Overview

overview

10

Static

static

10

bca3772529...45.exe

windows7-x64

10

bca3772529...45.exe

windows10-2004-x64

10

bccb34575f...72.exe

windows7-x64

10

bccb34575f...72.exe

windows10-2004-x64

10

bcf1af9a5a...be.exe

windows7-x64

10

bcf1af9a5a...be.exe

windows10-2004-x64

8

bcf783e363...97.exe

windows7-x64

3

bcf783e363...97.exe

windows10-2004-x64

3

bd515574dc...8c.exe

windows7-x64

1

bd515574dc...8c.exe

windows10-2004-x64

1

bd68ca7605...39.exe

windows7-x64

10

bd68ca7605...39.exe

windows10-2004-x64

10

bd707a0357...e3.exe

windows7-x64

9

bd707a0357...e3.exe

windows10-2004-x64

9

bd7edfedeb...0b.exe

windows7-x64

10

bd7edfedeb...0b.exe

windows10-2004-x64

10

bdad1ff46d...f2.exe

windows7-x64

10

bdad1ff46d...f2.exe

windows10-2004-x64

10

bdae9ff159...df.exe

windows7-x64

10

bdae9ff159...df.exe

windows10-2004-x64

10

be01d2552c...1c.exe

windows7-x64

10

be01d2552c...1c.exe

windows10-2004-x64

10

be077774c9...87.exe

windows7-x64

10

be077774c9...87.exe

windows10-2004-x64

10

be0a8aeb7e...56.exe

windows7-x64

3

be0a8aeb7e...56.exe

windows10-2004-x64

3

be1643898c...f5.exe

windows7-x64

7

be1643898c...f5.exe

windows10-2004-x64

10

be183db6d4...94.exe

windows7-x64

10

be183db6d4...94.exe

windows10-2004-x64

10

be2375e810...94.exe

windows7-x64

10

be2375e810...94.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 06:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bd68ca7605316450c87b9218d2dbe19d8c5694e07b93f320f3ca4a9ad902c139.exe

  • Size

    1.7MB

  • MD5

    dffcd11d476c58ec3faa380cc679d6cd

  • SHA1

    809b2bdeb0485b409f0fef3cab124eec8331cc95

  • SHA256

    bd68ca7605316450c87b9218d2dbe19d8c5694e07b93f320f3ca4a9ad902c139

  • SHA512

    cf9219060cc1df30f0945fe77964855996d15a93efea373cbee03506335bad7bc02a0f12d82c630d0ec701089a6883bc0f63f9e396c7f53a27cfb5356a050bfd

  • SSDEEP

    24576:0D39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPjoIK:0p7E+QrFUBgq2dK

Score
10/10
remcoshostdiscoverypersistenceratspywarestealer

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

213.183.58.19:4000

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    read.dat

  • keylog_flag

    false

  • keylog_folder

    CastC

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_sccafsoidz

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd68ca7605316450c87b9218d2dbe19d8c5694e07b93f320f3ca4a9ad902c139.exe
    "C:\Users\Admin\AppData\Local\Temp\bd68ca7605316450c87b9218d2dbe19d8c5694e07b93f320f3ca4a9ad902c139.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2976
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2664

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    1494cbd7fb63b13be8187768a896a64c

    SHA1

    5d7996678cfbaae573a60b98e7acf44eb1149e4c

    SHA256

    820d984578f4ff37aad29e9f1ddcb71e657333cc129e2ba21c586ba7ce5b0c87

    SHA512

    d69b7b668e049d0384188e8a8c5ba115255af40ee5ccdddb3ede3c32b4ed16e7a3b0c4b0692ff9ef12632f2da3da9c8cfadd983ce7da2d088524c2f97f0a0826

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab2E60.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
    Filesize

    1.7MB

    MD5

    3a62314d191188f661faba8a5c13054c

    SHA1

    512969817686043ae7a7027ac06df6bf3a5e83fc

    SHA256

    38308b1cd8813d353d06ed631fa585c8a88d33cafbf63523ad522fce1be5bae5

    SHA512

    f5bd2c133f367145084ba75387804c3f18f4c5b488e88112d4eebb3ab8dbf7ff2c8b9cac6cc15eee15459aa0c615c98a129db6086c6e361fb8b41f314a4b4bea

    Download Submit

  • memory/2268-11-0x0000000074200000-0x00000000747AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2268-13-0x0000000074200000-0x00000000747AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2268-12-0x0000000074200000-0x00000000747AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2268-0-0x0000000074201000-0x0000000074202000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2268-8-0x0000000074200000-0x00000000747AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2268-31-0x0000000074200000-0x00000000747AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2664-46-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2664-69-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2664-50-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2664-44-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2664-56-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2664-54-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2664-52-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2664-65-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2664-48-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2664-64-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2664-61-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2664-60-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2664-59-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2976-32-0x0000000074200000-0x00000000747AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2976-66-0x0000000074200000-0x00000000747AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2976-43-0x0000000074200000-0x00000000747AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2976-42-0x0000000074200000-0x00000000747AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2976-33-0x0000000074200000-0x00000000747AB000-memory.dmp

    Filesize

    5.7MB

    Download