remcos | bbe26aa677d50f8ac1f37c0d7489a22284a84af8ae353e14a4765b8371d20665

General

Target

SECRHACIEN36590001 SECRHACIEN36590007.exe
Size

579KB
MD5

bc521cfe669b897e7adaf6439b91790e
SHA1

2dce5e832053ddb8f32ab8179aac830a12fe760a
SHA256

bbe26aa677d50f8ac1f37c0d7489a22284a84af8ae353e14a4765b8371d20665
SHA512

d5446fa1ec6cdca541245222e796064dbc9fba602861c78bbc3ecbcff19455987c29db19ba316cf2933295372c80374f14dc3adf802dd047d508a1946bef7cf7

Score

10^/10

remcos 11 rat

Malware Config

Extracted

Family

remcos

Version

2.7.0 Pro

Botnet

11

C2

pruebaonce83191.duckdns.org:1717

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-9IG8KM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 1 IoCs

Processes:

SECRHACIEN36590001 SECRHACIEN36590007.exe

description pid process target process

PID 1088 set thread context of 1816 1088 SECRHACIEN36590001 SECRHACIEN36590007.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

988 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

SECRHACIEN36590001 SECRHACIEN36590007.exe

pid process

1088 SECRHACIEN36590001 SECRHACIEN36590007.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SECRHACIEN36590001 SECRHACIEN36590007.exe

description pid process

Token: SeDebugPrivilege 1088 SECRHACIEN36590001 SECRHACIEN36590007.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

1816 RegSvcs.exe

description	pid	process	target process
PID 1088 set thread context of 1816	1088	SECRHACIEN36590001 SECRHACIEN36590007.exe	RegSvcs.exe

pid	process
988	schtasks.exe

pid	process
1088	SECRHACIEN36590001 SECRHACIEN36590007.exe

description	pid	process
Token: SeDebugPrivilege	1088	SECRHACIEN36590001 SECRHACIEN36590007.exe

pid	process
1816	RegSvcs.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

SECRHACIEN36590001 SECRHACIEN36590007.exe

description	pid	process	target process
PID 1088 wrote to memory of 988	1088	SECRHACIEN36590001 SECRHACIEN36590007.exe	schtasks.exe
PID 1088 wrote to memory of 988	1088	SECRHACIEN36590001 SECRHACIEN36590007.exe	schtasks.exe
PID 1088 wrote to memory of 988	1088	SECRHACIEN36590001 SECRHACIEN36590007.exe	schtasks.exe
PID 1088 wrote to memory of 988	1088	SECRHACIEN36590001 SECRHACIEN36590007.exe	schtasks.exe
PID 1088 wrote to memory of 1816	1088	SECRHACIEN36590001 SECRHACIEN36590007.exe	RegSvcs.exe
PID 1088 wrote to memory of 1816	1088	SECRHACIEN36590001 SECRHACIEN36590007.exe	RegSvcs.exe
PID 1088 wrote to memory of 1816	1088	SECRHACIEN36590001 SECRHACIEN36590007.exe	RegSvcs.exe
PID 1088 wrote to memory of 1816	1088	SECRHACIEN36590001 SECRHACIEN36590007.exe	RegSvcs.exe
PID 1088 wrote to memory of 1816	1088	SECRHACIEN36590001 SECRHACIEN36590007.exe	RegSvcs.exe
PID 1088 wrote to memory of 1816	1088	SECRHACIEN36590001 SECRHACIEN36590007.exe	RegSvcs.exe
PID 1088 wrote to memory of 1816	1088	SECRHACIEN36590001 SECRHACIEN36590007.exe	RegSvcs.exe
PID 1088 wrote to memory of 1816	1088	SECRHACIEN36590001 SECRHACIEN36590007.exe	RegSvcs.exe
PID 1088 wrote to memory of 1816	1088	SECRHACIEN36590001 SECRHACIEN36590007.exe	RegSvcs.exe
PID 1088 wrote to memory of 1816	1088	SECRHACIEN36590001 SECRHACIEN36590007.exe	RegSvcs.exe
PID 1088 wrote to memory of 1816	1088	SECRHACIEN36590001 SECRHACIEN36590007.exe	RegSvcs.exe
PID 1088 wrote to memory of 1816	1088	SECRHACIEN36590001 SECRHACIEN36590007.exe	RegSvcs.exe
PID 1088 wrote to memory of 1816	1088	SECRHACIEN36590001 SECRHACIEN36590007.exe	RegSvcs.exe
PID 1088 wrote to memory of 1816	1088	SECRHACIEN36590001 SECRHACIEN36590007.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\SECRHACIEN36590001 SECRHACIEN36590007.exe
"C:\Users\Admin\AppData\Local\Temp\SECRHACIEN36590001 SECRHACIEN36590007.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uQRirl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3FFD.tmp"
2⤵
- Creates scheduled task(s)
PID:988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3FFD.tmp
MD5
abd60b11c95700e8d83b35a7fb841bdc

SHA1
7b3cd83bd8e9f54c39e58dc278e0f36c4a168702

SHA256
4bfae601420e74ea2dfc68dc19edad2da6b511969714c30e2081d01fccdaaafd

SHA512
1116d3f00083bc328f7fca8bee33d16f765746e490857e3abb36237ef628cd11cb4faa1ab176522a10bfeea4b1845873c0207e873e740ed5d52b35693158ff14

Download Submit
memory/1088-54-0x00000000107C0000-0x0000000010856000-memory.dmp

Filesize
600KB

Download
memory/1088-55-0x0000000076C61000-0x0000000076C63000-memory.dmp

Filesize
8KB

Download
memory/1088-56-0x0000000002230000-0x0000000004360000-memory.dmp

Filesize
33.2MB

Download
memory/1088-57-0x0000000000530000-0x000000000053A000-memory.dmp

Filesize
40KB

Download
memory/1088-58-0x0000000005420000-0x0000000005494000-memory.dmp

Filesize
464KB

Download
memory/1088-59-0x0000000001E40000-0x0000000001E66000-memory.dmp

Filesize
152KB

Download
memory/1816-62-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1816-61-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1816-63-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1816-64-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1816-65-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1816-66-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1816-67-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1816-69-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1816-70-0x0000000000401000-0x0000000000421000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads