remcos | c362c9041673c2475a3aecfa463941fde1935d452a5489a6f2a6a997053c92cf

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JY-PCB-240109A-3.exe
Size

21KB
MD5

e05b80c579472d630f481820526c75f5
SHA1

7dca7c4bda5302e67ec87073b040ede2be781a6a
SHA256

2e410769ac9f0e71df08fda7115ccc473815a0f200a19059972d2c7b6190af4f
SHA512

c2b2e567713e3c712a6611a1255270e6695b26e136c80428860fe86a46e9eab5e589085c7bcc5213e0218a67e99949efaf5109fed2975668e8ecf87d11612feb
SSDEEP

384:ilFLVGZkhqIg8hR2GZsHEuymVr3JmJZzyF/O7v6qEfTivVqsSqncKxXFY:iTiYxBu93JmvyqEfuNqUcKxXFY

Score

10^/10

remcos remotehost agilenet collection persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

45.133.116.123:63650

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-3BFGTU
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients

Processes:

resource yara_rule

behavioral2/memory/2084-36-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView

resource	yara_rule
behavioral2/memory/2084-36-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/2844-40-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/2844-35-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/2844-45-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5728-39-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2844-40-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/2084-36-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2844-35-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/2844-45-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
agilenet

Processes:

resource yara_rule

behavioral2/memory/3104-7-0x00000000063C0000-0x0000000006442000-memory.dmp agile_net
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
collection

Email Collection
T1114

Processes:

JY-PCB-240109A-3.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts JY-PCB-240109A-3.exe

resource	yara_rule
behavioral2/memory/3104-7-0x00000000063C0000-0x0000000006442000-memory.dmp	agile_net

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	JY-PCB-240109A-3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JY-PCB-240109A-3 = "C:\\Users\\Admin\\Documents\\JY-PCB-240109A-3.pif"	reg.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

JY-PCB-240109A-3.exeJY-PCB-240109A-3.exe

description	pid	process	target process
PID 3104 set thread context of 2772	3104	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 2772 set thread context of 2844	2772	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 2772 set thread context of 2084	2772	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 2772 set thread context of 5728	2772	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

JY-PCB-240109A-3.exeJY-PCB-240109A-3.exeJY-PCB-240109A-3.exe

pid	process
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
3104	JY-PCB-240109A-3.exe
2844	JY-PCB-240109A-3.exe
2844	JY-PCB-240109A-3.exe
5728	JY-PCB-240109A-3.exe
5728	JY-PCB-240109A-3.exe
2844	JY-PCB-240109A-3.exe
2844	JY-PCB-240109A-3.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

JY-PCB-240109A-3.exe

pid process

2772 JY-PCB-240109A-3.exe
2772 JY-PCB-240109A-3.exe
2772 JY-PCB-240109A-3.exe
2772 JY-PCB-240109A-3.exe
2772 JY-PCB-240109A-3.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

JY-PCB-240109A-3.exeJY-PCB-240109A-3.exe

description pid process

Token: SeDebugPrivilege 3104 JY-PCB-240109A-3.exe
Token: SeDebugPrivilege 5728 JY-PCB-240109A-3.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

JY-PCB-240109A-3.exe

pid process

2772 JY-PCB-240109A-3.exe

pid	process
2772	JY-PCB-240109A-3.exe
2772	JY-PCB-240109A-3.exe
2772	JY-PCB-240109A-3.exe
2772	JY-PCB-240109A-3.exe
2772	JY-PCB-240109A-3.exe

description	pid	process
Token: SeDebugPrivilege	3104	JY-PCB-240109A-3.exe
Token: SeDebugPrivilege	5728	JY-PCB-240109A-3.exe

pid	process
2772	JY-PCB-240109A-3.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

JY-PCB-240109A-3.execmd.exeJY-PCB-240109A-3.exe

description	pid	process	target process
PID 3104 wrote to memory of 4056	3104	JY-PCB-240109A-3.exe	cmd.exe
PID 3104 wrote to memory of 4056	3104	JY-PCB-240109A-3.exe	cmd.exe
PID 3104 wrote to memory of 4056	3104	JY-PCB-240109A-3.exe	cmd.exe
PID 4056 wrote to memory of 3100	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 3100	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 3100	4056	cmd.exe	reg.exe
PID 3104 wrote to memory of 1756	3104	JY-PCB-240109A-3.exe	cmd.exe
PID 3104 wrote to memory of 1756	3104	JY-PCB-240109A-3.exe	cmd.exe
PID 3104 wrote to memory of 1756	3104	JY-PCB-240109A-3.exe	cmd.exe
PID 3104 wrote to memory of 2772	3104	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 3104 wrote to memory of 2772	3104	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 3104 wrote to memory of 2772	3104	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 3104 wrote to memory of 2772	3104	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 3104 wrote to memory of 2772	3104	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 3104 wrote to memory of 2772	3104	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 3104 wrote to memory of 2772	3104	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 3104 wrote to memory of 2772	3104	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 3104 wrote to memory of 2772	3104	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 3104 wrote to memory of 2772	3104	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 3104 wrote to memory of 2772	3104	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 3104 wrote to memory of 2772	3104	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 2772 wrote to memory of 5444	2772	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 2772 wrote to memory of 5444	2772	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 2772 wrote to memory of 5444	2772	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 2772 wrote to memory of 2844	2772	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 2772 wrote to memory of 2844	2772	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 2772 wrote to memory of 2844	2772	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 2772 wrote to memory of 2844	2772	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 2772 wrote to memory of 5528	2772	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 2772 wrote to memory of 5528	2772	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 2772 wrote to memory of 5528	2772	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 2772 wrote to memory of 2084	2772	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 2772 wrote to memory of 2084	2772	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 2772 wrote to memory of 2084	2772	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 2772 wrote to memory of 2084	2772	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 2772 wrote to memory of 5728	2772	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 2772 wrote to memory of 5728	2772	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 2772 wrote to memory of 5728	2772	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe
PID 2772 wrote to memory of 5728	2772	JY-PCB-240109A-3.exe	JY-PCB-240109A-3.exe

C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe
"C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "JY-PCB-240109A-3" /t REG_SZ /F /D "C:\Users\Admin\Documents\JY-PCB-240109A-3.pif"
2⤵
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "JY-PCB-240109A-3" /t REG_SZ /F /D "C:\Users\Admin\Documents\JY-PCB-240109A-3.pif"
3⤵
- Adds Run key to start application
PID:3100

C:\Windows\SysWOW64\cmd.exe
cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe" "C:\Users\Admin\Documents\JY-PCB-240109A-3.pif"
2⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe
"C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe
C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe /stext "C:\Users\Admin\AppData\Local\Temp\azpgmsqeedopdrbxxnpwsqgbmbsvbf"
3⤵
PID:5444

C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe
C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe /stext "C:\Users\Admin\AppData\Local\Temp\azpgmsqeedopdrbxxnpwsqgbmbsvbf"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2844

C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe
C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe /stext "C:\Users\Admin\AppData\Local\Temp\ltuynkbfalgcgxybgyjydvssuqkdcqzvk"
3⤵
PID:5528

C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe
C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe /stext "C:\Users\Admin\AppData\Local\Temp\ltuynkbfalgcgxybgyjydvssuqkdcqzvk"
3⤵
- Accesses Microsoft Outlook accounts
PID:2084

C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe
C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe /stext "C:\Users\Admin\AppData\Local\Temp\vvajo"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5728

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
2cfb3fc4fa5e0bf23f8dec19d3a3fe38

SHA1
28dded559ed4955ba74d590eab14568df53c0a74

SHA256
6c67ca29421a82bd235ee9cbe7999a34f05e48181fa1a992f891773c6a5d5a9b

SHA512
3cb3d3e7ddb30f267628b44986c9b38ff63374c0ae20142fd1344c62bb99421dc68a8b7ddf1f080550549b825599afb4b15983d204329fbd295abdf981e64827

Download Submit
C:\Users\Admin\AppData\Local\Temp\azpgmsqeedopdrbxxnpwsqgbmbsvbf
Filesize
4KB

MD5
042bbbff30c31fcbdd7f9b0ed3935ca5

SHA1
c333db2dceaf9a524147155c79756bc32eda6b03

SHA256
626ae16f54b4ca656b0267dade381d30bf042a06ba69b8851e33ab14da2bd9fe

SHA512
7f3a8eee89225ced48f8bc69d168713377e0316df3e46b544d9f7bc2c84305020eca3094c8246c8c934e22bd7643ae11f4a1560c3fe7aa717604869bcffa48fe

Download Submit
memory/2084-34-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2084-32-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2084-36-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2772-51-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2772-88-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-89-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-81-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-80-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-73-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-13-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-50-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2772-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2772-47-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2844-40-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2844-30-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2844-45-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2844-33-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2844-35-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3104-2-0x00000000053D0000-0x0000000005974000-memory.dmp

Filesize
5.6MB

Download
memory/3104-10-0x0000000006730000-0x0000000006796000-memory.dmp

Filesize
408KB

Download
memory/3104-4-0x0000000004FE0000-0x0000000005056000-memory.dmp

Filesize
472KB

Download
memory/3104-0-0x000000007495E000-0x000000007495F000-memory.dmp

Filesize
4KB

Download
memory/3104-3-0x0000000004EC0000-0x0000000004F52000-memory.dmp

Filesize
584KB

Download
memory/3104-5-0x0000000004EA0000-0x0000000004EAA000-memory.dmp

Filesize
40KB

Download
memory/3104-1-0x00000000004A0000-0x00000000004AA000-memory.dmp

Filesize
40KB

Download
memory/3104-7-0x00000000063C0000-0x0000000006442000-memory.dmp

Filesize
520KB

Download
memory/3104-8-0x0000000005150000-0x000000000516E000-memory.dmp

Filesize
120KB

Download
memory/3104-22-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/3104-6-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/3104-9-0x0000000006620000-0x00000000066BC000-memory.dmp

Filesize
624KB

Download
memory/5728-38-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5728-37-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5728-39-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download