remcos | fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619

General

Target

fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exe
Size

1.0MB
MD5

3bc08e00ecef320c41b327060c3cbd2e
SHA1

9806b730358b838eb355efb793b657ff2ecc570a
SHA256

fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619
SHA512

d96d9385297541bac6e7833384ca54601061cc9425c4f7e57a0071796f1cf605110ee38839e9d93275986b000ee4a8e66ab7c1255c3e475ea96d3574c24b95e9

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

37.0.14.206:3352

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Remcos-SSCE3Q
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

remcos.exe

pid process

4080 remcos.exe

pid	process
4080	remcos.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MSBuild.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	MSBuild.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	MSBuild.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	MSBuild.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exe

description	pid	process	target process
PID 3372 set thread context of 2832	3372	fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4588 schtasks.exe
Modifies registry class 1 IoCs

Processes:

MSBuild.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings MSBuild.exe

pid	process
4588	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exepowershell.exe

pid	process
3372	fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exe
4772	powershell.exe
3372	fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exe
4772	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3372	fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exe
Token: SeDebugPrivilege	4772	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exeMSBuild.exeWScript.execmd.exe

description	pid	process	target process
PID 3372 wrote to memory of 4772	3372	fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exe	powershell.exe
PID 3372 wrote to memory of 4772	3372	fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exe	powershell.exe
PID 3372 wrote to memory of 4772	3372	fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exe	powershell.exe
PID 3372 wrote to memory of 4588	3372	fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exe	schtasks.exe
PID 3372 wrote to memory of 4588	3372	fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exe	schtasks.exe
PID 3372 wrote to memory of 4588	3372	fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exe	schtasks.exe
PID 3372 wrote to memory of 2832	3372	fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exe	MSBuild.exe
PID 3372 wrote to memory of 2832	3372	fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exe	MSBuild.exe
PID 3372 wrote to memory of 2832	3372	fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exe	MSBuild.exe
PID 3372 wrote to memory of 2832	3372	fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exe	MSBuild.exe
PID 3372 wrote to memory of 2832	3372	fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exe	MSBuild.exe
PID 3372 wrote to memory of 2832	3372	fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exe	MSBuild.exe
PID 3372 wrote to memory of 2832	3372	fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exe	MSBuild.exe
PID 3372 wrote to memory of 2832	3372	fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exe	MSBuild.exe
PID 3372 wrote to memory of 2832	3372	fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exe	MSBuild.exe
PID 3372 wrote to memory of 2832	3372	fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exe	MSBuild.exe
PID 3372 wrote to memory of 2832	3372	fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exe	MSBuild.exe
PID 3372 wrote to memory of 2832	3372	fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exe	MSBuild.exe
PID 2832 wrote to memory of 1540	2832	MSBuild.exe	WScript.exe
PID 2832 wrote to memory of 1540	2832	MSBuild.exe	WScript.exe
PID 2832 wrote to memory of 1540	2832	MSBuild.exe	WScript.exe
PID 1540 wrote to memory of 3860	1540	WScript.exe	cmd.exe
PID 1540 wrote to memory of 3860	1540	WScript.exe	cmd.exe
PID 1540 wrote to memory of 3860	1540	WScript.exe	cmd.exe
PID 3860 wrote to memory of 4080	3860	cmd.exe	remcos.exe
PID 3860 wrote to memory of 4080	3860	cmd.exe	remcos.exe
PID 3860 wrote to memory of 4080	3860	cmd.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exe
"C:\Users\Admin\AppData\Local\Temp\fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xWKkbJbWKdl.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xWKkbJbWKdl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9EA1.tmp"
2⤵
- Creates scheduled task(s)
PID:4588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3860

C:\ProgramData\Remcos\remcos.exe
C:\ProgramData\Remcos\remcos.exe
5⤵
- Executes dropped EXE
PID:4080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\remcos.exe
Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
C:\ProgramData\Remcos\remcos.exe
Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize
386B

MD5
1ec6289c6fd4c2ded6b2836ed28cbeb5

SHA1
c4e08195e6c640eb8860acc03fda1d649b4fe070

SHA256
6efdc40f9eb217f879607614e928b65bff759e424f3efb31faceb2a043c32dc2

SHA512
20bc46f4dee22f75f15c402c7c2eaee60fff7dd92548050585571dcbefd59485cc249c06bc3f1aac7a138e5ae67c0c3918b46ffa24c8b0f1b092e2f6b6e21288

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9EA1.tmp
Filesize
1KB

MD5
ec674f890d61dc241828d1f4c03158aa

SHA1
92d9eeb542182cf5d657977d63183c09847df3b6

SHA256
2d7af93f1c26366dc6db661326c6fcc58f170d862123f9cb0a54d00cc4734e3c

SHA512
708221e5faa290fb4a88cdc02e0c0664116544902b8c8f63cc713212f0609e8ffb5a02ec6e9e6a1ea1ec3652a72029a6a293c267c68d5afd421aea424bc6843b

Download Submit
memory/1540-147-0x0000000000000000-mapping.dmp

Download
memory/2832-148-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2832-142-0x0000000000000000-mapping.dmp

Download
memory/2832-144-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2832-145-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2832-146-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3372-134-0x000000000BA20000-0x000000000BABC000-memory.dmp

Filesize
624KB

Download
memory/3372-131-0x00000000059F0000-0x0000000005F94000-memory.dmp

Filesize
5.6MB

Download
memory/3372-132-0x0000000005440000-0x00000000054D2000-memory.dmp

Filesize
584KB

Download
memory/3372-135-0x000000000BD80000-0x000000000BDE6000-memory.dmp

Filesize
408KB

Download
memory/3372-133-0x0000000005FF0000-0x0000000005FFA000-memory.dmp

Filesize
40KB

Download
memory/3372-130-0x00000000009A0000-0x0000000000AAE000-memory.dmp

Filesize
1.1MB

Download
memory/3860-151-0x0000000000000000-mapping.dmp

Download
memory/4080-152-0x0000000000000000-mapping.dmp

Download
memory/4080-157-0x0000000005280000-0x00000000053DA000-memory.dmp

Filesize
1.4MB

Download
memory/4080-156-0x0000000004FA0000-0x0000000004FBA000-memory.dmp

Filesize
104KB

Download
memory/4080-155-0x00000000007C0000-0x0000000000800000-memory.dmp

Filesize
256KB

Download
memory/4588-137-0x0000000000000000-mapping.dmp

Download
memory/4772-158-0x0000000007810000-0x0000000007842000-memory.dmp

Filesize
200KB

Download
memory/4772-159-0x0000000075AB0000-0x0000000075AFC000-memory.dmp

Filesize
304KB

Download
memory/4772-136-0x0000000000000000-mapping.dmp

Download
memory/4772-140-0x0000000005960000-0x0000000005F88000-memory.dmp

Filesize
6.2MB

Download
memory/4772-141-0x0000000005880000-0x00000000058A2000-memory.dmp

Filesize
136KB

Download
memory/4772-149-0x0000000006840000-0x000000000685E000-memory.dmp

Filesize
120KB

Download
memory/4772-143-0x0000000006180000-0x00000000061E6000-memory.dmp

Filesize
408KB

Download
memory/4772-138-0x0000000002F30000-0x0000000002F66000-memory.dmp

Filesize
216KB

Download
memory/4772-160-0x0000000006E00000-0x0000000006E1E000-memory.dmp

Filesize
120KB

Download
memory/4772-161-0x0000000008190000-0x000000000880A000-memory.dmp

Filesize
6.5MB

Download
memory/4772-162-0x0000000007B40000-0x0000000007B5A000-memory.dmp

Filesize
104KB

Download
memory/4772-163-0x0000000007BC0000-0x0000000007BCA000-memory.dmp

Filesize
40KB

Download
memory/4772-164-0x0000000007DC0000-0x0000000007E56000-memory.dmp

Filesize
600KB

Download
memory/4772-165-0x0000000007D70000-0x0000000007D7E000-memory.dmp

Filesize
56KB

Download
memory/4772-166-0x0000000007E80000-0x0000000007E9A000-memory.dmp

Filesize
104KB

Download
memory/4772-167-0x0000000007E60000-0x0000000007E68000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads