remcos | d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68.exe
Size

748KB
MD5

1a047b9b776d41ec61cc91286c27be07
SHA1

42f4eb3e00d258e61cf98a125d025692ac68c88a
SHA256

d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68
SHA512

58f8c02e634ca82fc95472d29e49931c15edaad03a0a81d672b72e817037a5b3419e25a0f97bef7c7f5c7d681a67e2416f3b7744656bc8ab62ce474d36d96b46
SSDEEP

12288:93VEnc1eUjaXZzl3azhfy4hamcUWQn3MN0KyBHyeFGjEvJ1EodxB4LP:93V3eUjaXZp3az1yUaZUXc6fBS2GjEvC

Score

10^/10

remcos thurssday execution rat

Malware Config

Extracted

Family

remcos

Botnet

thurssday

191.101.130.177:6903

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-HCF7F5
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 drive.google.com
5 drive.google.com
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

1692 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Powershell.exewab.exe

pid process

280 Powershell.exe
1692 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Powershell.exe

description pid process target process

PID 280 set thread context of 1692 280 Powershell.exe wab.exe

flow	ioc
3	drive.google.com
5	drive.google.com

pid	process
1692	wab.exe

pid	process
280	Powershell.exe
1692	wab.exe

description	pid	process	target process
PID 280 set thread context of 1692	280	Powershell.exe	wab.exe

Drops file in Program Files directory 2 IoCs

Processes:

d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\evighedsblomstens\ablations.kon	d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68.exe
File opened for modification	C:\Program Files (x86)\Common Files\advisers\inkonvertibelt.beg	d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68.exe

Drops file in Windows directory 1 IoCs

Processes:

d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68.exe

description ioc process

File opened for modification C:\Windows\resources\0409\skimlernes\towy.Erh d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

Powershell.exe

pid process

280 Powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Powershell.exe

pid process

280 Powershell.exe
280 Powershell.exe
280 Powershell.exe
280 Powershell.exe
280 Powershell.exe
280 Powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Powershell.exe

pid process

280 Powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Powershell.exe

description pid process

Token: SeDebugPrivilege 280 Powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

1692 wab.exe

description	ioc	process
File opened for modification	C:\Windows\resources\0409\skimlernes\towy.Erh	d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68.exe

pid	process
280	Powershell.exe

pid	process
280	Powershell.exe
280	Powershell.exe
280	Powershell.exe
280	Powershell.exe
280	Powershell.exe
280	Powershell.exe

pid	process
280	Powershell.exe

description	pid	process
Token: SeDebugPrivilege	280	Powershell.exe

pid	process
1692	wab.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68.exePowershell.exe

description	pid	process	target process
PID 1756 wrote to memory of 280	1756	d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68.exe	Powershell.exe
PID 1756 wrote to memory of 280	1756	d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68.exe	Powershell.exe
PID 1756 wrote to memory of 280	1756	d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68.exe	Powershell.exe
PID 1756 wrote to memory of 280	1756	d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68.exe	Powershell.exe
PID 280 wrote to memory of 1144	280	Powershell.exe	cmd.exe
PID 280 wrote to memory of 1144	280	Powershell.exe	cmd.exe
PID 280 wrote to memory of 1144	280	Powershell.exe	cmd.exe
PID 280 wrote to memory of 1144	280	Powershell.exe	cmd.exe
PID 280 wrote to memory of 1692	280	Powershell.exe	wab.exe
PID 280 wrote to memory of 1692	280	Powershell.exe	wab.exe
PID 280 wrote to memory of 1692	280	Powershell.exe	wab.exe
PID 280 wrote to memory of 1692	280	Powershell.exe	wab.exe
PID 280 wrote to memory of 1692	280	Powershell.exe	wab.exe
PID 280 wrote to memory of 1692	280	Powershell.exe	wab.exe

C:\Users\Admin\AppData\Local\Temp\d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68.exe
"C:\Users\Admin\AppData\Local\Temp\d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" -windowstyle minimized "$Pekingeseres = Get-Content 'C:\Users\Admin\AppData\Roaming\purists\Fdselshjlpere\counternecromancy\Drearisomely\Lyrerne.Kon' ; $Termitboernes=$Pekingeseres.SubString(33230,3);.$Termitboernes($Pekingeseres) "
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
3⤵
PID:1144

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
3⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
124B

MD5
97bd502922c9e889a745fbdcd22a598f

SHA1
b21e75e294090d0774bb72b5a9ee24cd287d055b

SHA256
2debdd0d3d927b9e0aa7712241d89bfdc738c903cb9281fcf3ee03d3e97eaa62

SHA512
053ee023662374c3a6bc11b85be9fee3cc5b092e9d2163c28de019bbdbe8907fd84cf9ff81b6dd4574379eb7fd67b2051b1417c49bfb00a577908b40e8c0c4ac

Download Submit
C:\Users\Admin\AppData\Roaming\purists\Fdselshjlpere\counternecromancy\Drearisomely\Lyrerne.Kon
Filesize
68KB

MD5
05605fca856618040d6e4dee40b204e1

SHA1
2d5850037b0866baa7bb00d2769ac6fe48810f49

SHA256
41347df2bd28b3131bf72efbf3756e4da12d0f45b4bee1b82f59c77e764e3197

SHA512
f3496876a0f2b6110dc900ff388456760281bf09d751b41c03c82915a489a541527f4ab1bafb6e509b0cf03cf7f53f51dec3e2229245934d35ec6ca91e4094ee

Download Submit
C:\Users\Admin\AppData\Roaming\purists\Fdselshjlpere\counternecromancy\Tilbagelagtes.Bon
Filesize
466KB

MD5
82bedb3c6b94b289be412ce6bc85a7ca

SHA1
c8fdac5f88ab0787abbef825e51861d4336aa695

SHA256
a536c0012e6d7386f2e303df21f131534636f8f67935296a72fb803634752db8

SHA512
96cde71dfcd7ed562ced7abd1eb7185c8c82fcf10c1e733b2a67bfb4159a69d68426077ea2c62591e387929af35c59e9cb551608d1154739c911e4f9a0ba18bb

Download Submit
C:\Users\Admin\Desktop\Bankfuldmgtigens.ini
Filesize
41B

MD5
7bb29932647c76ded34eca4b0c9ca1cc

SHA1
72501f63fb797f40d4dfced19a71a9e8fa07b1e9

SHA256
bec9b6e4f50edbff25fda72fb7c760c9f9bc8fee0076c7e7414b7942a84f6ca2

SHA512
46341f7c768f23a86932ec521425c7dd7d14f68c71eac02ba897263899568440057075e95779bf1ec681bbb2e58b7e6ef057e7239b794819373c71efb4236a3d

Download Submit
memory/280-240-0x00000000066C0000-0x000000000B0B1000-memory.dmp

Filesize
73.9MB

Download
memory/1692-247-0x0000000000B90000-0x0000000001BF2000-memory.dmp

Filesize
16.4MB

Download
memory/1692-283-0x0000000000B90000-0x0000000001BF2000-memory.dmp

Filesize
16.4MB

Download
memory/1692-271-0x0000000000B90000-0x0000000001BF2000-memory.dmp

Filesize
16.4MB

Download
memory/1692-263-0x0000000000B90000-0x0000000001BF2000-memory.dmp

Filesize
16.4MB

Download
memory/1692-274-0x0000000000B90000-0x0000000001BF2000-memory.dmp

Filesize
16.4MB

Download
memory/1692-277-0x0000000000B90000-0x0000000001BF2000-memory.dmp

Filesize
16.4MB

Download
memory/1692-280-0x0000000000B90000-0x0000000001BF2000-memory.dmp

Filesize
16.4MB

Download
memory/1692-268-0x0000000000B90000-0x0000000001BF2000-memory.dmp

Filesize
16.4MB

Download
memory/1692-286-0x0000000000B90000-0x0000000001BF2000-memory.dmp

Filesize
16.4MB

Download
memory/1692-289-0x0000000000B90000-0x0000000001BF2000-memory.dmp

Filesize
16.4MB

Download
memory/1692-292-0x0000000000B90000-0x0000000001BF2000-memory.dmp

Filesize
16.4MB

Download
memory/1692-295-0x0000000000B90000-0x0000000001BF2000-memory.dmp

Filesize
16.4MB

Download
memory/1692-298-0x0000000000B90000-0x0000000001BF2000-memory.dmp

Filesize
16.4MB

Download
memory/1692-301-0x0000000000B90000-0x0000000001BF2000-memory.dmp

Filesize
16.4MB

Download