remcos | fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619

General

Target

3bc08e00ecef320c41b327060c3cbd2e.exe
Size

1.0MB
MD5

3bc08e00ecef320c41b327060c3cbd2e
SHA1

9806b730358b838eb355efb793b657ff2ecc570a
SHA256

fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619
SHA512

d96d9385297541bac6e7833384ca54601061cc9425c4f7e57a0071796f1cf605110ee38839e9d93275986b000ee4a8e66ab7c1255c3e475ea96d3574c24b95e9

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

37.0.14.206:3352

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Remcos-SSCE3Q
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

remcos.exe

pid process

1152 remcos.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

524 cmd.exe

pid	process
1152	remcos.exe

pid	process
524	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MSBuild.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	MSBuild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\	MSBuild.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	MSBuild.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3bc08e00ecef320c41b327060c3cbd2e.exe

description pid process target process

PID 1180 set thread context of 1120 1180 3bc08e00ecef320c41b327060c3cbd2e.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1592 schtasks.exe

description	pid	process	target process
PID 1180 set thread context of 1120	1180	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe

pid	process
1592	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

3bc08e00ecef320c41b327060c3cbd2e.exepowershell.exe

pid	process
1180	3bc08e00ecef320c41b327060c3cbd2e.exe
1180	3bc08e00ecef320c41b327060c3cbd2e.exe
1180	3bc08e00ecef320c41b327060c3cbd2e.exe
1180	3bc08e00ecef320c41b327060c3cbd2e.exe
948	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3bc08e00ecef320c41b327060c3cbd2e.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1180 3bc08e00ecef320c41b327060c3cbd2e.exe
Token: SeDebugPrivilege 948 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1180	3bc08e00ecef320c41b327060c3cbd2e.exe
Token: SeDebugPrivilege	948	powershell.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

3bc08e00ecef320c41b327060c3cbd2e.exeMSBuild.exeWScript.execmd.exe

description	pid	process	target process
PID 1180 wrote to memory of 948	1180	3bc08e00ecef320c41b327060c3cbd2e.exe	powershell.exe
PID 1180 wrote to memory of 948	1180	3bc08e00ecef320c41b327060c3cbd2e.exe	powershell.exe
PID 1180 wrote to memory of 948	1180	3bc08e00ecef320c41b327060c3cbd2e.exe	powershell.exe
PID 1180 wrote to memory of 948	1180	3bc08e00ecef320c41b327060c3cbd2e.exe	powershell.exe
PID 1180 wrote to memory of 1592	1180	3bc08e00ecef320c41b327060c3cbd2e.exe	schtasks.exe
PID 1180 wrote to memory of 1592	1180	3bc08e00ecef320c41b327060c3cbd2e.exe	schtasks.exe
PID 1180 wrote to memory of 1592	1180	3bc08e00ecef320c41b327060c3cbd2e.exe	schtasks.exe
PID 1180 wrote to memory of 1592	1180	3bc08e00ecef320c41b327060c3cbd2e.exe	schtasks.exe
PID 1180 wrote to memory of 1692	1180	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 1180 wrote to memory of 1692	1180	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 1180 wrote to memory of 1692	1180	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 1180 wrote to memory of 1692	1180	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 1180 wrote to memory of 1120	1180	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 1180 wrote to memory of 1120	1180	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 1180 wrote to memory of 1120	1180	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 1180 wrote to memory of 1120	1180	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 1180 wrote to memory of 1120	1180	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 1180 wrote to memory of 1120	1180	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 1180 wrote to memory of 1120	1180	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 1180 wrote to memory of 1120	1180	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 1180 wrote to memory of 1120	1180	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 1180 wrote to memory of 1120	1180	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 1180 wrote to memory of 1120	1180	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 1180 wrote to memory of 1120	1180	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 1180 wrote to memory of 1120	1180	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 1120 wrote to memory of 1484	1120	MSBuild.exe	WScript.exe
PID 1120 wrote to memory of 1484	1120	MSBuild.exe	WScript.exe
PID 1120 wrote to memory of 1484	1120	MSBuild.exe	WScript.exe
PID 1120 wrote to memory of 1484	1120	MSBuild.exe	WScript.exe
PID 1484 wrote to memory of 524	1484	WScript.exe	cmd.exe
PID 1484 wrote to memory of 524	1484	WScript.exe	cmd.exe
PID 1484 wrote to memory of 524	1484	WScript.exe	cmd.exe
PID 1484 wrote to memory of 524	1484	WScript.exe	cmd.exe
PID 524 wrote to memory of 1152	524	cmd.exe	remcos.exe
PID 524 wrote to memory of 1152	524	cmd.exe	remcos.exe
PID 524 wrote to memory of 1152	524	cmd.exe	remcos.exe
PID 524 wrote to memory of 1152	524	cmd.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\3bc08e00ecef320c41b327060c3cbd2e.exe
"C:\Users\Admin\AppData\Local\Temp\3bc08e00ecef320c41b327060c3cbd2e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xWKkbJbWKdl.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xWKkbJbWKdl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9F4C.tmp"
2⤵
- Creates scheduled task(s)
PID:1592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:1692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:524

C:\ProgramData\Remcos\remcos.exe
C:\ProgramData\Remcos\remcos.exe
5⤵
- Executes dropped EXE
PID:1152

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\remcos.exe
Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
C:\ProgramData\Remcos\remcos.exe
Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize
386B

MD5
1ec6289c6fd4c2ded6b2836ed28cbeb5

SHA1
c4e08195e6c640eb8860acc03fda1d649b4fe070

SHA256
6efdc40f9eb217f879607614e928b65bff759e424f3efb31faceb2a043c32dc2

SHA512
20bc46f4dee22f75f15c402c7c2eaee60fff7dd92548050585571dcbefd59485cc249c06bc3f1aac7a138e5ae67c0c3918b46ffa24c8b0f1b092e2f6b6e21288

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9F4C.tmp
Filesize
1KB

MD5
1f2b274cbfe01b1f33ff718492b480f0

SHA1
00be4a207f59b36af967827263caeee7143139e0

SHA256
9b84f4280123452f8cfe602be4fbab3a161b95d39f7d079c6dfb119b0a605c15

SHA512
72bec8842e1c6dbcfb3e3f52204ed1edfe1637db548d4d70ee259f777744b22c0f4eed2189d0e8509fd4f438c30886705c0b1f5126324b494c1409800ea7fad2

Download Submit
\ProgramData\Remcos\remcos.exe
Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
memory/524-87-0x0000000000000000-mapping.dmp

Download
memory/948-59-0x0000000000000000-mapping.dmp

Download
memory/948-86-0x000000006DDF0000-0x000000006E39B000-memory.dmp

Filesize
5.7MB

Download
memory/948-85-0x000000006DDF0000-0x000000006E39B000-memory.dmp

Filesize
5.7MB

Download
memory/1120-71-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1120-74-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1120-67-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1120-69-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1120-70-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1120-64-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1120-72-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1120-65-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1120-77-0x000000000043168C-mapping.dmp

Download
memory/1120-76-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1120-80-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1120-82-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1152-90-0x0000000000000000-mapping.dmp

Download
memory/1152-92-0x0000000000890000-0x00000000008D0000-memory.dmp

Filesize
256KB

Download
memory/1180-58-0x0000000005EF0000-0x0000000005FB6000-memory.dmp

Filesize
792KB

Download
memory/1180-63-0x000000000A3A0000-0x000000000A41A000-memory.dmp

Filesize
488KB

Download
memory/1180-57-0x00000000006B0000-0x00000000006BA000-memory.dmp

Filesize
40KB

Download
memory/1180-56-0x0000000000500000-0x0000000000516000-memory.dmp

Filesize
88KB

Download
memory/1180-55-0x0000000075481000-0x0000000075483000-memory.dmp

Filesize
8KB

Download
memory/1180-54-0x0000000000C10000-0x0000000000D1E000-memory.dmp

Filesize
1.1MB

Download
memory/1484-81-0x0000000000000000-mapping.dmp

Download
memory/1592-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads