:ArFrnrXPWh1G6H+u1JmJ9CxNf6xW

Score

10^/10

remcos remotehost collection discovery rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

172.245.123.12:8690

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WWFOQR
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 5 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4288-55-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/4744-54-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4288-53-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/3360-50-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/4288-60-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/3360-50-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4288-55-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/4288-53-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/4288-60-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Downloads MZ/PE file 1 IoCs

flow	pid	Process
41	2160	Process not Found

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	AddInProcess32.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3280 set thread context of 3012	3280	DHL‮fdp.exe	94
PID 3012 set thread context of 4288	3012	AddInProcess32.exe	97
PID 3012 set thread context of 3360	3012	AddInProcess32.exe	99
PID 3012 set thread context of 4744	3012	AddInProcess32.exe	100

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DHL‮fdp.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4940	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3280	DHL‮fdp.exe
3280	DHL‮fdp.exe
4288	AddInProcess32.exe
4288	AddInProcess32.exe
4744	AddInProcess32.exe
4744	AddInProcess32.exe
4288	AddInProcess32.exe
4288	AddInProcess32.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
3012	AddInProcess32.exe
3012	AddInProcess32.exe
3012	AddInProcess32.exe
3012	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3280	DHL‮fdp.exe
Token: SeDebugPrivilege	4744	AddInProcess32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3012	AddInProcess32.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3280 wrote to memory of 3012	3280	DHL‮fdp.exe	94
PID 3280 wrote to memory of 3012	3280	DHL‮fdp.exe	94
PID 3280 wrote to memory of 3012	3280	DHL‮fdp.exe	94
PID 3280 wrote to memory of 3012	3280	DHL‮fdp.exe	94
PID 3280 wrote to memory of 3012	3280	DHL‮fdp.exe	94
PID 3280 wrote to memory of 3012	3280	DHL‮fdp.exe	94
PID 3280 wrote to memory of 3012	3280	DHL‮fdp.exe	94
PID 3280 wrote to memory of 3012	3280	DHL‮fdp.exe	94
PID 3280 wrote to memory of 3012	3280	DHL‮fdp.exe	94
PID 3280 wrote to memory of 3012	3280	DHL‮fdp.exe	94
PID 3012 wrote to memory of 4288	3012	AddInProcess32.exe	97
PID 3012 wrote to memory of 4288	3012	AddInProcess32.exe	97
PID 3012 wrote to memory of 4288	3012	AddInProcess32.exe	97
PID 3012 wrote to memory of 4288	3012	AddInProcess32.exe	97
PID 3012 wrote to memory of 4940	3012	AddInProcess32.exe	98
PID 3012 wrote to memory of 4940	3012	AddInProcess32.exe	98
PID 3012 wrote to memory of 4940	3012	AddInProcess32.exe	98
PID 3012 wrote to memory of 3360	3012	AddInProcess32.exe	99
PID 3012 wrote to memory of 3360	3012	AddInProcess32.exe	99
PID 3012 wrote to memory of 3360	3012	AddInProcess32.exe	99
PID 3012 wrote to memory of 3360	3012	AddInProcess32.exe	99
PID 3012 wrote to memory of 4744	3012	AddInProcess32.exe	100
PID 3012 wrote to memory of 4744	3012	AddInProcess32.exe	100
PID 3012 wrote to memory of 4744	3012	AddInProcess32.exe	100
PID 3012 wrote to memory of 4744	3012	AddInProcess32.exe	100

C:\Users\Admin\AppData\Local\Temp\DHL‮fdp.exe
"C:\Users\Admin\AppData\Local\Temp\DHL‮fdp.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\ugmgkviurezxdhcgvjzvrjnblu"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4288
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\faszlnsvfmrkfnqkfulxcwzktbhlc"
    3⤵
    PID:4940
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\faszlnsvfmrkfnqkfulxcwzktbhlc"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:3360
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\pcxkmydpbujppbmooegqfbubchrmdgvr"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4744

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Nzk3RTE1N0UtMzdGQy00MThCLUE3NzMtOTJERTA2NTNDOUFEfSIgdXNlcmlkPSJ7MjZDRTQ5RkEtRUMyNC00MjBCLTlCQkUtOTU0RDQ3QzBBQjA5fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NEQ0QkEzOEUtN0VFNS00OTZDLUFEQTItMEE0NEVBQkY3ODEyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODQ1OTY5NzQ4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
ce4b46bc1c03081663bcbeaa88b7526d

SHA1
5a1f1b24de656e9a98c882adb18049d5cccdbcb2

SHA256
e73b5648bbdbd80068013ba33ce8a7229b5542521cbc9c175c2030d32a6ee468

SHA512
cbbe92613ba549734df224db78762a1f981297430351b84d480b3f814dcda369198df9d5fa08b7704b67800cf58a11dc59d9cac917e35c171e80cd6c6cb41450

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugmgkviurezxdhcgvjzvrjnblu

Filesize
4KB

MD5
13eb38be9229e65eb080ec966bb8b3b0

SHA1
0d29e440d40e4b30ffe491ba14d017e8bef09cfd

SHA256
a32b229418a938705d58e12755aeb4705a737267b46d9cac93abf1a4bb4edbee

SHA512
f45201344058881197840e1faf84c8b4dd099922afea2a3a2ee04eadf4af1c6e2a8d0d135af9d30c90015ddb6d3bf4a06212f87ad85d4f4c3735b2e4c79c62fa

Download Submit
memory/3012-34-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3012-31-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3012-62-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3012-65-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3012-43-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3012-42-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3012-67-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3012-35-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3012-18-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3012-66-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3012-28-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3012-27-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3012-26-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3012-16-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3012-19-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3012-22-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3012-25-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3012-23-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3280-12-0x0000000074360000-0x0000000074B10000-memory.dmp

Filesize
7.7MB

Download
memory/3280-10-0x0000000008770000-0x0000000008A32000-memory.dmp

Filesize
2.8MB

Download
memory/3280-15-0x0000000006B10000-0x0000000006B16000-memory.dmp

Filesize
24KB

Download
memory/3280-14-0x00000000031E0000-0x00000000031FA000-memory.dmp

Filesize
104KB

Download
memory/3280-13-0x0000000074360000-0x0000000074B10000-memory.dmp

Filesize
7.7MB

Download
memory/3280-0-0x000000007436E000-0x000000007436F000-memory.dmp

Filesize
4KB

Download
memory/3280-11-0x0000000003220000-0x0000000003226000-memory.dmp

Filesize
24KB

Download
memory/3280-24-0x0000000074360000-0x0000000074B10000-memory.dmp

Filesize
7.7MB

Download
memory/3280-8-0x0000000074360000-0x0000000074B10000-memory.dmp

Filesize
7.7MB

Download
memory/3280-7-0x000000007436E000-0x000000007436F000-memory.dmp

Filesize
4KB

Download
memory/3280-6-0x0000000005870000-0x000000000587A000-memory.dmp

Filesize
40KB

Download
memory/3280-1-0x0000000000EE0000-0x0000000000FCE000-memory.dmp

Filesize
952KB

Download
memory/3280-2-0x0000000005E70000-0x0000000006414000-memory.dmp

Filesize
5.6MB

Download
memory/3280-3-0x00000000058C0000-0x0000000005952000-memory.dmp

Filesize
584KB

Download
memory/3280-4-0x0000000005960000-0x00000000059FC000-memory.dmp

Filesize
624KB

Download
memory/3280-5-0x0000000074360000-0x0000000074B10000-memory.dmp

Filesize
7.7MB

Download
memory/3360-47-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3360-50-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3360-48-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4288-49-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4288-45-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4288-60-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4288-53-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4288-55-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4744-51-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4744-52-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4744-54-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download