Analysis
-
max time kernel
19s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system -
submitted
03/04/2025, 13:21
Static task
static1
Behavioral task
behavioral1
Sample
f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral2
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20250313-en
General
-
Target
f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
-
Size
878KB
-
MD5
b88ac267dbfca8a81de4439036d12c24
-
SHA1
c48876d33ad00024eeabbfa39cdc681317e24e76
-
SHA256
f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8
-
SHA512
a727b4ff87d55bb8800e8a6566c6c6f9e9fb87eb97d447a484a6396a58ec8defa7d1a5cb1a25f8406f5dbecc44a38a47af13bc3562bf742ffd45b3cf21cfbf7e
-
SSDEEP
12288:JUjfmwszThqQM5rAUgsupiaz15kDdtZQFxj08SiXIql8Wm4y6JgN/i6x:JUjfmNzTMrIpjkDTZQX04F8bZN6A
Malware Config
Extracted
remcos
RemoteHost
196.251.69.85:2404
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-K5GQZM
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Guloader family
-
Guloader,Cloudeye
A shellcode-based downloader first seen in 2020.
-
Remcos family
-
Detected Nirsoft tools 4 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource | yara_rule
behavioral1/memory/5496-30857-0x0000000000400000-0x000000000047D000-memory.dmp | Nirsoft
behavioral1/memory/5632-31149-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral1/memory/6528-30919-0x0000000000400000-0x0000000000462000-memory.dmp | Nirsoft
behavioral1/memory/5496-30802-0x0000000000400000-0x000000000047D000-memory.dmp | Nirsoft
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
resource | yara_rule
behavioral1/memory/6528-30919-0x0000000000400000-0x0000000000462000-memory.dmp | MailPassView
-
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
resource | yara_rule
behavioral1/memory/5496-30857-0x0000000000400000-0x000000000047D000-memory.dmp | WebBrowserPassView
behavioral1/memory/5496-30802-0x0000000000400000-0x000000000047D000-memory.dmp | WebBrowserPassView
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
-
Executes dropped EXE 3 IoCs
pid | Process
3112 | remcos.exe
2652 | remcos.exe
1408 | remcos.exe
-
Loads dropped DLL 4 IoCs
pid | Process
4244 | f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
4244 | f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
3112 | remcos.exe
3112 | remcos.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-K5GQZM = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-K5GQZM = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow | ioc
23 | drive.google.com
24 | drive.google.com
39 | drive.google.com
62 | drive.google.com
-
Drops file in System32 directory 10 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\quadrigae.jpg | remcos.exe
File opened for modification | C:\Windows\SysWOW64\Disarticulating.ini | remcos.exe
File opened for modification | C:\Windows\SysWOW64\quadrigae.jpg | remcos.exe
File opened for modification | C:\Windows\SysWOW64\quadrigae.jpg | remcos.exe
File opened for modification | C:\Windows\SysWOW64\suppressionens.bin | f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
File opened for modification | C:\Windows\SysWOW64\quadrigae.jpg | f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
File opened for modification | C:\Windows\SysWOW64\Disarticulating.ini | f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
File opened for modification | C:\Windows\SysWOW64\suppressionens.bin | remcos.exe
File opened for modification | C:\Windows\SysWOW64\suppressionens.bin | remcos.exe
File opened for modification | C:\Windows\SysWOW64\suppressionens.bin | remcos.exe
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid | Process
2632 | f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
4244 | f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
2632 | f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
-
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\dyppekogerens.ini | f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
File opened for modification | C:\Program Files (x86)\dyppekogerens.ini | remcos.exe
File opened for modification | C:\Program Files (x86)\dyppekogerens.ini | remcos.exe
File opened for modification | C:\Program Files (x86)\dyppekogerens.ini | remcos.exe
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\resources\mechanicochemical.jpg | remcos.exe
File opened for modification | C:\Windows\resources\mechanicochemical.jpg | f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | remcos.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | remcos.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | remcos.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
4244 | f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
description | pid | Process | procid_target
PID 4244 wrote to memory of 2632 | 4244 | f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe | 93
PID 4244 wrote to memory of 2632 | 4244 | f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe | 93
PID 4244 wrote to memory of 2632 | 4244 | f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe | 93
PID 4244 wrote to memory of 2632 | 4244 | f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe | 93
PID 2632 wrote to memory of 3112 | 2632 | f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe | 101
PID 2632 wrote to memory of 3112 | 2632 | f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe | 101
PID 2632 wrote to memory of 3112 | 2632 | f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe | 101
PID 2668 wrote to memory of 2652 | 2668 | cmd.exe | 102
PID 2668 wrote to memory of 2652 | 2668 | cmd.exe | 102
PID 2668 wrote to memory of 2652 | 2668 | cmd.exe | 102
PID 3596 wrote to memory of 1408 | 3596 | cmd.exe | 103
PID 3596 wrote to memory of 1408 | 3596 | cmd.exe | 103
PID 3596 wrote to memory of 1408 | 3596 | cmd.exe | 103
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe (PID 4244)
    Command line: "C:\Users\Admin\AppData\Local\Temp\f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe"
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe (PID 2632)
      Command line: "C:\Users\Admin\AppData\Local\Temp\f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe"
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\ProgramData\Remcos\remcos.exe (PID 3112)
        Command line: "C:\ProgramData\Remcos\remcos.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
      [4] C:\ProgramData\Remcos\remcos.exe (PID 3324)
          Command line: "C:\ProgramData\Remcos\remcos.exe"
        [5] C:\Windows\SysWOW64\recover.exe (PID 5344)
            Command line: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\ujrawilrscqly"
        [5] C:\Windows\SysWOW64\recover.exe (PID 5200)
            Command line: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\ujrawilrscqly"
        [5] C:\Windows\SysWOW64\recover.exe (PID 5496)
            Command line: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\ujrawilrscqly"
        [5] C:\Windows\SysWOW64\recover.exe (PID 6528)
            Command line: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\edwtptvlgkiqjhhc"
        [5] C:\Windows\SysWOW64\recover.exe (PID 6880)
            Command line: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\hfbeqlgnusadlovgvhve"
        [5] C:\Windows\SysWOW64\recover.exe (PID 5632)
            Command line: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\hfbeqlgnusadlovgvhve"
-
[1] C:\Windows\system32\cmd.exe (PID 3596)
    Command line: C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\ProgramData\Remcos\remcos.exe (PID 1408)
      Command line: C:\ProgramData\Remcos\remcos.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
-
[1] C:\Windows\system32\cmd.exe (PID 2668)
    Command line: C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\ProgramData\Remcos\remcos.exe (PID 2652)
      Command line: C:\ProgramData\Remcos\remcos.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
-
[1] C:\Windows\system32\cmd.exe (PID 4736)
    Command line: C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
  [2] C:\ProgramData\Remcos\remcos.exe (PID 1664)
      Command line: C:\ProgramData\Remcos\remcos.exe
    [3] C:\ProgramData\Remcos\remcos.exe (PID 8596)
        Command line: C:\ProgramData\Remcos\remcos.exe
-
[1] C:\Windows\system32\cmd.exe (PID 3652)
    Command line: C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
  [2] C:\ProgramData\Remcos\remcos.exe (PID 7100)
      Command line: C:\ProgramData\Remcos\remcos.exe
-
Network
MITRE ATT&CK Enterprise v15
Downloads