remcos | 4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81

General

Target

a603a8a69bbcd08f4899a605ab1c68e4.exe
Size

463KB
MD5

a603a8a69bbcd08f4899a605ab1c68e4
SHA1

59f7a2f88a8a3fc13f685672b72506b28ba1614e
SHA256

4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81
SHA512

367238cbdaadbfbe42e08da5596f44efb00844505b7a415a57fd3a2d969b8ca83ac4b6ab3c0a4f6c348d9fec0229baee760bb0798768325710a7e70a3f8a4612

Score

10^/10

remcos remrem102 evasion rat trojan

Malware Config

Extracted

Family

remcos

Version

3.3.2 Pro

Botnet

remrem102

C2

18.218.132.40:2404

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
jre
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-QIKEGJ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3720 set thread context of 396	3720	a603a8a69bbcd08f4899a605ab1c68e4.exe	70

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1376	reg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3720	a603a8a69bbcd08f4899a605ab1c68e4.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 580	3720	a603a8a69bbcd08f4899a605ab1c68e4.exe	69
PID 3720 wrote to memory of 580	3720	a603a8a69bbcd08f4899a605ab1c68e4.exe	69
PID 3720 wrote to memory of 580	3720	a603a8a69bbcd08f4899a605ab1c68e4.exe	69
PID 3720 wrote to memory of 396	3720	a603a8a69bbcd08f4899a605ab1c68e4.exe	70
PID 3720 wrote to memory of 396	3720	a603a8a69bbcd08f4899a605ab1c68e4.exe	70
PID 3720 wrote to memory of 396	3720	a603a8a69bbcd08f4899a605ab1c68e4.exe	70
PID 3720 wrote to memory of 396	3720	a603a8a69bbcd08f4899a605ab1c68e4.exe	70
PID 3720 wrote to memory of 396	3720	a603a8a69bbcd08f4899a605ab1c68e4.exe	70
PID 3720 wrote to memory of 396	3720	a603a8a69bbcd08f4899a605ab1c68e4.exe	70
PID 3720 wrote to memory of 396	3720	a603a8a69bbcd08f4899a605ab1c68e4.exe	70
PID 3720 wrote to memory of 396	3720	a603a8a69bbcd08f4899a605ab1c68e4.exe	70
PID 3720 wrote to memory of 396	3720	a603a8a69bbcd08f4899a605ab1c68e4.exe	70
PID 3720 wrote to memory of 396	3720	a603a8a69bbcd08f4899a605ab1c68e4.exe	70
PID 3720 wrote to memory of 396	3720	a603a8a69bbcd08f4899a605ab1c68e4.exe	70
PID 3720 wrote to memory of 396	3720	a603a8a69bbcd08f4899a605ab1c68e4.exe	70
PID 580 wrote to memory of 1376	580	cmd.exe	72
PID 580 wrote to memory of 1376	580	cmd.exe	72
PID 580 wrote to memory of 1376	580	cmd.exe	72

C:\Users\Admin\AppData\Local\Temp\a603a8a69bbcd08f4899a605ab1c68e4.exe
"C:\Users\Admin\AppData\Local\Temp\a603a8a69bbcd08f4899a605ab1c68e4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - Modifies registry key
    PID:1376
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe
  2⤵
  PID:396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/396-119-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/396-121-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/396-122-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/396-124-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing