remcos | dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe
Size

1.6MB
MD5

25875e91131d7ed644c4b2587a78dd34
SHA1

672af46cf6363d259a2bb53efc127ad2e96bab5c
SHA256

dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651
SHA512

24930e7137707821698095609ce5c8e74e8fe86af8d407a8f80233946065359deb407502ad3fbdf07f9382826da98356046440042d711b8f13aff0f1b67d9e70
SSDEEP

24576:eD39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPjYahP:ep7E+QrFUBgq2B

Score

10^/10

remcos host persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

213.183.58.19:4000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
read.dat
keylog_flag
false
keylog_folder
CastC
keylog_path
%AppData%
mouse_option
false
mutex
remcos_sccafsoidz
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe

Executes dropped EXE 2 IoCs

Processes:

sbietrcl.exesbietrcl.exe

pid process

3760 sbietrcl.exe
2660 sbietrcl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3760	sbietrcl.exe
2660	sbietrcl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\sbietrcl.exe"	dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

sbietrcl.exe

description pid process target process

PID 3760 set thread context of 2660 3760 sbietrcl.exe sbietrcl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 3760 set thread context of 2660	3760	sbietrcl.exe	sbietrcl.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exesbietrcl.exe

pid	process
2324	dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe
2324	dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe
2324	dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe
2324	dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe
2324	dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe
2324	dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe
3760	sbietrcl.exe
3760	sbietrcl.exe
3760	sbietrcl.exe
3760	sbietrcl.exe
3760	sbietrcl.exe
3760	sbietrcl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exesbietrcl.exe

description pid process

Token: SeDebugPrivilege 2324 dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe
Token: SeDebugPrivilege 3760 sbietrcl.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

sbietrcl.exe

pid process

2660 sbietrcl.exe

description	pid	process
Token: SeDebugPrivilege	2324	dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe
Token: SeDebugPrivilege	3760	sbietrcl.exe

pid	process
2660	sbietrcl.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exesbietrcl.exe

description	pid	process	target process
PID 2324 wrote to memory of 3760	2324	dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe	sbietrcl.exe
PID 2324 wrote to memory of 3760	2324	dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe	sbietrcl.exe
PID 2324 wrote to memory of 3760	2324	dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe	sbietrcl.exe
PID 3760 wrote to memory of 2660	3760	sbietrcl.exe	sbietrcl.exe
PID 3760 wrote to memory of 2660	3760	sbietrcl.exe	sbietrcl.exe
PID 3760 wrote to memory of 2660	3760	sbietrcl.exe	sbietrcl.exe
PID 3760 wrote to memory of 2660	3760	sbietrcl.exe	sbietrcl.exe
PID 3760 wrote to memory of 2660	3760	sbietrcl.exe	sbietrcl.exe
PID 3760 wrote to memory of 2660	3760	sbietrcl.exe	sbietrcl.exe
PID 3760 wrote to memory of 2660	3760	sbietrcl.exe	sbietrcl.exe
PID 3760 wrote to memory of 2660	3760	sbietrcl.exe	sbietrcl.exe
PID 3760 wrote to memory of 2660	3760	sbietrcl.exe	sbietrcl.exe

C:\Users\Admin\AppData\Local\Temp\dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe
"C:\Users\Admin\AppData\Local\Temp\dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3760

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2660

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
Filesize
1.7MB

MD5
425583c876ad85255f79f4d992dfcf91

SHA1
e5add17f44a00ffd2000f891db66b00ddcee4d71

SHA256
016b773cf207699be440381b7a3a3c3c241a73319d7cfa0eae765c3b6d86062d

SHA512
849cb971b2d61c71dea76a7397f6c8b750559b822b18be55914f8e9e967b7a201601d34af6652d7346c10426240b7cf88655f0dd9d86d37cd98da94d2969c6e5

Download Submit
memory/2324-31-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download
memory/2324-16-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download
memory/2324-4-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download
memory/2324-2-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download
memory/2324-3-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download
memory/2324-17-0x0000000075022000-0x0000000075023000-memory.dmp

Filesize
4KB

Download
memory/2324-18-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download
memory/2324-1-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download
memory/2324-0-0x0000000075022000-0x0000000075023000-memory.dmp

Filesize
4KB

Download
memory/2660-34-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2660-37-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2660-38-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2660-41-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2660-43-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2660-44-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2660-48-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3760-29-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download
memory/3760-32-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download
memory/3760-33-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download
memory/3760-30-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download
memory/3760-45-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download