remcos | 58cdfe26cdb404c5dc2eef57366c8d0d10e4b2176d3a1973115b78c9981081bf

Analysis

max time kernel
300s
max time network
302s
platform
windows7_x64
resource
win7-en-20210920
submitted
30-10-2021 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PRODUCT ENQUIRY #20211030.exe
Size

1.6MB
MD5

d4ab0233615eac735996a239124e9dbe
SHA1

eae1a6445bd76e829261323fb1718fa7402f0a7c
SHA256

396cf088fe2062cc9b2d2ae6d33ff965264bb9828fbde907bcaff37e5bfde6b9
SHA512

446e601c3a4fcaf072bef519cd4039781418dcf98dc1b503e805aadf2a0c33d2fa18535dce1031e43b3c1effc0bcb2db643ad600accd2eac289ff1c0d57de062

Score

10^/10

remcos tmt stub agilenet persistence rat

Malware Config

Extracted

Family

remcos

Version

3.3.0 Pro

Botnet

TMT stub

185.140.53.178:2404

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-9B7MHK
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\MAINPROC.exe,"	reg.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 4 IoCs

Processes:

MAINPROC.exeMAINPROC.exeSMSS.exeSMSS.exe

pid process

1816 MAINPROC.exe
972 MAINPROC.exe
1436 SMSS.exe
900 SMSS.exe
Loads dropped DLL 3 IoCs

Processes:

PRODUCT ENQUIRY #20211030.exeMAINPROC.exeSMSS.exe

pid process

960 PRODUCT ENQUIRY #20211030.exe
1816 MAINPROC.exe
1436 SMSS.exe

pid	process
1816	MAINPROC.exe
972	MAINPROC.exe
1436	SMSS.exe
900	SMSS.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/960-57-0x00000000020A0000-0x00000000020C1000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

Processes:

MAINPROC.exe

description pid process target process

PID 1816 set thread context of 972 1816 MAINPROC.exe MAINPROC.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1816 set thread context of 972	1816	MAINPROC.exe	MAINPROC.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

PRODUCT ENQUIRY #20211030.exeMAINPROC.exeSMSS.exeSMSS.exe

pid	process
960	PRODUCT ENQUIRY #20211030.exe
960	PRODUCT ENQUIRY #20211030.exe
960	PRODUCT ENQUIRY #20211030.exe
1816	MAINPROC.exe
1816	MAINPROC.exe
1816	MAINPROC.exe
1436	SMSS.exe
900	SMSS.exe
900	SMSS.exe
900	SMSS.exe
1816	MAINPROC.exe
1816	MAINPROC.exe
1816	MAINPROC.exe
1816	MAINPROC.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

PRODUCT ENQUIRY #20211030.exeMAINPROC.exeSMSS.exeSMSS.exe

description	pid	process
Token: SeDebugPrivilege	960	PRODUCT ENQUIRY #20211030.exe
Token: SeDebugPrivilege	1816	MAINPROC.exe
Token: SeDebugPrivilege	1436	SMSS.exe
Token: SeDebugPrivilege	900	SMSS.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

PRODUCT ENQUIRY #20211030.execmd.exeMAINPROC.exeSMSS.exe

description	pid	process	target process
PID 960 wrote to memory of 816	960	PRODUCT ENQUIRY #20211030.exe	cmd.exe
PID 960 wrote to memory of 816	960	PRODUCT ENQUIRY #20211030.exe	cmd.exe
PID 960 wrote to memory of 816	960	PRODUCT ENQUIRY #20211030.exe	cmd.exe
PID 960 wrote to memory of 816	960	PRODUCT ENQUIRY #20211030.exe	cmd.exe
PID 816 wrote to memory of 676	816	cmd.exe	reg.exe
PID 816 wrote to memory of 676	816	cmd.exe	reg.exe
PID 816 wrote to memory of 676	816	cmd.exe	reg.exe
PID 816 wrote to memory of 676	816	cmd.exe	reg.exe
PID 960 wrote to memory of 1816	960	PRODUCT ENQUIRY #20211030.exe	MAINPROC.exe
PID 960 wrote to memory of 1816	960	PRODUCT ENQUIRY #20211030.exe	MAINPROC.exe
PID 960 wrote to memory of 1816	960	PRODUCT ENQUIRY #20211030.exe	MAINPROC.exe
PID 960 wrote to memory of 1816	960	PRODUCT ENQUIRY #20211030.exe	MAINPROC.exe
PID 1816 wrote to memory of 972	1816	MAINPROC.exe	MAINPROC.exe
PID 1816 wrote to memory of 972	1816	MAINPROC.exe	MAINPROC.exe
PID 1816 wrote to memory of 972	1816	MAINPROC.exe	MAINPROC.exe
PID 1816 wrote to memory of 972	1816	MAINPROC.exe	MAINPROC.exe
PID 1816 wrote to memory of 972	1816	MAINPROC.exe	MAINPROC.exe
PID 1816 wrote to memory of 972	1816	MAINPROC.exe	MAINPROC.exe
PID 1816 wrote to memory of 972	1816	MAINPROC.exe	MAINPROC.exe
PID 1816 wrote to memory of 972	1816	MAINPROC.exe	MAINPROC.exe
PID 1816 wrote to memory of 972	1816	MAINPROC.exe	MAINPROC.exe
PID 1816 wrote to memory of 972	1816	MAINPROC.exe	MAINPROC.exe
PID 1816 wrote to memory of 972	1816	MAINPROC.exe	MAINPROC.exe
PID 1816 wrote to memory of 972	1816	MAINPROC.exe	MAINPROC.exe
PID 1816 wrote to memory of 972	1816	MAINPROC.exe	MAINPROC.exe
PID 1816 wrote to memory of 1436	1816	MAINPROC.exe	SMSS.exe
PID 1816 wrote to memory of 1436	1816	MAINPROC.exe	SMSS.exe
PID 1816 wrote to memory of 1436	1816	MAINPROC.exe	SMSS.exe
PID 1816 wrote to memory of 1436	1816	MAINPROC.exe	SMSS.exe
PID 1436 wrote to memory of 900	1436	SMSS.exe	SMSS.exe
PID 1436 wrote to memory of 900	1436	SMSS.exe	SMSS.exe
PID 1436 wrote to memory of 900	1436	SMSS.exe	SMSS.exe
PID 1436 wrote to memory of 900	1436	SMSS.exe	SMSS.exe

C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY #20211030.exe
"C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY #20211030.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"
2⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"
3⤵
- Modifies WinLogon for persistence
PID:676

C:\Users\Admin\AppData\Roaming\MAINPROC.exe
"C:\Users\Admin\AppData\Roaming\MAINPROC.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Roaming\MAINPROC.exe
"C:\Users\Admin\AppData\Roaming\MAINPROC.exe"
3⤵
- Executes dropped EXE
PID:972

C:\Users\Admin\AppData\Local\Temp\SMSS.exe
"C:\Users\Admin\AppData\Local\Temp\SMSS.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Local\Temp\SMSS.exe
"C:\Users\Admin\AppData\Local\Temp\SMSS.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SMSS.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMSS.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMSS.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMSS.txt
MD5
1b5d3a910873ef9e6177aa5154ae2778

SHA1
a2faabcdd9e4476f5b38ca53bf629114bff2e85f

SHA256
7fdc9a77a4569e4af83ef4b33a5c73d9c55ee445785cdd7904a7ac6c8138a967

SHA512
81ddb517292caa5b2bfd44366ea37900c6ff776a1c875ad405d7bd2a29f8ec1e1505afb23546d6e7e2f94f6fbb6e1dc9a01a70665d89bffb99c4d3f65313289e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMSS.txt
MD5
e47a228c7ebbb7290eecad3cffaa85fc

SHA1
2df385d0fa9c37c898aab965bd0be90239d14a29

SHA256
4e2ca9ce7dc3b1051225cbed0db1032aa3f3eef09450a11a01015d9d1a834eaf

SHA512
f6da5efe5c7b7d544fbb52116d86fb5e1e4983bfbf42558209f8c75584dfc8b128c8d75fd9228e8edd93158533d478c2cb9ed288a2aed0d373d62402abe4add8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMSS.txt
MD5
e47a228c7ebbb7290eecad3cffaa85fc

SHA1
2df385d0fa9c37c898aab965bd0be90239d14a29

SHA256
4e2ca9ce7dc3b1051225cbed0db1032aa3f3eef09450a11a01015d9d1a834eaf

SHA512
f6da5efe5c7b7d544fbb52116d86fb5e1e4983bfbf42558209f8c75584dfc8b128c8d75fd9228e8edd93158533d478c2cb9ed288a2aed0d373d62402abe4add8

Download Submit
C:\Users\Admin\AppData\Roaming\MAINPROC.exe
MD5
d4ab0233615eac735996a239124e9dbe

SHA1
eae1a6445bd76e829261323fb1718fa7402f0a7c

SHA256
396cf088fe2062cc9b2d2ae6d33ff965264bb9828fbde907bcaff37e5bfde6b9

SHA512
446e601c3a4fcaf072bef519cd4039781418dcf98dc1b503e805aadf2a0c33d2fa18535dce1031e43b3c1effc0bcb2db643ad600accd2eac289ff1c0d57de062

Download Submit
C:\Users\Admin\AppData\Roaming\MAINPROC.exe
MD5
d4ab0233615eac735996a239124e9dbe

SHA1
eae1a6445bd76e829261323fb1718fa7402f0a7c

SHA256
396cf088fe2062cc9b2d2ae6d33ff965264bb9828fbde907bcaff37e5bfde6b9

SHA512
446e601c3a4fcaf072bef519cd4039781418dcf98dc1b503e805aadf2a0c33d2fa18535dce1031e43b3c1effc0bcb2db643ad600accd2eac289ff1c0d57de062

Download Submit
C:\Users\Admin\AppData\Roaming\MAINPROC.exe
MD5
d4ab0233615eac735996a239124e9dbe

SHA1
eae1a6445bd76e829261323fb1718fa7402f0a7c

SHA256
396cf088fe2062cc9b2d2ae6d33ff965264bb9828fbde907bcaff37e5bfde6b9

SHA512
446e601c3a4fcaf072bef519cd4039781418dcf98dc1b503e805aadf2a0c33d2fa18535dce1031e43b3c1effc0bcb2db643ad600accd2eac289ff1c0d57de062

Download Submit
\Users\Admin\AppData\Local\Temp\SMSS.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Local\Temp\SMSS.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Roaming\MAINPROC.exe
MD5
d4ab0233615eac735996a239124e9dbe

SHA1
eae1a6445bd76e829261323fb1718fa7402f0a7c

SHA256
396cf088fe2062cc9b2d2ae6d33ff965264bb9828fbde907bcaff37e5bfde6b9

SHA512
446e601c3a4fcaf072bef519cd4039781418dcf98dc1b503e805aadf2a0c33d2fa18535dce1031e43b3c1effc0bcb2db643ad600accd2eac289ff1c0d57de062

Download Submit
memory/676-60-0x0000000000000000-mapping.dmp

Download
memory/816-59-0x0000000000000000-mapping.dmp

Download
memory/900-92-0x0000000000000000-mapping.dmp

Download
memory/960-56-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/960-57-0x00000000020A0000-0x00000000020C1000-memory.dmp

Filesize
132KB

Download
memory/960-58-0x0000000004A11000-0x0000000004A12000-memory.dmp

Filesize
4KB

Download
memory/960-54-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/972-77-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/972-76-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/972-78-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/972-79-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/972-80-0x000000000042FC39-mapping.dmp

Download
memory/972-75-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/972-82-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/972-83-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/972-74-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/972-73-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/972-72-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/972-71-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1436-88-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/1436-85-0x0000000000000000-mapping.dmp

Download
memory/1816-65-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/1816-62-0x0000000000000000-mapping.dmp

Download
memory/1816-70-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/1816-69-0x0000000000A30000-0x0000000000A3B000-memory.dmp

Filesize
44KB

Download
memory/1816-67-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download