remcos | 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d

General

Target

31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe
Size

448KB
MD5

4b1ae298f40f00471728ac6ce32d601d
SHA1

fc0dc529ace67350a5f94f231ee988d6af9f0539
SHA256

31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d
SHA512

42fad8dd08370b697dfde1eb6534876d2b18fd5ff5ce28f33d14a465a456430f99bb989682539ee62584e839e73a0a3a3be81ee479b5d3a82054d08f526960f6

Score

10^/10

remcos business rat

Malware Config

Extracted

Family

remcos

Version

2.5.1 Pro

Botnet

BUSINESS

C2

anotherlevel.ddns.net:7213

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-L9741X
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe

description	pid	process	target process
PID 2196 set thread context of 5072	2196	31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

220 5072 WerFault.exe vbc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5112 schtasks.exe

pid	pid_target	process	target process
220	5072	WerFault.exe	vbc.exe

pid	process
5112	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe

pid	process
2196	31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe
2196	31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe
2196	31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe

description pid process

Token: SeDebugPrivilege 2196 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe

description	pid	process
Token: SeDebugPrivilege	2196	31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe

description	pid	process	target process
PID 2196 wrote to memory of 5112	2196	31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe	schtasks.exe
PID 2196 wrote to memory of 5112	2196	31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe	schtasks.exe
PID 2196 wrote to memory of 5112	2196	31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe	schtasks.exe
PID 2196 wrote to memory of 4524	2196	31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe	vbc.exe
PID 2196 wrote to memory of 4524	2196	31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe	vbc.exe
PID 2196 wrote to memory of 4524	2196	31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe	vbc.exe
PID 2196 wrote to memory of 5072	2196	31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe	vbc.exe
PID 2196 wrote to memory of 5072	2196	31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe	vbc.exe
PID 2196 wrote to memory of 5072	2196	31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe	vbc.exe
PID 2196 wrote to memory of 5072	2196	31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe	vbc.exe
PID 2196 wrote to memory of 5072	2196	31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe	vbc.exe
PID 2196 wrote to memory of 5072	2196	31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe	vbc.exe
PID 2196 wrote to memory of 5072	2196	31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe	vbc.exe
PID 2196 wrote to memory of 5072	2196	31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe	vbc.exe
PID 2196 wrote to memory of 5072	2196	31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe	vbc.exe
PID 2196 wrote to memory of 5072	2196	31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe
"C:\Users\Admin\AppData\Local\Temp\31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DOGdvdFzLjUsb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5DFE.tmp"
2⤵
- Creates scheduled task(s)
PID:5112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
2⤵
PID:4524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
2⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 500
3⤵
- Program crash
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5072 -ip 5072
1⤵
PID:3644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5DFE.tmp
Filesize
1KB

MD5
bc2bd91093559e822433a1f7c9b721d5

SHA1
127886d013095d9692749a4c0453b2ef7fcd44ad

SHA256
7292374fdaaebb94364d3b986a0cba455d4a1c3c0c0e6fd8607791d17cc96564

SHA512
0ba47d4bd0e1161bd8e30df41d3102f5f81df375fa385d152aefd297f2fecbd1193d7b53c53689da70f1656b4542d29b4dd978e83d817d0afe7ced6f0535aebe

Download Submit
memory/2196-130-0x0000000000AB0000-0x0000000000B26000-memory.dmp

Filesize
472KB

Download
memory/2196-131-0x0000000005AA0000-0x0000000006044000-memory.dmp

Filesize
5.6MB

Download
memory/2196-132-0x00000000054F0000-0x0000000005582000-memory.dmp

Filesize
584KB

Download
memory/2196-133-0x00000000054D0000-0x00000000054DA000-memory.dmp

Filesize
40KB

Download
memory/2196-134-0x0000000007EA0000-0x0000000007F3C000-memory.dmp

Filesize
624KB

Download
memory/4524-137-0x0000000000000000-mapping.dmp

Download
memory/5072-138-0x0000000000000000-mapping.dmp

Download
memory/5072-139-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5072-141-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5072-143-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5112-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads