remcos | 13a01ab49ce46ef8c0b777be39442175acb0c2ff43f18430549a9927c991885b

General

Target

na.exe
Size

343KB
MD5

9125179a330454ca85b14de64a89faa6
SHA1

1965ecfcd7181d6936565ab1f73ec594ed4c71a2
SHA256

52360edd07bcd18738ccc44906897ece6c659883978d6ed61bd1e73dca205bd4
SHA512

6054701500d7247be4d365be2a8501ff4fc24c5b523e002a8aefec7e01f8434bc62fc59aaabce9e4438cf8dfc623531c988b255a087355b8e7b4e2bfe4361890

Score

10^/10

remcos .net agilenet persistence rat

Malware Config

Extracted

Family

remcos

Version

2.5.1 Pro

Botnet

.NET

C2

noapology.myq-see.com:5149

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
vlc
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
app
keylog_path
%AppData%
mouse_option
false
mutex
remoteaccess-ERAX9A
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remoteaccess
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

remcos.exeremcos.exe

pid process

632 remcos.exe
1504 remcos.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

656 cmd.exe

pid	process
632	remcos.exe
1504	remcos.exe

pid	process
656	cmd.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/908-55-0x0000000000320000-0x0000000000334000-memory.dmp	agile_net
behavioral1/memory/632-82-0x0000000000820000-0x0000000000834000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

na.exeremcos.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\	na.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\remoteaccess = "\"C:\\Users\\Admin\\AppData\\Roaming\\vlc\\remcos.exe\""	na.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\remoteaccess = "\"C:\\Users\\Admin\\AppData\\Roaming\\vlc\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

na.exeremcos.exe

description pid process target process

PID 908 set thread context of 1940 908 na.exe na.exe
PID 632 set thread context of 1504 632 remcos.exe remcos.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

na.exeremcos.exe

pid process

908 na.exe
908 na.exe
908 na.exe
632 remcos.exe
632 remcos.exe
632 remcos.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

na.exeremcos.exe

description pid process

Token: SeDebugPrivilege 908 na.exe
Token: SeDebugPrivilege 632 remcos.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

1504 remcos.exe

description	pid	process	target process
PID 908 set thread context of 1940	908	na.exe	na.exe
PID 632 set thread context of 1504	632	remcos.exe	remcos.exe

pid	process
908	na.exe
908	na.exe
908	na.exe
632	remcos.exe
632	remcos.exe
632	remcos.exe

description	pid	process
Token: SeDebugPrivilege	908	na.exe
Token: SeDebugPrivilege	632	remcos.exe

pid	process
1504	remcos.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

na.exena.exeWScript.execmd.exeremcos.exe

description	pid	process	target process
PID 908 wrote to memory of 1940	908	na.exe	na.exe
PID 908 wrote to memory of 1940	908	na.exe	na.exe
PID 908 wrote to memory of 1940	908	na.exe	na.exe
PID 908 wrote to memory of 1940	908	na.exe	na.exe
PID 908 wrote to memory of 1940	908	na.exe	na.exe
PID 908 wrote to memory of 1940	908	na.exe	na.exe
PID 908 wrote to memory of 1940	908	na.exe	na.exe
PID 908 wrote to memory of 1940	908	na.exe	na.exe
PID 908 wrote to memory of 1940	908	na.exe	na.exe
PID 908 wrote to memory of 1940	908	na.exe	na.exe
PID 908 wrote to memory of 1940	908	na.exe	na.exe
PID 1940 wrote to memory of 1804	1940	na.exe	WScript.exe
PID 1940 wrote to memory of 1804	1940	na.exe	WScript.exe
PID 1940 wrote to memory of 1804	1940	na.exe	WScript.exe
PID 1940 wrote to memory of 1804	1940	na.exe	WScript.exe
PID 1804 wrote to memory of 656	1804	WScript.exe	cmd.exe
PID 1804 wrote to memory of 656	1804	WScript.exe	cmd.exe
PID 1804 wrote to memory of 656	1804	WScript.exe	cmd.exe
PID 1804 wrote to memory of 656	1804	WScript.exe	cmd.exe
PID 656 wrote to memory of 632	656	cmd.exe	remcos.exe
PID 656 wrote to memory of 632	656	cmd.exe	remcos.exe
PID 656 wrote to memory of 632	656	cmd.exe	remcos.exe
PID 656 wrote to memory of 632	656	cmd.exe	remcos.exe
PID 632 wrote to memory of 1504	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1504	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1504	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1504	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1504	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1504	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1504	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1504	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1504	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1504	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1504	632	remcos.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\na.exe
"C:\Users\Admin\AppData\Local\Temp\na.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Local\Temp\na.exe
"C:\Users\Admin\AppData\Local\Temp\na.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\vlc\remcos.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:656

C:\Users\Admin\AppData\Roaming\vlc\remcos.exe
C:\Users\Admin\AppData\Roaming\vlc\remcos.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:632

C:\Users\Admin\AppData\Roaming\vlc\remcos.exe
"C:\Users\Admin\AppData\Roaming\vlc\remcos.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize
412B

MD5
e20de8eb17668cf226b9b5de03600f6b

SHA1
e649c077a6ef4579e7052c4b2df3fab2d979d531

SHA256
8371442d7bf0f75983623d8940d8f4b459785db0a17aa8806000d9363e4eeede

SHA512
9a22c687ce47c53a3d57dab8bdb362e0c814575027439d8fc2371a1f8a4cda0ae6dda362fdbc91d30a15acf98c5a095f8e4d962e4d7e1081adec536b2b8398f7

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\remcos.exe
Filesize
343KB

MD5
9125179a330454ca85b14de64a89faa6

SHA1
1965ecfcd7181d6936565ab1f73ec594ed4c71a2

SHA256
52360edd07bcd18738ccc44906897ece6c659883978d6ed61bd1e73dca205bd4

SHA512
6054701500d7247be4d365be2a8501ff4fc24c5b523e002a8aefec7e01f8434bc62fc59aaabce9e4438cf8dfc623531c988b255a087355b8e7b4e2bfe4361890

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\remcos.exe
Filesize
343KB

MD5
9125179a330454ca85b14de64a89faa6

SHA1
1965ecfcd7181d6936565ab1f73ec594ed4c71a2

SHA256
52360edd07bcd18738ccc44906897ece6c659883978d6ed61bd1e73dca205bd4

SHA512
6054701500d7247be4d365be2a8501ff4fc24c5b523e002a8aefec7e01f8434bc62fc59aaabce9e4438cf8dfc623531c988b255a087355b8e7b4e2bfe4361890

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\remcos.exe
Filesize
343KB

MD5
9125179a330454ca85b14de64a89faa6

SHA1
1965ecfcd7181d6936565ab1f73ec594ed4c71a2

SHA256
52360edd07bcd18738ccc44906897ece6c659883978d6ed61bd1e73dca205bd4

SHA512
6054701500d7247be4d365be2a8501ff4fc24c5b523e002a8aefec7e01f8434bc62fc59aaabce9e4438cf8dfc623531c988b255a087355b8e7b4e2bfe4361890

Download Submit
\Users\Admin\AppData\Roaming\vlc\remcos.exe
Filesize
343KB

MD5
9125179a330454ca85b14de64a89faa6

SHA1
1965ecfcd7181d6936565ab1f73ec594ed4c71a2

SHA256
52360edd07bcd18738ccc44906897ece6c659883978d6ed61bd1e73dca205bd4

SHA512
6054701500d7247be4d365be2a8501ff4fc24c5b523e002a8aefec7e01f8434bc62fc59aaabce9e4438cf8dfc623531c988b255a087355b8e7b4e2bfe4361890

Download Submit
memory/632-82-0x0000000000820000-0x0000000000834000-memory.dmp

Filesize
80KB

Download
memory/632-81-0x00000000010D0000-0x000000000112C000-memory.dmp

Filesize
368KB

Download
memory/632-79-0x0000000000000000-mapping.dmp

Download
memory/656-76-0x0000000000000000-mapping.dmp

Download
memory/908-54-0x0000000000E60000-0x0000000000EBC000-memory.dmp

Filesize
368KB

Download
memory/908-57-0x0000000000660000-0x0000000000668000-memory.dmp

Filesize
32KB

Download
memory/908-56-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download
memory/908-55-0x0000000000320000-0x0000000000334000-memory.dmp

Filesize
80KB

Download
memory/1504-98-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1504-93-0x0000000000413B74-mapping.dmp

Download
memory/1504-97-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1804-73-0x0000000000000000-mapping.dmp

Download
memory/1940-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-72-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-71-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-70-0x0000000075581000-0x0000000075583000-memory.dmp

Filesize
8KB

Download
memory/1940-68-0x0000000000413B74-mapping.dmp

Download
memory/1940-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-64-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-61-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1940-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads