remcos | 5fa4dc80cabd644491180f4af2bbe0001bf4082fe84b45e1452200318b912aee

General

Target

Payment_Advice.exe
Size

1.4MB
MD5

90d299316fdd9e9131b1316f8c05a7c2
SHA1

d7728c0d419b36b00f02bd470034d00bcb9f3564
SHA256

5fa4dc80cabd644491180f4af2bbe0001bf4082fe84b45e1452200318b912aee
SHA512

ed6745baa0074c969df3b33f758418192438e42024a6ea34e7a05260ea5ff0607343c241f2e8e038a3489b9b20a27d0ad4dbe5658760b9ec7f7544489b18b2ab

Score

10^/10

remcos sa persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Version

3.1.5 Pro

Botnet

SA

C2

ego.ddns.net:2404

chasesure.duckdns.org:2404

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
rem.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-6KPFIK
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

rem.exerem.exe

pid process

464 rem.exe
1348 rem.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

684 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
464	rem.exe
1348	rem.exe

pid	process
684	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rem.exePayment_Advice.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\rem.exe\""	rem.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Payment_Advice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\rem.exe\""	Payment_Advice.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\	rem.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Payment_Advice.exerem.exe

description	pid	process	target process
PID 1640 set thread context of 812	1640	Payment_Advice.exe	Payment_Advice.exe
PID 464 set thread context of 1348	464	rem.exe	rem.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1788 schtasks.exe
1972 schtasks.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rem.exe

pid process

1348 rem.exe

pid	process
1788	schtasks.exe
1972	schtasks.exe

pid	process
1348	rem.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

Payment_Advice.exePayment_Advice.exeWScript.execmd.exerem.exe

description	pid	process	target process
PID 1640 wrote to memory of 1788	1640	Payment_Advice.exe	schtasks.exe
PID 1640 wrote to memory of 1788	1640	Payment_Advice.exe	schtasks.exe
PID 1640 wrote to memory of 1788	1640	Payment_Advice.exe	schtasks.exe
PID 1640 wrote to memory of 1788	1640	Payment_Advice.exe	schtasks.exe
PID 1640 wrote to memory of 812	1640	Payment_Advice.exe	Payment_Advice.exe
PID 1640 wrote to memory of 812	1640	Payment_Advice.exe	Payment_Advice.exe
PID 1640 wrote to memory of 812	1640	Payment_Advice.exe	Payment_Advice.exe
PID 1640 wrote to memory of 812	1640	Payment_Advice.exe	Payment_Advice.exe
PID 1640 wrote to memory of 812	1640	Payment_Advice.exe	Payment_Advice.exe
PID 1640 wrote to memory of 812	1640	Payment_Advice.exe	Payment_Advice.exe
PID 1640 wrote to memory of 812	1640	Payment_Advice.exe	Payment_Advice.exe
PID 1640 wrote to memory of 812	1640	Payment_Advice.exe	Payment_Advice.exe
PID 1640 wrote to memory of 812	1640	Payment_Advice.exe	Payment_Advice.exe
PID 1640 wrote to memory of 812	1640	Payment_Advice.exe	Payment_Advice.exe
PID 1640 wrote to memory of 812	1640	Payment_Advice.exe	Payment_Advice.exe
PID 1640 wrote to memory of 812	1640	Payment_Advice.exe	Payment_Advice.exe
PID 1640 wrote to memory of 812	1640	Payment_Advice.exe	Payment_Advice.exe
PID 812 wrote to memory of 632	812	Payment_Advice.exe	WScript.exe
PID 812 wrote to memory of 632	812	Payment_Advice.exe	WScript.exe
PID 812 wrote to memory of 632	812	Payment_Advice.exe	WScript.exe
PID 812 wrote to memory of 632	812	Payment_Advice.exe	WScript.exe
PID 632 wrote to memory of 684	632	WScript.exe	cmd.exe
PID 632 wrote to memory of 684	632	WScript.exe	cmd.exe
PID 632 wrote to memory of 684	632	WScript.exe	cmd.exe
PID 632 wrote to memory of 684	632	WScript.exe	cmd.exe
PID 684 wrote to memory of 464	684	cmd.exe	rem.exe
PID 684 wrote to memory of 464	684	cmd.exe	rem.exe
PID 684 wrote to memory of 464	684	cmd.exe	rem.exe
PID 684 wrote to memory of 464	684	cmd.exe	rem.exe
PID 464 wrote to memory of 1972	464	rem.exe	schtasks.exe
PID 464 wrote to memory of 1972	464	rem.exe	schtasks.exe
PID 464 wrote to memory of 1972	464	rem.exe	schtasks.exe
PID 464 wrote to memory of 1972	464	rem.exe	schtasks.exe
PID 464 wrote to memory of 1348	464	rem.exe	rem.exe
PID 464 wrote to memory of 1348	464	rem.exe	rem.exe
PID 464 wrote to memory of 1348	464	rem.exe	rem.exe
PID 464 wrote to memory of 1348	464	rem.exe	rem.exe
PID 464 wrote to memory of 1348	464	rem.exe	rem.exe
PID 464 wrote to memory of 1348	464	rem.exe	rem.exe
PID 464 wrote to memory of 1348	464	rem.exe	rem.exe
PID 464 wrote to memory of 1348	464	rem.exe	rem.exe
PID 464 wrote to memory of 1348	464	rem.exe	rem.exe
PID 464 wrote to memory of 1348	464	rem.exe	rem.exe
PID 464 wrote to memory of 1348	464	rem.exe	rem.exe
PID 464 wrote to memory of 1348	464	rem.exe	rem.exe
PID 464 wrote to memory of 1348	464	rem.exe	rem.exe

C:\Users\Admin\AppData\Local\Temp\Payment_Advice.exe
"C:\Users\Admin\AppData\Local\Temp\Payment_Advice.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eOTbmoGKVPV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1F82.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1788
- C:\Users\Admin\AppData\Local\Temp\Payment_Advice.exe
  "C:\Users\Admin\AppData\Local\Temp\Payment_Advice.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:632
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\rem.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:684
    - - C:\Users\Admin\AppData\Roaming\Remcos\rem.exe
        
        C:\Users\Admin\AppData\Roaming\Remcos\rem.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:464
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eOTbmoGKVPV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1870.tmp"
        6⤵
        Creates scheduled task(s)
        
        PID:1972
      - C:\Users\Admin\AppData\Roaming\Remcos\rem.exe
        
        "C:\Users\Admin\AppData\Roaming\Remcos\rem.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5
ee6a60642b38818164df4cc6559b10e1

SHA1
896228860c3c87913c136ac5381732055bd7c683

SHA256
6b8f524f0c489f90c21422804ff6da3729d9f38cdaf99abd83302c856badd478

SHA512
a507173b14f0fe59f4a9d993b7afb1eb66a696a149d22ff3d15b7013977b5a1302ad4f578a28e22d1960c8b793d9f7952ce64e3f9d2c4a056cabce97d69baad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1870.tmp

MD5
7ce9fb4b121207920d815748dbf9af64

SHA1
99ba71ca410a629766f95cec7325af8c6cd8134d

SHA256
3f524181bff70ed7e1b8aca44d1604e2e9d9310635ab966169c78c4117f1e5b3

SHA512
b96d07fcb625a2a305e9789cd5f99fd40ebe682f09b24822a277e48a2e5381d0814661b1a1177fe5a905985541305011a3468c61b1962b5589999fbaec8a4524

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F82.tmp

MD5
7ce9fb4b121207920d815748dbf9af64

SHA1
99ba71ca410a629766f95cec7325af8c6cd8134d

SHA256
3f524181bff70ed7e1b8aca44d1604e2e9d9310635ab966169c78c4117f1e5b3

SHA512
b96d07fcb625a2a305e9789cd5f99fd40ebe682f09b24822a277e48a2e5381d0814661b1a1177fe5a905985541305011a3468c61b1962b5589999fbaec8a4524

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\rem.exe

MD5
90d299316fdd9e9131b1316f8c05a7c2

SHA1
d7728c0d419b36b00f02bd470034d00bcb9f3564

SHA256
5fa4dc80cabd644491180f4af2bbe0001bf4082fe84b45e1452200318b912aee

SHA512
ed6745baa0074c969df3b33f758418192438e42024a6ea34e7a05260ea5ff0607343c241f2e8e038a3489b9b20a27d0ad4dbe5658760b9ec7f7544489b18b2ab

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\rem.exe

MD5
90d299316fdd9e9131b1316f8c05a7c2

SHA1
d7728c0d419b36b00f02bd470034d00bcb9f3564

SHA256
5fa4dc80cabd644491180f4af2bbe0001bf4082fe84b45e1452200318b912aee

SHA512
ed6745baa0074c969df3b33f758418192438e42024a6ea34e7a05260ea5ff0607343c241f2e8e038a3489b9b20a27d0ad4dbe5658760b9ec7f7544489b18b2ab

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\rem.exe

MD5
90d299316fdd9e9131b1316f8c05a7c2

SHA1
d7728c0d419b36b00f02bd470034d00bcb9f3564

SHA256
5fa4dc80cabd644491180f4af2bbe0001bf4082fe84b45e1452200318b912aee

SHA512
ed6745baa0074c969df3b33f758418192438e42024a6ea34e7a05260ea5ff0607343c241f2e8e038a3489b9b20a27d0ad4dbe5658760b9ec7f7544489b18b2ab

Download Submit
\Users\Admin\AppData\Roaming\Remcos\rem.exe

MD5
90d299316fdd9e9131b1316f8c05a7c2

SHA1
d7728c0d419b36b00f02bd470034d00bcb9f3564

SHA256
5fa4dc80cabd644491180f4af2bbe0001bf4082fe84b45e1452200318b912aee

SHA512
ed6745baa0074c969df3b33f758418192438e42024a6ea34e7a05260ea5ff0607343c241f2e8e038a3489b9b20a27d0ad4dbe5658760b9ec7f7544489b18b2ab

Download Submit
memory/464-81-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/464-79-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/464-77-0x0000000000000000-mapping.dmp

Download
memory/632-71-0x0000000000000000-mapping.dmp

Download
memory/684-74-0x0000000000000000-mapping.dmp

Download
memory/812-68-0x000000000042F075-mapping.dmp

Download
memory/812-70-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/812-69-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download
memory/812-67-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1348-91-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1348-88-0x000000000042F075-mapping.dmp

Download
memory/1640-64-0x0000000007F90000-0x000000000800A000-memory.dmp

Filesize
488KB

Download
memory/1640-63-0x0000000007ED0000-0x0000000007F8F000-memory.dmp

Filesize
764KB

Download
memory/1640-59-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/1640-61-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/1640-62-0x0000000000580000-0x000000000059B000-memory.dmp

Filesize
108KB

Download
memory/1788-65-0x0000000000000000-mapping.dmp

Download
memory/1972-85-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads