remcos | 58cdfe26cdb404c5dc2eef57366c8d0d10e4b2176d3a1973115b78c9981081bf

Analysis

max time kernel
299s
max time network
302s
platform
windows10_x64
resource
win10-en-20211014
submitted
30-10-2021 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PRODUCT ENQUIRY #20211030.exe
Size

1.6MB
MD5

d4ab0233615eac735996a239124e9dbe
SHA1

eae1a6445bd76e829261323fb1718fa7402f0a7c
SHA256

396cf088fe2062cc9b2d2ae6d33ff965264bb9828fbde907bcaff37e5bfde6b9
SHA512

446e601c3a4fcaf072bef519cd4039781418dcf98dc1b503e805aadf2a0c33d2fa18535dce1031e43b3c1effc0bcb2db643ad600accd2eac289ff1c0d57de062

Score

10^/10

remcos tmt stub agilenet persistence rat

Malware Config

Extracted

Family

remcos

Version

3.3.0 Pro

Botnet

TMT stub

185.140.53.178:2404

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-9B7MHK
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\MAINPROC.exe,"	reg.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 4 IoCs

Processes:

MAINPROC.exeMAINPROC.exeSMSS.exeSMSS.exe

pid process

4360 MAINPROC.exe
1732 MAINPROC.exe
2056 SMSS.exe
2764 SMSS.exe

pid	process
4360	MAINPROC.exe
1732	MAINPROC.exe
2056	SMSS.exe
2764	SMSS.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/4388-122-0x0000000006900000-0x0000000006921000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

Processes:

MAINPROC.exe

description pid process target process

PID 4360 set thread context of 1732 4360 MAINPROC.exe MAINPROC.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 4360 set thread context of 1732	4360	MAINPROC.exe	MAINPROC.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

PRODUCT ENQUIRY #20211030.exeMAINPROC.exeSMSS.exeSMSS.exe

pid	process
4388	PRODUCT ENQUIRY #20211030.exe
4388	PRODUCT ENQUIRY #20211030.exe
4388	PRODUCT ENQUIRY #20211030.exe
4388	PRODUCT ENQUIRY #20211030.exe
4388	PRODUCT ENQUIRY #20211030.exe
4388	PRODUCT ENQUIRY #20211030.exe
4388	PRODUCT ENQUIRY #20211030.exe
4388	PRODUCT ENQUIRY #20211030.exe
4388	PRODUCT ENQUIRY #20211030.exe
4388	PRODUCT ENQUIRY #20211030.exe
4388	PRODUCT ENQUIRY #20211030.exe
4388	PRODUCT ENQUIRY #20211030.exe
4388	PRODUCT ENQUIRY #20211030.exe
4388	PRODUCT ENQUIRY #20211030.exe
4388	PRODUCT ENQUIRY #20211030.exe
4360	MAINPROC.exe
4360	MAINPROC.exe
4360	MAINPROC.exe
4360	MAINPROC.exe
2056	SMSS.exe
2764	SMSS.exe
2764	SMSS.exe
2764	SMSS.exe
4360	MAINPROC.exe
4360	MAINPROC.exe
4360	MAINPROC.exe
4360	MAINPROC.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

PRODUCT ENQUIRY #20211030.exeMAINPROC.exeSMSS.exeSMSS.exe

description	pid	process
Token: SeDebugPrivilege	4388	PRODUCT ENQUIRY #20211030.exe
Token: SeDebugPrivilege	4360	MAINPROC.exe
Token: SeDebugPrivilege	2056	SMSS.exe
Token: SeDebugPrivilege	2764	SMSS.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

PRODUCT ENQUIRY #20211030.execmd.exeMAINPROC.exeSMSS.exe

description	pid	process	target process
PID 4388 wrote to memory of 4444	4388	PRODUCT ENQUIRY #20211030.exe	cmd.exe
PID 4388 wrote to memory of 4444	4388	PRODUCT ENQUIRY #20211030.exe	cmd.exe
PID 4388 wrote to memory of 4444	4388	PRODUCT ENQUIRY #20211030.exe	cmd.exe
PID 4444 wrote to memory of 4436	4444	cmd.exe	reg.exe
PID 4444 wrote to memory of 4436	4444	cmd.exe	reg.exe
PID 4444 wrote to memory of 4436	4444	cmd.exe	reg.exe
PID 4388 wrote to memory of 4360	4388	PRODUCT ENQUIRY #20211030.exe	MAINPROC.exe
PID 4388 wrote to memory of 4360	4388	PRODUCT ENQUIRY #20211030.exe	MAINPROC.exe
PID 4388 wrote to memory of 4360	4388	PRODUCT ENQUIRY #20211030.exe	MAINPROC.exe
PID 4360 wrote to memory of 1732	4360	MAINPROC.exe	MAINPROC.exe
PID 4360 wrote to memory of 1732	4360	MAINPROC.exe	MAINPROC.exe
PID 4360 wrote to memory of 1732	4360	MAINPROC.exe	MAINPROC.exe
PID 4360 wrote to memory of 1732	4360	MAINPROC.exe	MAINPROC.exe
PID 4360 wrote to memory of 1732	4360	MAINPROC.exe	MAINPROC.exe
PID 4360 wrote to memory of 1732	4360	MAINPROC.exe	MAINPROC.exe
PID 4360 wrote to memory of 1732	4360	MAINPROC.exe	MAINPROC.exe
PID 4360 wrote to memory of 1732	4360	MAINPROC.exe	MAINPROC.exe
PID 4360 wrote to memory of 1732	4360	MAINPROC.exe	MAINPROC.exe
PID 4360 wrote to memory of 1732	4360	MAINPROC.exe	MAINPROC.exe
PID 4360 wrote to memory of 1732	4360	MAINPROC.exe	MAINPROC.exe
PID 4360 wrote to memory of 1732	4360	MAINPROC.exe	MAINPROC.exe
PID 4360 wrote to memory of 2056	4360	MAINPROC.exe	SMSS.exe
PID 4360 wrote to memory of 2056	4360	MAINPROC.exe	SMSS.exe
PID 4360 wrote to memory of 2056	4360	MAINPROC.exe	SMSS.exe
PID 2056 wrote to memory of 2764	2056	SMSS.exe	SMSS.exe
PID 2056 wrote to memory of 2764	2056	SMSS.exe	SMSS.exe
PID 2056 wrote to memory of 2764	2056	SMSS.exe	SMSS.exe

C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY #20211030.exe
"C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY #20211030.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"
2⤵
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"
3⤵
- Modifies WinLogon for persistence
PID:4436

C:\Users\Admin\AppData\Roaming\MAINPROC.exe
"C:\Users\Admin\AppData\Roaming\MAINPROC.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4360

C:\Users\Admin\AppData\Roaming\MAINPROC.exe
"C:\Users\Admin\AppData\Roaming\MAINPROC.exe"
3⤵
- Executes dropped EXE
PID:1732

C:\Users\Admin\AppData\Local\Temp\SMSS.exe
"C:\Users\Admin\AppData\Local\Temp\SMSS.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056

C:\Users\Admin\AppData\Local\Temp\SMSS.exe
"C:\Users\Admin\AppData\Local\Temp\SMSS.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SMSS.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMSS.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMSS.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMSS.txt
MD5
2cc01c6c43c8be64782188dbdf80db9f

SHA1
fddff8acdfe4d4c9e38caa2ebe8b4614e73257fc

SHA256
db4a8da7ba601edf9201cf3659a2292edbaa48ae7436fa20716f07b409667d84

SHA512
bd23aa6267bd95899c22f3feb650053e1d0f4678023e6235f6717ed7ac5d4bfbb752b87b659cfdcac037e572ed3fff15682ce4dd2119192b9ee8118bb7d494df

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMSS.txt
MD5
758b7631385bd96fbc2213656fb92f2d

SHA1
d54e3eace7d6392929b3a3070b29058b24c9e9a1

SHA256
723a564b48d90c9931161e44d56b9e2102f88b7299cda66d0abfe8798d6d6909

SHA512
c6c221eb7d05c0e692e77b1e88ca8ba40b194292037ac0a9ac8a30dc1651ab596cb6fe37cb5b8b087da093a9eca9aa196150c62465c56edb3076ee18413a10a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMSS.txt
MD5
f9ad8270c8a348da7c35d81709bf811e

SHA1
9fef1c8bdabf9b36b530f16f1a04e57c7b38d14f

SHA256
57e652bcdc6aa0fa6faab7b6ca66c13b504234e533a8a4c0c67ddf29d5c5e27f

SHA512
b6ca32a956b1c8999b4a2fa22f6ccf462b28c63c258a4b5ca3903e8f069cc3645d775243822ce73b8c78effbfefd5a609873e940c37176e6a91c45b3df5e5416

Download Submit
C:\Users\Admin\AppData\Roaming\MAINPROC.exe
MD5
d4ab0233615eac735996a239124e9dbe

SHA1
eae1a6445bd76e829261323fb1718fa7402f0a7c

SHA256
396cf088fe2062cc9b2d2ae6d33ff965264bb9828fbde907bcaff37e5bfde6b9

SHA512
446e601c3a4fcaf072bef519cd4039781418dcf98dc1b503e805aadf2a0c33d2fa18535dce1031e43b3c1effc0bcb2db643ad600accd2eac289ff1c0d57de062

Download Submit
C:\Users\Admin\AppData\Roaming\MAINPROC.exe
MD5
d4ab0233615eac735996a239124e9dbe

SHA1
eae1a6445bd76e829261323fb1718fa7402f0a7c

SHA256
396cf088fe2062cc9b2d2ae6d33ff965264bb9828fbde907bcaff37e5bfde6b9

SHA512
446e601c3a4fcaf072bef519cd4039781418dcf98dc1b503e805aadf2a0c33d2fa18535dce1031e43b3c1effc0bcb2db643ad600accd2eac289ff1c0d57de062

Download Submit
C:\Users\Admin\AppData\Roaming\MAINPROC.exe
MD5
d4ab0233615eac735996a239124e9dbe

SHA1
eae1a6445bd76e829261323fb1718fa7402f0a7c

SHA256
396cf088fe2062cc9b2d2ae6d33ff965264bb9828fbde907bcaff37e5bfde6b9

SHA512
446e601c3a4fcaf072bef519cd4039781418dcf98dc1b503e805aadf2a0c33d2fa18535dce1031e43b3c1effc0bcb2db643ad600accd2eac289ff1c0d57de062

Download Submit
memory/1732-144-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1732-147-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1732-145-0x000000000042FC39-mapping.dmp

Download
memory/2056-151-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2056-148-0x0000000000000000-mapping.dmp

Download
memory/2764-155-0x0000000000000000-mapping.dmp

Download
memory/4360-141-0x0000000005BD1000-0x0000000005BD2000-memory.dmp

Filesize
4KB

Download
memory/4360-128-0x0000000000000000-mapping.dmp

Download
memory/4360-142-0x0000000007480000-0x000000000748B000-memory.dmp

Filesize
44KB

Download
memory/4360-143-0x0000000009AA0000-0x0000000009AA1000-memory.dmp

Filesize
4KB

Download
memory/4360-140-0x0000000005BD0000-0x0000000005BD1000-memory.dmp

Filesize
4KB

Download
memory/4388-124-0x0000000006990000-0x0000000006991000-memory.dmp

Filesize
4KB

Download
memory/4388-127-0x0000000005D91000-0x0000000005D92000-memory.dmp

Filesize
4KB

Download
memory/4388-115-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/4388-123-0x00000000069C0000-0x00000000069C1000-memory.dmp

Filesize
4KB

Download
memory/4388-122-0x0000000006900000-0x0000000006921000-memory.dmp

Filesize
132KB

Download
memory/4388-121-0x0000000005D90000-0x0000000005D91000-memory.dmp

Filesize
4KB

Download
memory/4388-120-0x0000000005C90000-0x0000000005C91000-memory.dmp

Filesize
4KB

Download
memory/4388-119-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/4388-118-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/4388-117-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/4436-126-0x0000000000000000-mapping.dmp

Download
memory/4444-125-0x0000000000000000-mapping.dmp

Download