remcos | fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619

General

Target

3bc08e00ecef320c41b327060c3cbd2e.exe
Size

1.0MB
MD5

3bc08e00ecef320c41b327060c3cbd2e
SHA1

9806b730358b838eb355efb793b657ff2ecc570a
SHA256

fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619
SHA512

d96d9385297541bac6e7833384ca54601061cc9425c4f7e57a0071796f1cf605110ee38839e9d93275986b000ee4a8e66ab7c1255c3e475ea96d3574c24b95e9

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

37.0.14.206:3352

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Remcos-SSCE3Q
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

remcos.exe

pid process

1956 remcos.exe

pid	process
1956	remcos.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3bc08e00ecef320c41b327060c3cbd2e.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	3bc08e00ecef320c41b327060c3cbd2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MSBuild.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows\CurrentVersion\Run\	MSBuild.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	MSBuild.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	MSBuild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	MSBuild.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3bc08e00ecef320c41b327060c3cbd2e.exe

description pid process target process

PID 872 set thread context of 216 872 3bc08e00ecef320c41b327060c3cbd2e.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1044 schtasks.exe
Modifies registry class 1 IoCs

Processes:

MSBuild.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings MSBuild.exe

description	pid	process	target process
PID 872 set thread context of 216	872	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe

pid	process
1044	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

3bc08e00ecef320c41b327060c3cbd2e.exepowershell.exe

pid	process
872	3bc08e00ecef320c41b327060c3cbd2e.exe
872	3bc08e00ecef320c41b327060c3cbd2e.exe
872	3bc08e00ecef320c41b327060c3cbd2e.exe
872	3bc08e00ecef320c41b327060c3cbd2e.exe
872	3bc08e00ecef320c41b327060c3cbd2e.exe
872	3bc08e00ecef320c41b327060c3cbd2e.exe
872	3bc08e00ecef320c41b327060c3cbd2e.exe
872	3bc08e00ecef320c41b327060c3cbd2e.exe
872	3bc08e00ecef320c41b327060c3cbd2e.exe
3768	powershell.exe
872	3bc08e00ecef320c41b327060c3cbd2e.exe
3768	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3bc08e00ecef320c41b327060c3cbd2e.exepowershell.exe

description pid process

Token: SeDebugPrivilege 872 3bc08e00ecef320c41b327060c3cbd2e.exe
Token: SeDebugPrivilege 3768 powershell.exe

description	pid	process
Token: SeDebugPrivilege	872	3bc08e00ecef320c41b327060c3cbd2e.exe
Token: SeDebugPrivilege	3768	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

3bc08e00ecef320c41b327060c3cbd2e.exeMSBuild.exeWScript.execmd.exe

description	pid	process	target process
PID 872 wrote to memory of 3768	872	3bc08e00ecef320c41b327060c3cbd2e.exe	powershell.exe
PID 872 wrote to memory of 3768	872	3bc08e00ecef320c41b327060c3cbd2e.exe	powershell.exe
PID 872 wrote to memory of 3768	872	3bc08e00ecef320c41b327060c3cbd2e.exe	powershell.exe
PID 872 wrote to memory of 1044	872	3bc08e00ecef320c41b327060c3cbd2e.exe	schtasks.exe
PID 872 wrote to memory of 1044	872	3bc08e00ecef320c41b327060c3cbd2e.exe	schtasks.exe
PID 872 wrote to memory of 1044	872	3bc08e00ecef320c41b327060c3cbd2e.exe	schtasks.exe
PID 872 wrote to memory of 1800	872	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 872 wrote to memory of 1800	872	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 872 wrote to memory of 1800	872	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 872 wrote to memory of 3396	872	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 872 wrote to memory of 3396	872	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 872 wrote to memory of 3396	872	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 872 wrote to memory of 204	872	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 872 wrote to memory of 204	872	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 872 wrote to memory of 204	872	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 872 wrote to memory of 216	872	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 872 wrote to memory of 216	872	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 872 wrote to memory of 216	872	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 872 wrote to memory of 216	872	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 872 wrote to memory of 216	872	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 872 wrote to memory of 216	872	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 872 wrote to memory of 216	872	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 872 wrote to memory of 216	872	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 872 wrote to memory of 216	872	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 872 wrote to memory of 216	872	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 872 wrote to memory of 216	872	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 872 wrote to memory of 216	872	3bc08e00ecef320c41b327060c3cbd2e.exe	MSBuild.exe
PID 216 wrote to memory of 2468	216	MSBuild.exe	WScript.exe
PID 216 wrote to memory of 2468	216	MSBuild.exe	WScript.exe
PID 216 wrote to memory of 2468	216	MSBuild.exe	WScript.exe
PID 2468 wrote to memory of 1436	2468	WScript.exe	cmd.exe
PID 2468 wrote to memory of 1436	2468	WScript.exe	cmd.exe
PID 2468 wrote to memory of 1436	2468	WScript.exe	cmd.exe
PID 1436 wrote to memory of 1956	1436	cmd.exe	remcos.exe
PID 1436 wrote to memory of 1956	1436	cmd.exe	remcos.exe
PID 1436 wrote to memory of 1956	1436	cmd.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\3bc08e00ecef320c41b327060c3cbd2e.exe
"C:\Users\Admin\AppData\Local\Temp\3bc08e00ecef320c41b327060c3cbd2e.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xWKkbJbWKdl.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xWKkbJbWKdl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE441.tmp"
2⤵
- Creates scheduled task(s)
PID:1044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:3396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1436

C:\ProgramData\Remcos\remcos.exe
C:\ProgramData\Remcos\remcos.exe
5⤵
- Executes dropped EXE
PID:1956

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\remcos.exe
Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
C:\ProgramData\Remcos\remcos.exe
Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize
386B

MD5
1ec6289c6fd4c2ded6b2836ed28cbeb5

SHA1
c4e08195e6c640eb8860acc03fda1d649b4fe070

SHA256
6efdc40f9eb217f879607614e928b65bff759e424f3efb31faceb2a043c32dc2

SHA512
20bc46f4dee22f75f15c402c7c2eaee60fff7dd92548050585571dcbefd59485cc249c06bc3f1aac7a138e5ae67c0c3918b46ffa24c8b0f1b092e2f6b6e21288

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE441.tmp
Filesize
1KB

MD5
e706c2509071e368753dc6ec015ac7ca

SHA1
b6aab09223e48cc02f8e898ea00cec795b1099c6

SHA256
54a9dd437b0278a844821968433f06019cac1a87e29260af4b16ccda6735714c

SHA512
633a991aaeb5763507019c279c02db4d7ff96cdfe9296a62942b93955e927b2f525909da38a7a80534eb567a0ef98c767a4ea884f18492b33277e581dfa595fe

Download Submit
memory/204-145-0x0000000000000000-mapping.dmp

Download
memory/216-150-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/216-154-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/216-152-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/216-146-0x0000000000000000-mapping.dmp

Download
memory/216-147-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/216-148-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/872-132-0x0000000000150000-0x000000000025E000-memory.dmp

Filesize
1.1MB

Download
memory/872-133-0x0000000005140000-0x00000000056E4000-memory.dmp

Filesize
5.6MB

Download
memory/872-137-0x000000000B4E0000-0x000000000B546000-memory.dmp

Filesize
408KB

Download
memory/872-136-0x000000000B240000-0x000000000B2DC000-memory.dmp

Filesize
624KB

Download
memory/872-135-0x0000000005100000-0x000000000510A000-memory.dmp

Filesize
40KB

Download
memory/872-134-0x0000000004C30000-0x0000000004CC2000-memory.dmp

Filesize
584KB

Download
memory/1044-139-0x0000000000000000-mapping.dmp

Download
memory/1436-157-0x0000000000000000-mapping.dmp

Download
memory/1800-143-0x0000000000000000-mapping.dmp

Download
memory/1956-158-0x0000000000000000-mapping.dmp

Download
memory/1956-163-0x0000000004DF0000-0x0000000004F4A000-memory.dmp

Filesize
1.4MB

Download
memory/1956-161-0x00000000004B0000-0x00000000004F0000-memory.dmp

Filesize
256KB

Download
memory/1956-162-0x0000000004C70000-0x0000000004C8A000-memory.dmp

Filesize
104KB

Download
memory/2468-153-0x0000000000000000-mapping.dmp

Download
memory/3396-144-0x0000000000000000-mapping.dmp

Download
memory/3768-165-0x0000000072550000-0x000000007259C000-memory.dmp

Filesize
304KB

Download
memory/3768-164-0x0000000005F80000-0x0000000005FB2000-memory.dmp

Filesize
200KB

Download
memory/3768-151-0x0000000004A80000-0x0000000004AE6000-memory.dmp

Filesize
408KB

Download
memory/3768-142-0x0000000004B20000-0x0000000005148000-memory.dmp

Filesize
6.2MB

Download
memory/3768-166-0x0000000005F60000-0x0000000005F7E000-memory.dmp

Filesize
120KB

Download
memory/3768-138-0x0000000000000000-mapping.dmp

Download
memory/3768-149-0x00000000048E0000-0x0000000004902000-memory.dmp

Filesize
136KB

Download
memory/3768-156-0x00000000059C0000-0x00000000059DE000-memory.dmp

Filesize
120KB

Download
memory/3768-140-0x00000000043E0000-0x0000000004416000-memory.dmp

Filesize
216KB

Download
memory/3768-167-0x0000000007310000-0x000000000798A000-memory.dmp

Filesize
6.5MB

Download
memory/3768-168-0x0000000006CC0000-0x0000000006CDA000-memory.dmp

Filesize
104KB

Download
memory/3768-169-0x0000000006D30000-0x0000000006D3A000-memory.dmp

Filesize
40KB

Download
memory/3768-170-0x0000000006F40000-0x0000000006FD6000-memory.dmp

Filesize
600KB

Download
memory/3768-171-0x0000000006F00000-0x0000000006F0E000-memory.dmp

Filesize
56KB

Download
memory/3768-172-0x0000000007010000-0x000000000702A000-memory.dmp

Filesize
104KB

Download
memory/3768-173-0x0000000006FF0000-0x0000000006FF8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads