remcos | 87c3d0e1727010e32ebc927d61ae6f4b0df6031af616a56a459899478e719c15

General

Target

fb.exe
Size

1.1MB
MD5

4501de26ee17fce29827b6770c136a99
SHA1

b216aa4742e7a7705d8a217e25627f2ced78b48d
SHA256

87c3d0e1727010e32ebc927d61ae6f4b0df6031af616a56a459899478e719c15
SHA512

e884d435c72899bf91a55533f6502faffb5a450c3ae695d08fd182cdfc0b90624595852aae1848abe06ed13f5943a9f5cf50d935972aad3ee0884cbc58fbbbfd

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Version

3.1.4 Pro

Botnet

RemoteHost

C2

7980.duckdns.org:7980

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-CZYR8X
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 2 IoCs

Processes:

fb.exefb.exe

description pid process target process

PID 1652 set thread context of 1860 1652 fb.exe fb.exe
PID 1860 set thread context of 1508 1860 fb.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1692 schtasks.exe

description	pid	process	target process
PID 1652 set thread context of 1860	1652	fb.exe	fb.exe
PID 1860 set thread context of 1508	1860	fb.exe	iexplore.exe

pid	process
1692	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "339862284"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0D517731-22C1-11EC-BC8F-F6C7ED530D52} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0ef16e7cdb6d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f4b64ee93fa5144fb07ff7aa2e429a120000000002000000000010660000000100002000000008af3c13111409b543ecc50cdb1b41e894612898c48546ddc9e31a7af34bc9a3000000000e8000000002000020000000b92aea9f608a447c838438e314fee390e61ab409dd5d6d3ae609d41467072b2f900000009c320f25af1d7fa9731d88766aea5e8b2606b9ff411f21e3d6db0dd86cc3c28ccff54c726bce4499297422d9c6b277c19a830444aaad9541c4d375d65a3de5a8cb49c1b26f384d9283ab87dd1fcccc56de1001e45e1732f6f51075a1f73e183ec307ec674c1ccea4acd5de0811cb2eac5bae270e97c8ed1f7ca3c5af39a7da1b93c19db8064b1148da013f392d6c495e400000009475e9e33e4b2293a95221c4c432b75591b557adb4128c2490c5101d9eec54c12876daffdc7464b8b3ed95b4a186d5d5b06ff28298507c8b18113e3de1e6809b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f4b64ee93fa5144fb07ff7aa2e429a12000000000200000000001066000000010000200000004c4eac390a9a28fbbf8de17c67032f0b05f57318f0f7cc9d6729a651ef4570a0000000000e800000000200002000000020c671a479c7f656bf2124c0b3c1865e0b116a5ed7ec79d2235f481fe1a7634e200000003e5f75787d410ab7a430cbe59767ce4e85f5bdf9479c9354a54e373fc7c2641140000000aa82cd2f8a5b7796ae6e308a7fc99b7dab1b84574aa99518a6d2468255523a1d7f700bcc83a168d46b690d82eee14373bb436bd4a4cb34253d68618fd2e66891	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

fb.exe

pid process

1652 fb.exe
1652 fb.exe
1652 fb.exe
1652 fb.exe
1652 fb.exe
1652 fb.exe
1652 fb.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fb.exe

description pid process

Token: SeDebugPrivilege 1652 fb.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1544 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1544 iexplore.exe
1544 iexplore.exe
1156 IEXPLORE.EXE
1156 IEXPLORE.EXE
1156 IEXPLORE.EXE
1156 IEXPLORE.EXE

pid	process
1652	fb.exe
1652	fb.exe
1652	fb.exe
1652	fb.exe
1652	fb.exe
1652	fb.exe
1652	fb.exe

description	pid	process
Token: SeDebugPrivilege	1652	fb.exe

pid	process
1544	iexplore.exe

pid	process
1544	iexplore.exe
1544	iexplore.exe
1156	IEXPLORE.EXE
1156	IEXPLORE.EXE
1156	IEXPLORE.EXE
1156	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

fb.exefb.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 1652 wrote to memory of 1692	1652	fb.exe	schtasks.exe
PID 1652 wrote to memory of 1692	1652	fb.exe	schtasks.exe
PID 1652 wrote to memory of 1692	1652	fb.exe	schtasks.exe
PID 1652 wrote to memory of 1692	1652	fb.exe	schtasks.exe
PID 1652 wrote to memory of 1860	1652	fb.exe	fb.exe
PID 1652 wrote to memory of 1860	1652	fb.exe	fb.exe
PID 1652 wrote to memory of 1860	1652	fb.exe	fb.exe
PID 1652 wrote to memory of 1860	1652	fb.exe	fb.exe
PID 1652 wrote to memory of 1860	1652	fb.exe	fb.exe
PID 1652 wrote to memory of 1860	1652	fb.exe	fb.exe
PID 1652 wrote to memory of 1860	1652	fb.exe	fb.exe
PID 1652 wrote to memory of 1860	1652	fb.exe	fb.exe
PID 1652 wrote to memory of 1860	1652	fb.exe	fb.exe
PID 1652 wrote to memory of 1860	1652	fb.exe	fb.exe
PID 1652 wrote to memory of 1860	1652	fb.exe	fb.exe
PID 1652 wrote to memory of 1860	1652	fb.exe	fb.exe
PID 1652 wrote to memory of 1860	1652	fb.exe	fb.exe
PID 1860 wrote to memory of 1508	1860	fb.exe	iexplore.exe
PID 1860 wrote to memory of 1508	1860	fb.exe	iexplore.exe
PID 1860 wrote to memory of 1508	1860	fb.exe	iexplore.exe
PID 1860 wrote to memory of 1508	1860	fb.exe	iexplore.exe
PID 1860 wrote to memory of 1508	1860	fb.exe	iexplore.exe
PID 1860 wrote to memory of 1508	1860	fb.exe	iexplore.exe
PID 1860 wrote to memory of 1508	1860	fb.exe	iexplore.exe
PID 1860 wrote to memory of 1508	1860	fb.exe	iexplore.exe
PID 1860 wrote to memory of 1508	1860	fb.exe	iexplore.exe
PID 1508 wrote to memory of 1544	1508	iexplore.exe	iexplore.exe
PID 1508 wrote to memory of 1544	1508	iexplore.exe	iexplore.exe
PID 1508 wrote to memory of 1544	1508	iexplore.exe	iexplore.exe
PID 1508 wrote to memory of 1544	1508	iexplore.exe	iexplore.exe
PID 1544 wrote to memory of 1156	1544	iexplore.exe	IEXPLORE.EXE
PID 1544 wrote to memory of 1156	1544	iexplore.exe	IEXPLORE.EXE
PID 1544 wrote to memory of 1156	1544	iexplore.exe	IEXPLORE.EXE
PID 1544 wrote to memory of 1156	1544	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\fb.exe
"C:\Users\Admin\AppData\Local\Temp\fb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgCgqUjvjHnPfq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA5CF.tmp"
2⤵
- Creates scheduled task(s)
PID:1692

C:\Users\Admin\AppData\Local\Temp\fb.exe
"C:\Users\Admin\AppData\Local\Temp\fb.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1860

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1544

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1544 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
ab5c36d10261c173c5896f3478cdc6b7

SHA1
87ac53810ad125663519e944bc87ded3979cbee4

SHA256
f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

SHA512
e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
5178c0ca723052bd13a581956c3a1f4a

SHA1
0779bf721e47bb6e8a2c4f181a7b2969af635e61

SHA256
f78cbc84730fb5b84c715d0e0172510597cbc6327cb2a54ee4e4d506c3a6b7e0

SHA512
8f228696ca4d96af52242d90f6a3dbcb1af71eed9d1381e8ab323b97b1766a9e66e8ec8bf0c0fe22fcc25bf480daadd6df5bee7575fc30b1dc98c4fff2f6e4fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\bq3gxmw\imagestore.dat
MD5
66423caba0389996ec469cdc6b210efe

SHA1
e59d32bb2f8d1ad2a141ce86f7e8289ab500b63f

SHA256
44226b785e78b6683e9cd2545bf3b6355abe33d0f7b44b0ab5d87a1af54caf9a

SHA512
081888c33f6b63d1f5465581c8559d3657c1ee1db7a3d09360957920e7f74723193d392ca0f0edc0e57e1067256f1abec5ce312a8a836b49d38406a98ec50184

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ABR1CNGF.txt
MD5
4dec40f3e9454d826f0dd776489dae54

SHA1
0daafd917091b1555ffbc5c0add60c95d175ed9c

SHA256
e2aa7457e46d31c9ad7c922963b5493db7ba9f56ff9d8f8d5faef644c6b4deb1

SHA512
1264f7d9892134e0d3fa546a5a747cf1ce4129d65b0fd635f096428ea4adb7fbc6fbe22bef003684c7dc3d28fef4ae2841a65daad2b5b64c81d96aef2cf2eb83

Download Submit
memory/1156-76-0x0000000000000000-mapping.dmp

Download
memory/1508-70-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1508-71-0x00000000004F434E-mapping.dmp

Download
memory/1544-75-0x000007FEFBED1000-0x000007FEFBED3000-memory.dmp

Filesize
8KB

Download
memory/1544-74-0x0000000000000000-mapping.dmp

Download
memory/1652-65-0x0000000005DA0000-0x0000000005E18000-memory.dmp

Filesize
480KB

Download
memory/1652-60-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/1652-64-0x0000000007F60000-0x0000000008008000-memory.dmp

Filesize
672KB

Download
memory/1652-63-0x0000000000330000-0x0000000000337000-memory.dmp

Filesize
28KB

Download
memory/1652-62-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/1692-66-0x0000000000000000-mapping.dmp

Download
memory/1860-69-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download
memory/1860-72-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1860-68-0x000000000042EEEF-mapping.dmp

Download
memory/1860-67-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads