remcos | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80

General

Target

ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
Size

340KB
MD5

77e6c7f57c85396bcc9cb835a24107d1
SHA1

6a243d09ed09f339935577c746d0326c0dff2e38
SHA256

ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80
SHA512

0f8203d8d710244728939b8b5ebc9053e3e0c3c1a9ba3de136fbf2dd8860ca74e277d067e13ccd2eca25ead0deeb782fd2b8ff345b2161ba4ee9720337348abd

Score

10^/10

remcos gold rat

Malware Config

Extracted

Family

remcos

Botnet

GOLD

C2

sub.thebest1jewels.waw.pl:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-TP8KCR
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

GOLD

C2

sub.thebest1jewels.waw.pl:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-TP8KCR
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe

description	pid	process	target process
PID 1836 set thread context of 2768	1836	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1116 2768 WerFault.exe ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3324 schtasks.exe

pid	pid_target	process	target process
1116	2768	WerFault.exe	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe

pid	process
3324	schtasks.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe

description	pid	process	target process
PID 1836 wrote to memory of 3324	1836	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	schtasks.exe
PID 1836 wrote to memory of 3324	1836	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	schtasks.exe
PID 1836 wrote to memory of 3324	1836	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	schtasks.exe
PID 1836 wrote to memory of 2768	1836	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
PID 1836 wrote to memory of 2768	1836	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
PID 1836 wrote to memory of 2768	1836	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
PID 1836 wrote to memory of 2768	1836	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
PID 1836 wrote to memory of 2768	1836	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
PID 1836 wrote to memory of 2768	1836	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
PID 1836 wrote to memory of 2768	1836	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
PID 1836 wrote to memory of 2768	1836	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
PID 1836 wrote to memory of 2768	1836	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
PID 1836 wrote to memory of 2768	1836	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe

C:\Users\Admin\AppData\Local\Temp\ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
"C:\Users\Admin\AppData\Local\Temp\ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ooPeZfpRVlcO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBBAA.tmp"
2⤵
- Creates scheduled task(s)
PID:3324

C:\Users\Admin\AppData\Local\Temp\ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
"C:\Users\Admin\AppData\Local\Temp\ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe"
2⤵
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 500
3⤵
- Program crash
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2768 -ip 2768
1⤵
PID:1972

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBBAA.tmp
Filesize
1KB

MD5
7694e4380a8c5d67af550436fa859977

SHA1
497c0b3697a7238a320bd1d7394e8ac060745c0a

SHA256
46f2731ee546eb2bec477116a85be01c9e21cd92d3ede18c7da4f8ef1d67e2ba

SHA512
1a06fd092ee0783bc60233411c4220f6ab6ab64fc1c7d76dd0cc3cd6199acae4a7245735e203ec5e7f64c88dbb2474d7177afc13add6464798c8ad075cf2816f

Download Submit
memory/1836-132-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/1836-133-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/1836-147-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/2768-136-0x0000000000000000-mapping.dmp

Download
memory/2768-138-0x0000000000720000-0x0000000000740000-memory.dmp

Filesize
128KB

Download
memory/2768-142-0x0000000000720000-0x0000000000740000-memory.dmp

Filesize
128KB

Download
memory/2768-146-0x0000000000720000-0x0000000000740000-memory.dmp

Filesize
128KB

Download
memory/3324-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads