remcos | 02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade

General

Target

02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe
Size

612KB
MD5

faf84fc2be4d40feddf6856c3cf91483
SHA1

ede65d5360d7e47e190f7285e013a2d29490f8c5
SHA256

02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade
SHA512

e5ce499dade9c3c8cece4e87b694dc1473bad47071bd103a5b8a9b97d465bc01444c7d62d0542d0ccd662b8054a2885dd155fdf8d59019a02802daee31195468

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

185.105.236.179:1952

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-R7TDQD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

RemoteHost

C2

185.105.236.179:1952

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-R7TDQD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

remcos.exeremcos.exe

pid process

1868 remcos.exe
1336 remcos.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1448 cmd.exe

pid	process
1868	remcos.exe
1336	remcos.exe

pid	process
1448	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exeremcos.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exeremcos.exe

description	pid	process	target process
PID 1648 set thread context of 436	1648	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe
PID 1868 set thread context of 1336	1868	remcos.exe	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

1336 remcos.exe

pid	process
1336	remcos.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exeWScript.execmd.exeremcos.exe

description	pid	process	target process
PID 1648 wrote to memory of 436	1648	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe
PID 1648 wrote to memory of 436	1648	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe
PID 1648 wrote to memory of 436	1648	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe
PID 1648 wrote to memory of 436	1648	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe
PID 1648 wrote to memory of 436	1648	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe
PID 1648 wrote to memory of 436	1648	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe
PID 1648 wrote to memory of 436	1648	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe
PID 1648 wrote to memory of 436	1648	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe
PID 1648 wrote to memory of 436	1648	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe
PID 1648 wrote to memory of 436	1648	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe
PID 1648 wrote to memory of 436	1648	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe
PID 436 wrote to memory of 1532	436	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe	WScript.exe
PID 436 wrote to memory of 1532	436	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe	WScript.exe
PID 436 wrote to memory of 1532	436	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe	WScript.exe
PID 436 wrote to memory of 1532	436	02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe	WScript.exe
PID 1532 wrote to memory of 1448	1532	WScript.exe	cmd.exe
PID 1532 wrote to memory of 1448	1532	WScript.exe	cmd.exe
PID 1532 wrote to memory of 1448	1532	WScript.exe	cmd.exe
PID 1532 wrote to memory of 1448	1532	WScript.exe	cmd.exe
PID 1448 wrote to memory of 1868	1448	cmd.exe	remcos.exe
PID 1448 wrote to memory of 1868	1448	cmd.exe	remcos.exe
PID 1448 wrote to memory of 1868	1448	cmd.exe	remcos.exe
PID 1448 wrote to memory of 1868	1448	cmd.exe	remcos.exe
PID 1868 wrote to memory of 1336	1868	remcos.exe	remcos.exe
PID 1868 wrote to memory of 1336	1868	remcos.exe	remcos.exe
PID 1868 wrote to memory of 1336	1868	remcos.exe	remcos.exe
PID 1868 wrote to memory of 1336	1868	remcos.exe	remcos.exe
PID 1868 wrote to memory of 1336	1868	remcos.exe	remcos.exe
PID 1868 wrote to memory of 1336	1868	remcos.exe	remcos.exe
PID 1868 wrote to memory of 1336	1868	remcos.exe	remcos.exe
PID 1868 wrote to memory of 1336	1868	remcos.exe	remcos.exe
PID 1868 wrote to memory of 1336	1868	remcos.exe	remcos.exe
PID 1868 wrote to memory of 1336	1868	remcos.exe	remcos.exe
PID 1868 wrote to memory of 1336	1868	remcos.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe
"C:\Users\Admin\AppData\Local\Temp\02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Local\Temp\02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe
"C:\Users\Admin\AppData\Local\Temp\02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1868

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
ff449f6f7bc5e2d800eb30e2d2c56611

SHA1
93419ea805b9ce35a766e5c56db50d54c2d3f94b

SHA256
655787cf79040ee701963986320556a834d6345e850e03653e4852d94eb09416

SHA512
02a17064c837d36ba241fb8edf9266e33479a10eb8652b974158a3227878a801da29db1108413bb2c298a105b3c19bd20c3a3100f19444189f434706825766a6

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
MD5
faf84fc2be4d40feddf6856c3cf91483

SHA1
ede65d5360d7e47e190f7285e013a2d29490f8c5

SHA256
02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade

SHA512
e5ce499dade9c3c8cece4e87b694dc1473bad47071bd103a5b8a9b97d465bc01444c7d62d0542d0ccd662b8054a2885dd155fdf8d59019a02802daee31195468

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
MD5
faf84fc2be4d40feddf6856c3cf91483

SHA1
ede65d5360d7e47e190f7285e013a2d29490f8c5

SHA256
02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade

SHA512
e5ce499dade9c3c8cece4e87b694dc1473bad47071bd103a5b8a9b97d465bc01444c7d62d0542d0ccd662b8054a2885dd155fdf8d59019a02802daee31195468

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
MD5
faf84fc2be4d40feddf6856c3cf91483

SHA1
ede65d5360d7e47e190f7285e013a2d29490f8c5

SHA256
02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade

SHA512
e5ce499dade9c3c8cece4e87b694dc1473bad47071bd103a5b8a9b97d465bc01444c7d62d0542d0ccd662b8054a2885dd155fdf8d59019a02802daee31195468

Download Submit
\Users\Admin\AppData\Roaming\remcos\remcos.exe
MD5
faf84fc2be4d40feddf6856c3cf91483

SHA1
ede65d5360d7e47e190f7285e013a2d29490f8c5

SHA256
02f2369b58fbb2ba1df2c799b73842880a4874c32c1514a0d8956133be026ade

SHA512
e5ce499dade9c3c8cece4e87b694dc1473bad47071bd103a5b8a9b97d465bc01444c7d62d0542d0ccd662b8054a2885dd155fdf8d59019a02802daee31195468

Download Submit
memory/436-59-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/436-56-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/436-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/436-61-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/436-63-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/436-67-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/436-72-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/436-60-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/436-58-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/436-57-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/1336-89-0x0000000000400000-0x0000000000610000-memory.dmp

Filesize
2.1MB

Download
memory/1336-90-0x0000000000400000-0x0000000000610000-memory.dmp

Filesize
2.1MB

Download
memory/1648-54-0x0000000076451000-0x0000000076453000-memory.dmp

Filesize
8KB

Download
memory/1648-55-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/1868-79-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads