remcos | 9640573998280900bbaab48ea85f674275d76b8bdde1642aa0c59898c6a79a21

General

Target

REMITTAN.exe
Size

224KB
MD5

03be770b4cd4a4290d56c7fda10b5b71
SHA1

a99ee0301a352ecd3255a64da62579d04d5bdad3
SHA256

6ea9da4ed018d0d17891bc301d0d42c637482f8ecdac6ebff94ac9dd41d5d7a3
SHA512

a434dc391e18f9c05faf8579ee5956eb7095bc10524b1a86896b3bdc59ee09254c7625376929d31bc6920b1e59bc2cce890590682a22d37e38d6122dafa90441

Score

10^/10

remcos panda evasion rat rezer0 trojan

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

Panda

C2

prantiexport.myq-see.com:3535

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
chrorne.exe
copy_folder
chrorne
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-NE3XLT
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1200-58-0x0000000004160000-0x000000000418E000-memory.dmp	rezer0

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

REMITTAN.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	REMITTAN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	REMITTAN.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

REMITTAN.exe

description pid process target process

PID 1200 set thread context of 1252 1200 REMITTAN.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1684 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exeREMITTAN.exe

pid process

1160 powershell.exe
1200 REMITTAN.exe
1200 REMITTAN.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeREMITTAN.exe

description pid process

Token: SeDebugPrivilege 1160 powershell.exe
Token: SeDebugPrivilege 1200 REMITTAN.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

1252 RegSvcs.exe

description	pid	process	target process
PID 1200 set thread context of 1252	1200	REMITTAN.exe	RegSvcs.exe

pid	process
1684	schtasks.exe

pid	process
1160	powershell.exe
1200	REMITTAN.exe
1200	REMITTAN.exe

description	pid	process
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	1200	REMITTAN.exe

pid	process
1252	RegSvcs.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

REMITTAN.exe

description	pid	process	target process
PID 1200 wrote to memory of 1160	1200	REMITTAN.exe	powershell.exe
PID 1200 wrote to memory of 1160	1200	REMITTAN.exe	powershell.exe
PID 1200 wrote to memory of 1160	1200	REMITTAN.exe	powershell.exe
PID 1200 wrote to memory of 1160	1200	REMITTAN.exe	powershell.exe
PID 1200 wrote to memory of 1684	1200	REMITTAN.exe	schtasks.exe
PID 1200 wrote to memory of 1684	1200	REMITTAN.exe	schtasks.exe
PID 1200 wrote to memory of 1684	1200	REMITTAN.exe	schtasks.exe
PID 1200 wrote to memory of 1684	1200	REMITTAN.exe	schtasks.exe
PID 1200 wrote to memory of 760	1200	REMITTAN.exe	RegSvcs.exe
PID 1200 wrote to memory of 760	1200	REMITTAN.exe	RegSvcs.exe
PID 1200 wrote to memory of 760	1200	REMITTAN.exe	RegSvcs.exe
PID 1200 wrote to memory of 760	1200	REMITTAN.exe	RegSvcs.exe
PID 1200 wrote to memory of 760	1200	REMITTAN.exe	RegSvcs.exe
PID 1200 wrote to memory of 760	1200	REMITTAN.exe	RegSvcs.exe
PID 1200 wrote to memory of 760	1200	REMITTAN.exe	RegSvcs.exe
PID 1200 wrote to memory of 1252	1200	REMITTAN.exe	RegSvcs.exe
PID 1200 wrote to memory of 1252	1200	REMITTAN.exe	RegSvcs.exe
PID 1200 wrote to memory of 1252	1200	REMITTAN.exe	RegSvcs.exe
PID 1200 wrote to memory of 1252	1200	REMITTAN.exe	RegSvcs.exe
PID 1200 wrote to memory of 1252	1200	REMITTAN.exe	RegSvcs.exe
PID 1200 wrote to memory of 1252	1200	REMITTAN.exe	RegSvcs.exe
PID 1200 wrote to memory of 1252	1200	REMITTAN.exe	RegSvcs.exe
PID 1200 wrote to memory of 1252	1200	REMITTAN.exe	RegSvcs.exe
PID 1200 wrote to memory of 1252	1200	REMITTAN.exe	RegSvcs.exe
PID 1200 wrote to memory of 1252	1200	REMITTAN.exe	RegSvcs.exe
PID 1200 wrote to memory of 1252	1200	REMITTAN.exe	RegSvcs.exe
PID 1200 wrote to memory of 1252	1200	REMITTAN.exe	RegSvcs.exe
PID 1200 wrote to memory of 1252	1200	REMITTAN.exe	RegSvcs.exe
PID 1200 wrote to memory of 1252	1200	REMITTAN.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\REMITTAN.exe
"C:\Users\Admin\AppData\Local\Temp\REMITTAN.exe"
1⤵
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pXSBxeXtBZsbJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE214.tmp"
2⤵
- Creates scheduled task(s)
PID:1684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE214.tmp
MD5
a7805fc4bd9bb28047ba2d97c5d4b9b6

SHA1
c0286dccdd44cdd37db09869fce597baf0d65864

SHA256
30f7c36ccd9022228010fece1b63725af8f5e40b6f48df252fed438d00abbecb

SHA512
ed64fea51bad8ec374cc528d52eb1c7116858e5d110b07587eba1a7367a51bb4ad793fcb00d7b767c8a201f8df14af4b3547e77194d05d92f9a4d8f9adbb7be3

Download Submit
memory/1160-63-0x00000000024F0000-0x000000000313A000-memory.dmp

Filesize
12.3MB

Download
memory/1160-65-0x00000000024F0000-0x000000000313A000-memory.dmp

Filesize
12.3MB

Download
memory/1160-64-0x00000000024F0000-0x000000000313A000-memory.dmp

Filesize
12.3MB

Download
memory/1200-58-0x0000000004160000-0x000000000418E000-memory.dmp

Filesize
184KB

Download
memory/1200-59-0x00000000041A0000-0x00000000041A1000-memory.dmp

Filesize
4KB

Download
memory/1200-54-0x0000000000160000-0x000000000019E000-memory.dmp

Filesize
248KB

Download
memory/1200-57-0x0000000000630000-0x000000000066E000-memory.dmp

Filesize
248KB

Download
memory/1200-56-0x0000000000530000-0x0000000000538000-memory.dmp

Filesize
32KB

Download
memory/1200-55-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/1252-68-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1252-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1252-69-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1252-71-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1252-70-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1252-72-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1252-73-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1252-75-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1252-76-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads