remcos | 12e45d9842e64a393cd24914d38dbcaa2f5aad6ddcd8b7e3215ec29af274a88f

General

Target

Payment_Advice.exe
Size

1.4MB
MD5

90d299316fdd9e9131b1316f8c05a7c2
SHA1

d7728c0d419b36b00f02bd470034d00bcb9f3564
SHA256

5fa4dc80cabd644491180f4af2bbe0001bf4082fe84b45e1452200318b912aee
SHA512

ed6745baa0074c969df3b33f758418192438e42024a6ea34e7a05260ea5ff0607343c241f2e8e038a3489b9b20a27d0ad4dbe5658760b9ec7f7544489b18b2ab

Score

10^/10

remcos sa persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Version

3.1.5 Pro

Botnet

SA

C2

ego.ddns.net:2404

chasesure.duckdns.org:2404

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
rem.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-6KPFIK
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

rem.exerem.exe

pid process

820 rem.exe
872 rem.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
820	rem.exe
872	rem.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Payment_Advice.exerem.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Payment_Advice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\rem.exe\""	Payment_Advice.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	rem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\rem.exe\""	rem.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Payment_Advice.exerem.exe

description	pid	process	target process
PID 516 set thread context of 3468	516	Payment_Advice.exe	Payment_Advice.exe
PID 820 set thread context of 872	820	rem.exe	rem.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3312 schtasks.exe
3976 schtasks.exe
Modifies registry class 1 IoCs

Processes:

Payment_Advice.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings Payment_Advice.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rem.exe

pid process

872 rem.exe

pid	process
3312	schtasks.exe
3976	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	Payment_Advice.exe

pid	process
872	rem.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

Payment_Advice.exePayment_Advice.exeWScript.execmd.exerem.exe

description	pid	process	target process
PID 516 wrote to memory of 3312	516	Payment_Advice.exe	schtasks.exe
PID 516 wrote to memory of 3312	516	Payment_Advice.exe	schtasks.exe
PID 516 wrote to memory of 3312	516	Payment_Advice.exe	schtasks.exe
PID 516 wrote to memory of 3468	516	Payment_Advice.exe	Payment_Advice.exe
PID 516 wrote to memory of 3468	516	Payment_Advice.exe	Payment_Advice.exe
PID 516 wrote to memory of 3468	516	Payment_Advice.exe	Payment_Advice.exe
PID 516 wrote to memory of 3468	516	Payment_Advice.exe	Payment_Advice.exe
PID 516 wrote to memory of 3468	516	Payment_Advice.exe	Payment_Advice.exe
PID 516 wrote to memory of 3468	516	Payment_Advice.exe	Payment_Advice.exe
PID 516 wrote to memory of 3468	516	Payment_Advice.exe	Payment_Advice.exe
PID 516 wrote to memory of 3468	516	Payment_Advice.exe	Payment_Advice.exe
PID 516 wrote to memory of 3468	516	Payment_Advice.exe	Payment_Advice.exe
PID 516 wrote to memory of 3468	516	Payment_Advice.exe	Payment_Advice.exe
PID 516 wrote to memory of 3468	516	Payment_Advice.exe	Payment_Advice.exe
PID 516 wrote to memory of 3468	516	Payment_Advice.exe	Payment_Advice.exe
PID 3468 wrote to memory of 4084	3468	Payment_Advice.exe	WScript.exe
PID 3468 wrote to memory of 4084	3468	Payment_Advice.exe	WScript.exe
PID 3468 wrote to memory of 4084	3468	Payment_Advice.exe	WScript.exe
PID 4084 wrote to memory of 4004	4084	WScript.exe	cmd.exe
PID 4084 wrote to memory of 4004	4084	WScript.exe	cmd.exe
PID 4084 wrote to memory of 4004	4084	WScript.exe	cmd.exe
PID 4004 wrote to memory of 820	4004	cmd.exe	rem.exe
PID 4004 wrote to memory of 820	4004	cmd.exe	rem.exe
PID 4004 wrote to memory of 820	4004	cmd.exe	rem.exe
PID 820 wrote to memory of 3976	820	rem.exe	schtasks.exe
PID 820 wrote to memory of 3976	820	rem.exe	schtasks.exe
PID 820 wrote to memory of 3976	820	rem.exe	schtasks.exe
PID 820 wrote to memory of 872	820	rem.exe	rem.exe
PID 820 wrote to memory of 872	820	rem.exe	rem.exe
PID 820 wrote to memory of 872	820	rem.exe	rem.exe
PID 820 wrote to memory of 872	820	rem.exe	rem.exe
PID 820 wrote to memory of 872	820	rem.exe	rem.exe
PID 820 wrote to memory of 872	820	rem.exe	rem.exe
PID 820 wrote to memory of 872	820	rem.exe	rem.exe
PID 820 wrote to memory of 872	820	rem.exe	rem.exe
PID 820 wrote to memory of 872	820	rem.exe	rem.exe
PID 820 wrote to memory of 872	820	rem.exe	rem.exe
PID 820 wrote to memory of 872	820	rem.exe	rem.exe
PID 820 wrote to memory of 872	820	rem.exe	rem.exe

C:\Users\Admin\AppData\Local\Temp\Payment_Advice.exe
"C:\Users\Admin\AppData\Local\Temp\Payment_Advice.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:516
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eOTbmoGKVPV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6C57.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3312
- C:\Users\Admin\AppData\Local\Temp\Payment_Advice.exe
  "C:\Users\Admin\AppData\Local\Temp\Payment_Advice.exe"
  2⤵
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4084
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\rem.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4004
    - - C:\Users\Admin\AppData\Roaming\Remcos\rem.exe
        
        C:\Users\Admin\AppData\Roaming\Remcos\rem.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:820
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eOTbmoGKVPV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D70.tmp"
        6⤵
        Creates scheduled task(s)
        
        PID:3976
      - C:\Users\Admin\AppData\Roaming\Remcos\rem.exe
        
        "C:\Users\Admin\AppData\Roaming\Remcos\rem.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5
ee6a60642b38818164df4cc6559b10e1

SHA1
896228860c3c87913c136ac5381732055bd7c683

SHA256
6b8f524f0c489f90c21422804ff6da3729d9f38cdaf99abd83302c856badd478

SHA512
a507173b14f0fe59f4a9d993b7afb1eb66a696a149d22ff3d15b7013977b5a1302ad4f578a28e22d1960c8b793d9f7952ce64e3f9d2c4a056cabce97d69baad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4D70.tmp

MD5
559c35dc8db3867ef13927d82cdeb345

SHA1
3f03ca5ebde82493b5c6d5659cb654746c305d92

SHA256
932fe9fa2df79594c47bebd1536aeed284465c55f43b35753e098dce596189ef

SHA512
7b29241a9de265c1e1f29e7e6a691cc9ccf083faf96df057b79e2187aed44a8f24e1aad9e5afc0677f70f110720164b3a97043b78090630bd25ae1324aeace5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6C57.tmp

MD5
559c35dc8db3867ef13927d82cdeb345

SHA1
3f03ca5ebde82493b5c6d5659cb654746c305d92

SHA256
932fe9fa2df79594c47bebd1536aeed284465c55f43b35753e098dce596189ef

SHA512
7b29241a9de265c1e1f29e7e6a691cc9ccf083faf96df057b79e2187aed44a8f24e1aad9e5afc0677f70f110720164b3a97043b78090630bd25ae1324aeace5d

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\rem.exe

MD5
90d299316fdd9e9131b1316f8c05a7c2

SHA1
d7728c0d419b36b00f02bd470034d00bcb9f3564

SHA256
5fa4dc80cabd644491180f4af2bbe0001bf4082fe84b45e1452200318b912aee

SHA512
ed6745baa0074c969df3b33f758418192438e42024a6ea34e7a05260ea5ff0607343c241f2e8e038a3489b9b20a27d0ad4dbe5658760b9ec7f7544489b18b2ab

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\rem.exe

MD5
90d299316fdd9e9131b1316f8c05a7c2

SHA1
d7728c0d419b36b00f02bd470034d00bcb9f3564

SHA256
5fa4dc80cabd644491180f4af2bbe0001bf4082fe84b45e1452200318b912aee

SHA512
ed6745baa0074c969df3b33f758418192438e42024a6ea34e7a05260ea5ff0607343c241f2e8e038a3489b9b20a27d0ad4dbe5658760b9ec7f7544489b18b2ab

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\rem.exe

MD5
90d299316fdd9e9131b1316f8c05a7c2

SHA1
d7728c0d419b36b00f02bd470034d00bcb9f3564

SHA256
5fa4dc80cabd644491180f4af2bbe0001bf4082fe84b45e1452200318b912aee

SHA512
ed6745baa0074c969df3b33f758418192438e42024a6ea34e7a05260ea5ff0607343c241f2e8e038a3489b9b20a27d0ad4dbe5658760b9ec7f7544489b18b2ab

Download Submit
memory/516-119-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/516-122-0x0000000005060000-0x000000000507B000-memory.dmp

Filesize
108KB

Download
memory/516-123-0x00000000084C0000-0x000000000857F000-memory.dmp

Filesize
764KB

Download
memory/516-124-0x0000000008580000-0x00000000085FA000-memory.dmp

Filesize
488KB

Download
memory/516-121-0x0000000004A60000-0x0000000004AFC000-memory.dmp

Filesize
624KB

Download
memory/516-120-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/516-118-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/516-117-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/516-116-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/516-114-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/820-133-0x0000000000000000-mapping.dmp

Download
memory/820-143-0x0000000004B50000-0x000000000504E000-memory.dmp

Filesize
5.0MB

Download
memory/872-150-0x000000000042F075-mapping.dmp

Download
memory/872-152-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3312-125-0x0000000000000000-mapping.dmp

Download
memory/3468-130-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3468-128-0x000000000042F075-mapping.dmp

Download
memory/3468-127-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3976-147-0x0000000000000000-mapping.dmp

Download
memory/4004-132-0x0000000000000000-mapping.dmp

Download
memory/4084-129-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads