remcos | af31df0399c0a4656499be1101463a7c87761dd26dda053503feed9218e47e59

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10v20201028
submitted
19-01-2021 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO - 2021-000511.exe
Size

330KB
MD5

1fe68462ce21c1dfa5bbc9501d636330
SHA1

800830eae62749ea1a30b70a94f51f644913212d
SHA256

af31df0399c0a4656499be1101463a7c87761dd26dda053503feed9218e47e59
SHA512

9dec8399b5d3dd4c39af35d54a71df27bf550e5ad05ff8c38adc2a0351c775cb376e84249d6cd84a7a648fbc10a7e7563551fef1e278bd97601585f948cea40d

Score

10^/10

remcos persistence rat spyware

Malware Config

Extracted

Family

remcos

nkosarevaocs.duckdns.org:7266

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/812-17-0x0000000000476274-mapping.dmp	WebBrowserPassView

Nirsoft 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/812-17-0x0000000000476274-mapping.dmp	Nirsoft
behavioral2/memory/2440-20-0x0000000000422206-mapping.dmp	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

remcos.exeremcos.exeremcos.exeremcos.exeremcos.exe

pid process

2692 remcos.exe
3612 remcos.exe
812 remcos.exe
2440 remcos.exe
3108 remcos.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2692	remcos.exe
3612	remcos.exe
812	remcos.exe
2440	remcos.exe
3108	remcos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PO - 2021-000511.exeremcos.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\	PO - 2021-000511.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	PO - 2021-000511.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

PO - 2021-000511.exeremcos.exeremcos.exe

description	pid	process	target process
PID 496 set thread context of 3624	496	PO - 2021-000511.exe	PO - 2021-000511.exe
PID 2692 set thread context of 3612	2692	remcos.exe	remcos.exe
PID 3612 set thread context of 812	3612	remcos.exe	remcos.exe
PID 3612 set thread context of 2440	3612	remcos.exe	remcos.exe
PID 3612 set thread context of 3108	3612	remcos.exe	remcos.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2024 schtasks.exe
Modifies registry class 1 IoCs

Processes:

PO - 2021-000511.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings PO - 2021-000511.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

remcos.exeremcos.exe

pid process

812 remcos.exe
812 remcos.exe
2440 remcos.exe
2440 remcos.exe
812 remcos.exe
812 remcos.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

PO - 2021-000511.exeremcos.exe

pid process

496 PO - 2021-000511.exe
2692 remcos.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

remcos.exe

description pid process

Token: SeDebugPrivilege 2440 remcos.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

3612 remcos.exe

pid	process
2024	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	PO - 2021-000511.exe

pid	process
812	remcos.exe
812	remcos.exe
2440	remcos.exe
2440	remcos.exe
812	remcos.exe
812	remcos.exe

pid	process
496	PO - 2021-000511.exe
2692	remcos.exe

description	pid	process
Token: SeDebugPrivilege	2440	remcos.exe

pid	process
3612	remcos.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

PO - 2021-000511.execmd.exePO - 2021-000511.exeWScript.execmd.exeremcos.exeremcos.exe

description	pid	process	target process
PID 496 wrote to memory of 3176	496	PO - 2021-000511.exe	cmd.exe
PID 496 wrote to memory of 3176	496	PO - 2021-000511.exe	cmd.exe
PID 496 wrote to memory of 3176	496	PO - 2021-000511.exe	cmd.exe
PID 496 wrote to memory of 3624	496	PO - 2021-000511.exe	PO - 2021-000511.exe
PID 496 wrote to memory of 3624	496	PO - 2021-000511.exe	PO - 2021-000511.exe
PID 496 wrote to memory of 3624	496	PO - 2021-000511.exe	PO - 2021-000511.exe
PID 496 wrote to memory of 3624	496	PO - 2021-000511.exe	PO - 2021-000511.exe
PID 3176 wrote to memory of 2024	3176	cmd.exe	schtasks.exe
PID 3176 wrote to memory of 2024	3176	cmd.exe	schtasks.exe
PID 3176 wrote to memory of 2024	3176	cmd.exe	schtasks.exe
PID 3624 wrote to memory of 4040	3624	PO - 2021-000511.exe	WScript.exe
PID 3624 wrote to memory of 4040	3624	PO - 2021-000511.exe	WScript.exe
PID 3624 wrote to memory of 4040	3624	PO - 2021-000511.exe	WScript.exe
PID 4040 wrote to memory of 2176	4040	WScript.exe	cmd.exe
PID 4040 wrote to memory of 2176	4040	WScript.exe	cmd.exe
PID 4040 wrote to memory of 2176	4040	WScript.exe	cmd.exe
PID 2176 wrote to memory of 2692	2176	cmd.exe	remcos.exe
PID 2176 wrote to memory of 2692	2176	cmd.exe	remcos.exe
PID 2176 wrote to memory of 2692	2176	cmd.exe	remcos.exe
PID 2692 wrote to memory of 3612	2692	remcos.exe	remcos.exe
PID 2692 wrote to memory of 3612	2692	remcos.exe	remcos.exe
PID 2692 wrote to memory of 3612	2692	remcos.exe	remcos.exe
PID 2692 wrote to memory of 3612	2692	remcos.exe	remcos.exe
PID 3612 wrote to memory of 812	3612	remcos.exe	remcos.exe
PID 3612 wrote to memory of 812	3612	remcos.exe	remcos.exe
PID 3612 wrote to memory of 812	3612	remcos.exe	remcos.exe
PID 3612 wrote to memory of 812	3612	remcos.exe	remcos.exe
PID 3612 wrote to memory of 812	3612	remcos.exe	remcos.exe
PID 3612 wrote to memory of 812	3612	remcos.exe	remcos.exe
PID 3612 wrote to memory of 812	3612	remcos.exe	remcos.exe
PID 3612 wrote to memory of 812	3612	remcos.exe	remcos.exe
PID 3612 wrote to memory of 2440	3612	remcos.exe	remcos.exe
PID 3612 wrote to memory of 2440	3612	remcos.exe	remcos.exe
PID 3612 wrote to memory of 2440	3612	remcos.exe	remcos.exe
PID 3612 wrote to memory of 2440	3612	remcos.exe	remcos.exe
PID 3612 wrote to memory of 2440	3612	remcos.exe	remcos.exe
PID 3612 wrote to memory of 2440	3612	remcos.exe	remcos.exe
PID 3612 wrote to memory of 2440	3612	remcos.exe	remcos.exe
PID 3612 wrote to memory of 2440	3612	remcos.exe	remcos.exe
PID 3612 wrote to memory of 3108	3612	remcos.exe	remcos.exe
PID 3612 wrote to memory of 3108	3612	remcos.exe	remcos.exe
PID 3612 wrote to memory of 3108	3612	remcos.exe	remcos.exe
PID 3612 wrote to memory of 3108	3612	remcos.exe	remcos.exe
PID 3612 wrote to memory of 3108	3612	remcos.exe	remcos.exe
PID 3612 wrote to memory of 3108	3612	remcos.exe	remcos.exe
PID 3612 wrote to memory of 3108	3612	remcos.exe	remcos.exe
PID 3612 wrote to memory of 3108	3612	remcos.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\PO - 2021-000511.exe
"C:\Users\Admin\AppData\Local\Temp\PO - 2021-000511.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\46259bbd81d449c087c91b64fdbc15ad.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\46259bbd81d449c087c91b64fdbc15ad.xml"
3⤵
- Creates scheduled task(s)
PID:2024

C:\Users\Admin\AppData\Local\Temp\PO - 2021-000511.exe
"C:\Users\Admin\AppData\Local\Temp\PO - 2021-000511.exe"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3624

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2692

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3612

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\upkoyhnuoftd"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:812

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\erphzsxncoliutcs"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\olurzkipywdnfirenta"
7⤵
- Executes dropped EXE
PID:3108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\46259bbd81d449c087c91b64fdbc15ad.xml
MD5
a36564afc14b3eb0849c01a3afdb9944

SHA1
4dcee9fae3fde4e46b08529bc0ba067150686f07

SHA256
9d4342f763c5d62a06f69aa6fdcb1caa376ff2f2c0972f36b487f73b4d221996

SHA512
782082aa36ae056734e90fc079c813dfef59420571a1b70cde4cf15eb6c870f85b2bfe0748ef4db9df3d010c08671bff744d78178ba75bf2ba02b665f044ae89

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\upkoyhnuoftd
MD5
814b5ce4cad79d36055d2d4b5958cc31

SHA1
2a06a869615f0858479371b0415899681fb0c7d8

SHA256
6d1fa1a75faec2b39e8a2a1df8dd0f15e5256de7da7c527225ecf22fdacaf559

SHA512
a82fa1594ccbe1df93a973a01c787a6baa0ce8a97c0b0b0a844c90cb6be092b1094636b4d88c568fece95cd9bdfe4412875011abe318373a4fcfc218f93d1278

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
1fe68462ce21c1dfa5bbc9501d636330

SHA1
800830eae62749ea1a30b70a94f51f644913212d

SHA256
af31df0399c0a4656499be1101463a7c87761dd26dda053503feed9218e47e59

SHA512
9dec8399b5d3dd4c39af35d54a71df27bf550e5ad05ff8c38adc2a0351c775cb376e84249d6cd84a7a648fbc10a7e7563551fef1e278bd97601585f948cea40d

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
1fe68462ce21c1dfa5bbc9501d636330

SHA1
800830eae62749ea1a30b70a94f51f644913212d

SHA256
af31df0399c0a4656499be1101463a7c87761dd26dda053503feed9218e47e59

SHA512
9dec8399b5d3dd4c39af35d54a71df27bf550e5ad05ff8c38adc2a0351c775cb376e84249d6cd84a7a648fbc10a7e7563551fef1e278bd97601585f948cea40d

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
1fe68462ce21c1dfa5bbc9501d636330

SHA1
800830eae62749ea1a30b70a94f51f644913212d

SHA256
af31df0399c0a4656499be1101463a7c87761dd26dda053503feed9218e47e59

SHA512
9dec8399b5d3dd4c39af35d54a71df27bf550e5ad05ff8c38adc2a0351c775cb376e84249d6cd84a7a648fbc10a7e7563551fef1e278bd97601585f948cea40d

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
1fe68462ce21c1dfa5bbc9501d636330

SHA1
800830eae62749ea1a30b70a94f51f644913212d

SHA256
af31df0399c0a4656499be1101463a7c87761dd26dda053503feed9218e47e59

SHA512
9dec8399b5d3dd4c39af35d54a71df27bf550e5ad05ff8c38adc2a0351c775cb376e84249d6cd84a7a648fbc10a7e7563551fef1e278bd97601585f948cea40d

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
1fe68462ce21c1dfa5bbc9501d636330

SHA1
800830eae62749ea1a30b70a94f51f644913212d

SHA256
af31df0399c0a4656499be1101463a7c87761dd26dda053503feed9218e47e59

SHA512
9dec8399b5d3dd4c39af35d54a71df27bf550e5ad05ff8c38adc2a0351c775cb376e84249d6cd84a7a648fbc10a7e7563551fef1e278bd97601585f948cea40d

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
1fe68462ce21c1dfa5bbc9501d636330

SHA1
800830eae62749ea1a30b70a94f51f644913212d

SHA256
af31df0399c0a4656499be1101463a7c87761dd26dda053503feed9218e47e59

SHA512
9dec8399b5d3dd4c39af35d54a71df27bf550e5ad05ff8c38adc2a0351c775cb376e84249d6cd84a7a648fbc10a7e7563551fef1e278bd97601585f948cea40d

Download Submit
memory/812-25-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/812-17-0x0000000000476274-mapping.dmp

Download
memory/812-16-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2024-4-0x0000000000000000-mapping.dmp

Download
memory/2176-9-0x0000000000000000-mapping.dmp

Download
memory/2440-20-0x0000000000422206-mapping.dmp

Download
memory/2440-19-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2440-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2692-10-0x0000000000000000-mapping.dmp

Download
memory/3108-22-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3108-23-0x0000000000455238-mapping.dmp

Download
memory/3108-27-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3176-2-0x0000000000000000-mapping.dmp

Download
memory/3612-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3612-13-0x0000000000413FA4-mapping.dmp

Download
memory/3624-7-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3624-3-0x0000000000413FA4-mapping.dmp

Download
memory/4040-6-0x0000000000000000-mapping.dmp

Download