remcos | 12e45d9842e64a393cd24914d38dbcaa2f5aad6ddcd8b7e3215ec29af274a88f

Analysis

max time kernel
135s
max time network
22s
platform
windows7_x64
resource
win7v20210408
submitted
21-07-2021 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment_Advice.exe
Size

1.4MB
MD5

90d299316fdd9e9131b1316f8c05a7c2
SHA1

d7728c0d419b36b00f02bd470034d00bcb9f3564
SHA256

5fa4dc80cabd644491180f4af2bbe0001bf4082fe84b45e1452200318b912aee
SHA512

ed6745baa0074c969df3b33f758418192438e42024a6ea34e7a05260ea5ff0607343c241f2e8e038a3489b9b20a27d0ad4dbe5658760b9ec7f7544489b18b2ab

Score

10^/10

remcos sa persistence rat

Malware Config

Extracted

Family

remcos

Version

3.1.5 Pro

Botnet

ego.ddns.net:2404

chasesure.duckdns.org:2404

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
rem.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-6KPFIK
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 6 IoCs

Processes:

rem.exerem.exerem.exerem.exerem.exerem.exe

pid process

880 rem.exe
1392 rem.exe
1356 rem.exe
1696 rem.exe
968 rem.exe
1764 rem.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

984 cmd.exe

pid	process
880	rem.exe
1392	rem.exe
1356	rem.exe
1696	rem.exe
968	rem.exe
1764	rem.exe

pid	process
984	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Payment_Advice.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Payment_Advice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\rem.exe\""	Payment_Advice.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Payment_Advice.exe

description pid process target process

PID 1652 set thread context of 544 1652 Payment_Advice.exe Payment_Advice.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

876 schtasks.exe
764 schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

rem.exe

pid process

880 rem.exe
880 rem.exe
880 rem.exe
880 rem.exe
880 rem.exe
880 rem.exe
880 rem.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rem.exe

description pid process

Token: SeDebugPrivilege 880 rem.exe

description	pid	process	target process
PID 1652 set thread context of 544	1652	Payment_Advice.exe	Payment_Advice.exe

pid	process
876	schtasks.exe
764	schtasks.exe

pid	process
880	rem.exe
880	rem.exe
880	rem.exe
880	rem.exe
880	rem.exe
880	rem.exe
880	rem.exe

description	pid	process
Token: SeDebugPrivilege	880	rem.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

Payment_Advice.exePayment_Advice.exeWScript.execmd.exerem.exe

description	pid	process	target process
PID 1652 wrote to memory of 876	1652	Payment_Advice.exe	schtasks.exe
PID 1652 wrote to memory of 876	1652	Payment_Advice.exe	schtasks.exe
PID 1652 wrote to memory of 876	1652	Payment_Advice.exe	schtasks.exe
PID 1652 wrote to memory of 876	1652	Payment_Advice.exe	schtasks.exe
PID 1652 wrote to memory of 544	1652	Payment_Advice.exe	Payment_Advice.exe
PID 1652 wrote to memory of 544	1652	Payment_Advice.exe	Payment_Advice.exe
PID 1652 wrote to memory of 544	1652	Payment_Advice.exe	Payment_Advice.exe
PID 1652 wrote to memory of 544	1652	Payment_Advice.exe	Payment_Advice.exe
PID 1652 wrote to memory of 544	1652	Payment_Advice.exe	Payment_Advice.exe
PID 1652 wrote to memory of 544	1652	Payment_Advice.exe	Payment_Advice.exe
PID 1652 wrote to memory of 544	1652	Payment_Advice.exe	Payment_Advice.exe
PID 1652 wrote to memory of 544	1652	Payment_Advice.exe	Payment_Advice.exe
PID 1652 wrote to memory of 544	1652	Payment_Advice.exe	Payment_Advice.exe
PID 1652 wrote to memory of 544	1652	Payment_Advice.exe	Payment_Advice.exe
PID 1652 wrote to memory of 544	1652	Payment_Advice.exe	Payment_Advice.exe
PID 1652 wrote to memory of 544	1652	Payment_Advice.exe	Payment_Advice.exe
PID 1652 wrote to memory of 544	1652	Payment_Advice.exe	Payment_Advice.exe
PID 544 wrote to memory of 1644	544	Payment_Advice.exe	WScript.exe
PID 544 wrote to memory of 1644	544	Payment_Advice.exe	WScript.exe
PID 544 wrote to memory of 1644	544	Payment_Advice.exe	WScript.exe
PID 544 wrote to memory of 1644	544	Payment_Advice.exe	WScript.exe
PID 1644 wrote to memory of 984	1644	WScript.exe	cmd.exe
PID 1644 wrote to memory of 984	1644	WScript.exe	cmd.exe
PID 1644 wrote to memory of 984	1644	WScript.exe	cmd.exe
PID 1644 wrote to memory of 984	1644	WScript.exe	cmd.exe
PID 984 wrote to memory of 880	984	cmd.exe	rem.exe
PID 984 wrote to memory of 880	984	cmd.exe	rem.exe
PID 984 wrote to memory of 880	984	cmd.exe	rem.exe
PID 984 wrote to memory of 880	984	cmd.exe	rem.exe
PID 880 wrote to memory of 764	880	rem.exe	schtasks.exe
PID 880 wrote to memory of 764	880	rem.exe	schtasks.exe
PID 880 wrote to memory of 764	880	rem.exe	schtasks.exe
PID 880 wrote to memory of 764	880	rem.exe	schtasks.exe
PID 880 wrote to memory of 1392	880	rem.exe	rem.exe
PID 880 wrote to memory of 1392	880	rem.exe	rem.exe
PID 880 wrote to memory of 1392	880	rem.exe	rem.exe
PID 880 wrote to memory of 1392	880	rem.exe	rem.exe
PID 880 wrote to memory of 1356	880	rem.exe	rem.exe
PID 880 wrote to memory of 1356	880	rem.exe	rem.exe
PID 880 wrote to memory of 1356	880	rem.exe	rem.exe
PID 880 wrote to memory of 1356	880	rem.exe	rem.exe
PID 880 wrote to memory of 1696	880	rem.exe	rem.exe
PID 880 wrote to memory of 1696	880	rem.exe	rem.exe
PID 880 wrote to memory of 1696	880	rem.exe	rem.exe
PID 880 wrote to memory of 1696	880	rem.exe	rem.exe
PID 880 wrote to memory of 968	880	rem.exe	rem.exe
PID 880 wrote to memory of 968	880	rem.exe	rem.exe
PID 880 wrote to memory of 968	880	rem.exe	rem.exe
PID 880 wrote to memory of 968	880	rem.exe	rem.exe
PID 880 wrote to memory of 1764	880	rem.exe	rem.exe
PID 880 wrote to memory of 1764	880	rem.exe	rem.exe
PID 880 wrote to memory of 1764	880	rem.exe	rem.exe
PID 880 wrote to memory of 1764	880	rem.exe	rem.exe

C:\Users\Admin\AppData\Local\Temp\Payment_Advice.exe
"C:\Users\Admin\AppData\Local\Temp\Payment_Advice.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eOTbmoGKVPV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp71C6.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:876
- C:\Users\Admin\AppData\Local\Temp\Payment_Advice.exe
  "C:\Users\Admin\AppData\Local\Temp\Payment_Advice.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\rem.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:984
    - - C:\Users\Admin\AppData\Roaming\Remcos\rem.exe
        
        C:\Users\Admin\AppData\Roaming\Remcos\rem.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:880
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eOTbmoGKVPV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7465.tmp"
        6⤵
        Creates scheduled task(s)
        
        PID:764
      - C:\Users\Admin\AppData\Roaming\Remcos\rem.exe
        
        "C:\Users\Admin\AppData\Roaming\Remcos\rem.exe"
        6⤵
        Executes dropped EXE
        
        PID:1392
      - C:\Users\Admin\AppData\Roaming\Remcos\rem.exe
        
        "C:\Users\Admin\AppData\Roaming\Remcos\rem.exe"
        6⤵
        Executes dropped EXE
        
        PID:1696
      - C:\Users\Admin\AppData\Roaming\Remcos\rem.exe
        
        "C:\Users\Admin\AppData\Roaming\Remcos\rem.exe"
        6⤵
        Executes dropped EXE
        
        PID:1356
      - C:\Users\Admin\AppData\Roaming\Remcos\rem.exe
        
        "C:\Users\Admin\AppData\Roaming\Remcos\rem.exe"
        6⤵
        Executes dropped EXE
        
        PID:1764
      - C:\Users\Admin\AppData\Roaming\Remcos\rem.exe
        
        "C:\Users\Admin\AppData\Roaming\Remcos\rem.exe"
        6⤵
        Executes dropped EXE
        
        PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5
ee6a60642b38818164df4cc6559b10e1

SHA1
896228860c3c87913c136ac5381732055bd7c683

SHA256
6b8f524f0c489f90c21422804ff6da3729d9f38cdaf99abd83302c856badd478

SHA512
a507173b14f0fe59f4a9d993b7afb1eb66a696a149d22ff3d15b7013977b5a1302ad4f578a28e22d1960c8b793d9f7952ce64e3f9d2c4a056cabce97d69baad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp71C6.tmp

MD5
209f8664311ad0141ea1305caa01b649

SHA1
cbaf6c15b51abef012f647f8cc7c923ffc747f68

SHA256
8b700f9028134f8ce993e67d4ff9af17c90a6c28dbbeabe42e2c72d683cef3a0

SHA512
66413c125422f2995a4fa7d0b3e59f25f271c9313b899505a812da9ae2753c8afedca4541a974e8f69bad9b3d57646be2510345b62c949853b62294aa6111bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7465.tmp

MD5
209f8664311ad0141ea1305caa01b649

SHA1
cbaf6c15b51abef012f647f8cc7c923ffc747f68

SHA256
8b700f9028134f8ce993e67d4ff9af17c90a6c28dbbeabe42e2c72d683cef3a0

SHA512
66413c125422f2995a4fa7d0b3e59f25f271c9313b899505a812da9ae2753c8afedca4541a974e8f69bad9b3d57646be2510345b62c949853b62294aa6111bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\rem.exe

MD5
90d299316fdd9e9131b1316f8c05a7c2

SHA1
d7728c0d419b36b00f02bd470034d00bcb9f3564

SHA256
5fa4dc80cabd644491180f4af2bbe0001bf4082fe84b45e1452200318b912aee

SHA512
ed6745baa0074c969df3b33f758418192438e42024a6ea34e7a05260ea5ff0607343c241f2e8e038a3489b9b20a27d0ad4dbe5658760b9ec7f7544489b18b2ab

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\rem.exe

MD5
90d299316fdd9e9131b1316f8c05a7c2

SHA1
d7728c0d419b36b00f02bd470034d00bcb9f3564

SHA256
5fa4dc80cabd644491180f4af2bbe0001bf4082fe84b45e1452200318b912aee

SHA512
ed6745baa0074c969df3b33f758418192438e42024a6ea34e7a05260ea5ff0607343c241f2e8e038a3489b9b20a27d0ad4dbe5658760b9ec7f7544489b18b2ab

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\rem.exe

MD5
90d299316fdd9e9131b1316f8c05a7c2

SHA1
d7728c0d419b36b00f02bd470034d00bcb9f3564

SHA256
5fa4dc80cabd644491180f4af2bbe0001bf4082fe84b45e1452200318b912aee

SHA512
ed6745baa0074c969df3b33f758418192438e42024a6ea34e7a05260ea5ff0607343c241f2e8e038a3489b9b20a27d0ad4dbe5658760b9ec7f7544489b18b2ab

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\rem.exe

MD5
90d299316fdd9e9131b1316f8c05a7c2

SHA1
d7728c0d419b36b00f02bd470034d00bcb9f3564

SHA256
5fa4dc80cabd644491180f4af2bbe0001bf4082fe84b45e1452200318b912aee

SHA512
ed6745baa0074c969df3b33f758418192438e42024a6ea34e7a05260ea5ff0607343c241f2e8e038a3489b9b20a27d0ad4dbe5658760b9ec7f7544489b18b2ab

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\rem.exe

MD5
90d299316fdd9e9131b1316f8c05a7c2

SHA1
d7728c0d419b36b00f02bd470034d00bcb9f3564

SHA256
5fa4dc80cabd644491180f4af2bbe0001bf4082fe84b45e1452200318b912aee

SHA512
ed6745baa0074c969df3b33f758418192438e42024a6ea34e7a05260ea5ff0607343c241f2e8e038a3489b9b20a27d0ad4dbe5658760b9ec7f7544489b18b2ab

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\rem.exe

MD5
90d299316fdd9e9131b1316f8c05a7c2

SHA1
d7728c0d419b36b00f02bd470034d00bcb9f3564

SHA256
5fa4dc80cabd644491180f4af2bbe0001bf4082fe84b45e1452200318b912aee

SHA512
ed6745baa0074c969df3b33f758418192438e42024a6ea34e7a05260ea5ff0607343c241f2e8e038a3489b9b20a27d0ad4dbe5658760b9ec7f7544489b18b2ab

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\rem.exe

MD5
90d299316fdd9e9131b1316f8c05a7c2

SHA1
d7728c0d419b36b00f02bd470034d00bcb9f3564

SHA256
5fa4dc80cabd644491180f4af2bbe0001bf4082fe84b45e1452200318b912aee

SHA512
ed6745baa0074c969df3b33f758418192438e42024a6ea34e7a05260ea5ff0607343c241f2e8e038a3489b9b20a27d0ad4dbe5658760b9ec7f7544489b18b2ab

Download Submit
\Users\Admin\AppData\Roaming\Remcos\rem.exe

MD5
90d299316fdd9e9131b1316f8c05a7c2

SHA1
d7728c0d419b36b00f02bd470034d00bcb9f3564

SHA256
5fa4dc80cabd644491180f4af2bbe0001bf4082fe84b45e1452200318b912aee

SHA512
ed6745baa0074c969df3b33f758418192438e42024a6ea34e7a05260ea5ff0607343c241f2e8e038a3489b9b20a27d0ad4dbe5658760b9ec7f7544489b18b2ab

Download Submit
memory/544-74-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/544-68-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/544-69-0x000000000042F075-mapping.dmp

Download
memory/544-70-0x00000000754F1000-0x00000000754F3000-memory.dmp

Filesize
8KB

Download
memory/764-86-0x0000000000000000-mapping.dmp

Download
memory/876-66-0x0000000000000000-mapping.dmp

Download
memory/880-78-0x0000000000000000-mapping.dmp

Download
memory/880-80-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/880-82-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/984-75-0x0000000000000000-mapping.dmp

Download
memory/1644-71-0x0000000000000000-mapping.dmp

Download
memory/1652-60-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/1652-65-0x0000000005F90000-0x000000000600A000-memory.dmp

Filesize
488KB

Download
memory/1652-64-0x00000000080F0000-0x00000000081AF000-memory.dmp

Filesize
764KB

Download
memory/1652-63-0x00000000003C0000-0x00000000003DB000-memory.dmp

Filesize
108KB

Download
memory/1652-62-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download