remcos | e6e8bb23ac6b68e1d48dd81f6012451d62b292fda9140e6012fe9702ab283732

Analysis

max time kernel
149s
max time network
145s
platform
windows10_x64
resource
win10v20210408
submitted
22-09-2021 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
Size

1.1MB
MD5

8a13608bb749ecaead86683f640007ef
SHA1

c72f47b7a5c636b6ca58fbcf65a1d5bfeddada3d
SHA256

e6e8bb23ac6b68e1d48dd81f6012451d62b292fda9140e6012fe9702ab283732
SHA512

adefe0c05316a015d20c7aac8a394671b32c5b0f662103e74578a1149e1b053316a355c9999d5021802c6892d74d6072093979f0c7bd7592311dc3e94d9d1d9d

Score

10^/10

remcos remotehost persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Version

3.2.1 Pro

Botnet

RemoteHost

103.156.92.178:7006

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
windows.exe
copy_folder
task manager
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
AppData-XFQ8F4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Windows update
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 7 IoCs

Processes:

windows.exewindows.exewindows.exewindows.exewindows.exewindows.exewindows.exe

pid process

2872 windows.exe
1792 windows.exe
2640 windows.exe
1172 windows.exe
3828 windows.exe
2260 windows.exe
2540 windows.exe
Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

3580 WScript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3580	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

windows.exeAW QUOTE 21505 HQ1-Scan-068703_PDF.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows update = "\"C:\\Users\\Admin\\AppData\\Roaming\\task manager\\windows.exe\""	windows.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows update = "\"C:\\Users\\Admin\\AppData\\Roaming\\task manager\\windows.exe\""	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

AW QUOTE 21505 HQ1-Scan-068703_PDF.exewindows.exewindows.exe

description	pid	process	target process
PID 664 set thread context of 492	664	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
PID 2872 set thread context of 1172	2872	windows.exe	windows.exe
PID 1172 set thread context of 3828	1172	windows.exe	windows.exe
PID 1172 set thread context of 2260	1172	windows.exe	windows.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

AW QUOTE 21505 HQ1-Scan-068703_PDF.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

windows.exewindows.exewindows.exe

pid	process
2872	windows.exe
2872	windows.exe
2872	windows.exe
2872	windows.exe
3828	windows.exe
3828	windows.exe
2260	windows.exe
2260	windows.exe
3828	windows.exe
3828	windows.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

windows.exewindows.exe

description pid process

Token: SeDebugPrivilege 2872 windows.exe
Token: SeDebugPrivilege 2260 windows.exe

description	pid	process
Token: SeDebugPrivilege	2872	windows.exe
Token: SeDebugPrivilege	2260	windows.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

AW QUOTE 21505 HQ1-Scan-068703_PDF.exeAW QUOTE 21505 HQ1-Scan-068703_PDF.exeWScript.execmd.exewindows.exewindows.exe

description	pid	process	target process
PID 664 wrote to memory of 492	664	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
PID 664 wrote to memory of 492	664	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
PID 664 wrote to memory of 492	664	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
PID 664 wrote to memory of 492	664	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
PID 664 wrote to memory of 492	664	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
PID 664 wrote to memory of 492	664	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
PID 664 wrote to memory of 492	664	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
PID 664 wrote to memory of 492	664	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
PID 664 wrote to memory of 492	664	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
PID 664 wrote to memory of 492	664	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
PID 664 wrote to memory of 492	664	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
PID 664 wrote to memory of 492	664	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
PID 492 wrote to memory of 3580	492	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	WScript.exe
PID 492 wrote to memory of 3580	492	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	WScript.exe
PID 492 wrote to memory of 3580	492	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	WScript.exe
PID 3580 wrote to memory of 496	3580	WScript.exe	cmd.exe
PID 3580 wrote to memory of 496	3580	WScript.exe	cmd.exe
PID 3580 wrote to memory of 496	3580	WScript.exe	cmd.exe
PID 496 wrote to memory of 2872	496	cmd.exe	windows.exe
PID 496 wrote to memory of 2872	496	cmd.exe	windows.exe
PID 496 wrote to memory of 2872	496	cmd.exe	windows.exe
PID 2872 wrote to memory of 1792	2872	windows.exe	windows.exe
PID 2872 wrote to memory of 1792	2872	windows.exe	windows.exe
PID 2872 wrote to memory of 1792	2872	windows.exe	windows.exe
PID 2872 wrote to memory of 2640	2872	windows.exe	windows.exe
PID 2872 wrote to memory of 2640	2872	windows.exe	windows.exe
PID 2872 wrote to memory of 2640	2872	windows.exe	windows.exe
PID 2872 wrote to memory of 1172	2872	windows.exe	windows.exe
PID 2872 wrote to memory of 1172	2872	windows.exe	windows.exe
PID 2872 wrote to memory of 1172	2872	windows.exe	windows.exe
PID 2872 wrote to memory of 1172	2872	windows.exe	windows.exe
PID 2872 wrote to memory of 1172	2872	windows.exe	windows.exe
PID 2872 wrote to memory of 1172	2872	windows.exe	windows.exe
PID 2872 wrote to memory of 1172	2872	windows.exe	windows.exe
PID 2872 wrote to memory of 1172	2872	windows.exe	windows.exe
PID 2872 wrote to memory of 1172	2872	windows.exe	windows.exe
PID 2872 wrote to memory of 1172	2872	windows.exe	windows.exe
PID 2872 wrote to memory of 1172	2872	windows.exe	windows.exe
PID 2872 wrote to memory of 1172	2872	windows.exe	windows.exe
PID 1172 wrote to memory of 1304	1172	windows.exe	iexplore.exe
PID 1172 wrote to memory of 1304	1172	windows.exe	iexplore.exe
PID 1172 wrote to memory of 1104	1172	windows.exe	svchost.exe
PID 1172 wrote to memory of 1104	1172	windows.exe	svchost.exe
PID 1172 wrote to memory of 1104	1172	windows.exe	svchost.exe
PID 1172 wrote to memory of 3828	1172	windows.exe	windows.exe
PID 1172 wrote to memory of 3828	1172	windows.exe	windows.exe
PID 1172 wrote to memory of 3828	1172	windows.exe	windows.exe
PID 1172 wrote to memory of 3828	1172	windows.exe	windows.exe
PID 1172 wrote to memory of 3828	1172	windows.exe	windows.exe
PID 1172 wrote to memory of 3828	1172	windows.exe	windows.exe
PID 1172 wrote to memory of 3828	1172	windows.exe	windows.exe
PID 1172 wrote to memory of 3828	1172	windows.exe	windows.exe
PID 1172 wrote to memory of 2260	1172	windows.exe	windows.exe
PID 1172 wrote to memory of 2260	1172	windows.exe	windows.exe
PID 1172 wrote to memory of 2260	1172	windows.exe	windows.exe
PID 1172 wrote to memory of 2260	1172	windows.exe	windows.exe
PID 1172 wrote to memory of 2260	1172	windows.exe	windows.exe
PID 1172 wrote to memory of 2260	1172	windows.exe	windows.exe
PID 1172 wrote to memory of 2260	1172	windows.exe	windows.exe
PID 1172 wrote to memory of 2260	1172	windows.exe	windows.exe
PID 1172 wrote to memory of 2540	1172	windows.exe	windows.exe
PID 1172 wrote to memory of 2540	1172	windows.exe	windows.exe
PID 1172 wrote to memory of 2540	1172	windows.exe	windows.exe

C:\Users\Admin\AppData\Local\Temp\AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\AW QUOTE 21505 HQ1-Scan-068703_PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:664

C:\Users\Admin\AppData\Local\Temp\AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
"{path}"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:492

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\task manager\windows.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:496

C:\Users\Admin\AppData\Roaming\task manager\windows.exe
"C:\Users\Admin\AppData\Roaming\task manager\windows.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872

C:\Users\Admin\AppData\Roaming\task manager\windows.exe
"{path}"
6⤵
- Executes dropped EXE
PID:1792

C:\Users\Admin\AppData\Roaming\task manager\windows.exe
"{path}"
6⤵
- Executes dropped EXE
PID:2640

C:\Users\Admin\AppData\Roaming\task manager\windows.exe
"{path}"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1172

\??\c:\program files\internet explorer\iexplore.exe
"c:\program files\internet explorer\iexplore.exe"
7⤵
PID:1304

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:1104

C:\Users\Admin\AppData\Roaming\task manager\windows.exe
"C:\Users\Admin\AppData\Roaming\task manager\windows.exe" /stext "C:\Users\Admin\AppData\Local\Temp\yclybenhlsy"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3828

C:\Users\Admin\AppData\Roaming\task manager\windows.exe
"C:\Users\Admin\AppData\Roaming\task manager\windows.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ieqrboybhbqkll"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Users\Admin\AppData\Roaming\task manager\windows.exe
"C:\Users\Admin\AppData\Roaming\task manager\windows.exe" /stext "C:\Users\Admin\AppData\Local\Temp\syebuhjdvjipwzgevk"
7⤵
- Executes dropped EXE
PID:2540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
631dbf620f0baf84cb6f65188a82f684

SHA1
c19a72c768f5850df304f8f2c83e8fcb86e400e9

SHA256
52ae78f718ed72d0f4abb53023913f2ef6a89fc282d7efb93700723b8a62ee46

SHA512
c4f242cc1106bdf74a2f596dd36c4728c3bdb9e7352451c38e5d51a32c33a7b845e8bc49110ea15d8861e6c66cb79631276b40aaf41ee2e439c378ae88b6e69f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yclybenhlsy
MD5
97df504bfd2bd5a506e650b791508181

SHA1
fcbe623c69e21332ba3b657fb8e08f1a3136479d

SHA256
cac37437a8df8dec72c830a034dec8962357a5e41545c8cdd3e3529f3007fb6b

SHA512
63d93900a51ccdf51215c57527af84c0f79ffa82f1463c851e6d765f91c1a4be624190b335e46debc8a1c63bc06dec885207c92e4d44a815fdf0d42f8dd6fd81

Download Submit
C:\Users\Admin\AppData\Roaming\task manager\windows.exe
MD5
8a13608bb749ecaead86683f640007ef

SHA1
c72f47b7a5c636b6ca58fbcf65a1d5bfeddada3d

SHA256
e6e8bb23ac6b68e1d48dd81f6012451d62b292fda9140e6012fe9702ab283732

SHA512
adefe0c05316a015d20c7aac8a394671b32c5b0f662103e74578a1149e1b053316a355c9999d5021802c6892d74d6072093979f0c7bd7592311dc3e94d9d1d9d

Download Submit
C:\Users\Admin\AppData\Roaming\task manager\windows.exe
MD5
8a13608bb749ecaead86683f640007ef

SHA1
c72f47b7a5c636b6ca58fbcf65a1d5bfeddada3d

SHA256
e6e8bb23ac6b68e1d48dd81f6012451d62b292fda9140e6012fe9702ab283732

SHA512
adefe0c05316a015d20c7aac8a394671b32c5b0f662103e74578a1149e1b053316a355c9999d5021802c6892d74d6072093979f0c7bd7592311dc3e94d9d1d9d

Download Submit
C:\Users\Admin\AppData\Roaming\task manager\windows.exe
MD5
8a13608bb749ecaead86683f640007ef

SHA1
c72f47b7a5c636b6ca58fbcf65a1d5bfeddada3d

SHA256
e6e8bb23ac6b68e1d48dd81f6012451d62b292fda9140e6012fe9702ab283732

SHA512
adefe0c05316a015d20c7aac8a394671b32c5b0f662103e74578a1149e1b053316a355c9999d5021802c6892d74d6072093979f0c7bd7592311dc3e94d9d1d9d

Download Submit
C:\Users\Admin\AppData\Roaming\task manager\windows.exe
MD5
8a13608bb749ecaead86683f640007ef

SHA1
c72f47b7a5c636b6ca58fbcf65a1d5bfeddada3d

SHA256
e6e8bb23ac6b68e1d48dd81f6012451d62b292fda9140e6012fe9702ab283732

SHA512
adefe0c05316a015d20c7aac8a394671b32c5b0f662103e74578a1149e1b053316a355c9999d5021802c6892d74d6072093979f0c7bd7592311dc3e94d9d1d9d

Download Submit
C:\Users\Admin\AppData\Roaming\task manager\windows.exe
MD5
8a13608bb749ecaead86683f640007ef

SHA1
c72f47b7a5c636b6ca58fbcf65a1d5bfeddada3d

SHA256
e6e8bb23ac6b68e1d48dd81f6012451d62b292fda9140e6012fe9702ab283732

SHA512
adefe0c05316a015d20c7aac8a394671b32c5b0f662103e74578a1149e1b053316a355c9999d5021802c6892d74d6072093979f0c7bd7592311dc3e94d9d1d9d

Download Submit
C:\Users\Admin\AppData\Roaming\task manager\windows.exe
MD5
8a13608bb749ecaead86683f640007ef

SHA1
c72f47b7a5c636b6ca58fbcf65a1d5bfeddada3d

SHA256
e6e8bb23ac6b68e1d48dd81f6012451d62b292fda9140e6012fe9702ab283732

SHA512
adefe0c05316a015d20c7aac8a394671b32c5b0f662103e74578a1149e1b053316a355c9999d5021802c6892d74d6072093979f0c7bd7592311dc3e94d9d1d9d

Download Submit
C:\Users\Admin\AppData\Roaming\task manager\windows.exe
MD5
8a13608bb749ecaead86683f640007ef

SHA1
c72f47b7a5c636b6ca58fbcf65a1d5bfeddada3d

SHA256
e6e8bb23ac6b68e1d48dd81f6012451d62b292fda9140e6012fe9702ab283732

SHA512
adefe0c05316a015d20c7aac8a394671b32c5b0f662103e74578a1149e1b053316a355c9999d5021802c6892d74d6072093979f0c7bd7592311dc3e94d9d1d9d

Download Submit
C:\Users\Admin\AppData\Roaming\task manager\windows.exe
MD5
8a13608bb749ecaead86683f640007ef

SHA1
c72f47b7a5c636b6ca58fbcf65a1d5bfeddada3d

SHA256
e6e8bb23ac6b68e1d48dd81f6012451d62b292fda9140e6012fe9702ab283732

SHA512
adefe0c05316a015d20c7aac8a394671b32c5b0f662103e74578a1149e1b053316a355c9999d5021802c6892d74d6072093979f0c7bd7592311dc3e94d9d1d9d

Download Submit
memory/492-126-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/492-127-0x000000000042F71D-mapping.dmp

Download
memory/492-128-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/496-131-0x0000000000000000-mapping.dmp

Download
memory/664-124-0x0000000008FC0000-0x0000000009078000-memory.dmp

Filesize
736KB

Download
memory/664-119-0x0000000002CA0000-0x0000000002D3C000-memory.dmp

Filesize
624KB

Download
memory/664-125-0x0000000009080000-0x00000000090F5000-memory.dmp

Filesize
468KB

Download
memory/664-116-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/664-114-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/664-123-0x000000007ECD0000-0x000000007ECD1000-memory.dmp

Filesize
4KB

Download
memory/664-117-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/664-118-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/664-122-0x0000000008A60000-0x0000000008A6E000-memory.dmp

Filesize
56KB

Download
memory/664-121-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/664-120-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/1172-150-0x000000000042F71D-mapping.dmp

Download
memory/1172-152-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2260-156-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2260-157-0x0000000000422206-mapping.dmp

Download
memory/2260-161-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2872-144-0x000000007E560000-0x000000007E561000-memory.dmp

Filesize
4KB

Download
memory/2872-142-0x0000000004900000-0x000000000499C000-memory.dmp

Filesize
624KB

Download
memory/2872-132-0x0000000000000000-mapping.dmp

Download
memory/3580-129-0x0000000000000000-mapping.dmp

Download
memory/3828-153-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3828-154-0x0000000000476274-mapping.dmp

Download
memory/3828-160-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

pid	process
2872	windows.exe
1792	windows.exe
2640	windows.exe
1172	windows.exe
3828	windows.exe
2260	windows.exe
2540	windows.exe