remcos | f851ccd89ef8f8e28648ff600789364e9caf5c522a5e7238cee619a229cc821d

General

Target

RFQ 2290.exe
Size

1.3MB
MD5

85e8ae98556d7927fa40c5cba4e4a16a
SHA1

3013724dbc0bedda4bc2528ba01c7495f26614b1
SHA256

f851ccd89ef8f8e28648ff600789364e9caf5c522a5e7238cee619a229cc821d
SHA512

25e6158d69a61945d1513d0a12ffe1d1178a5c9e2ffeb032791b2dadc294d4f1e6b4d73242183b1ce0059e7421c9a9eea62cca6a3683002ee841e42cedce9969
SSDEEP

24576:WqHo1sfbYnNTHIsxcb5V9zpn8jte3q/3uASeA8vOE/dkJw1:WqIafENUkcb5rpn8Y3q/eAYU

Score

10^/10

remcos new rem stub evasion rat

Malware Config

Extracted

Family

remcos

Botnet

NEW REM STUB

C2

valvesco.duckdns.org:5050

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-48V73L
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

RFQ 2290.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions RFQ 2290.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

RFQ 2290.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools RFQ 2290.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	RFQ 2290.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	RFQ 2290.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RFQ 2290.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RFQ 2290.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RFQ 2290.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

RFQ 2290.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RFQ 2290.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	RFQ 2290.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQ 2290.exe

description pid process target process

PID 1056 set thread context of 1148 1056 RFQ 2290.exe RFQ 2290.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

540 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

RFQ 2290.exepowershell.exepowershell.exe

pid process

1056 RFQ 2290.exe
1056 RFQ 2290.exe
320 powershell.exe
1444 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RFQ 2290.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1056 RFQ 2290.exe
Token: SeDebugPrivilege 320 powershell.exe
Token: SeDebugPrivilege 1444 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RFQ 2290.exe

pid process

1148 RFQ 2290.exe

description	pid	process	target process
PID 1056 set thread context of 1148	1056	RFQ 2290.exe	RFQ 2290.exe

pid	process
540	schtasks.exe

pid	process
1056	RFQ 2290.exe
1056	RFQ 2290.exe
320	powershell.exe
1444	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1056	RFQ 2290.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe

pid	process
1148	RFQ 2290.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

RFQ 2290.exe

description	pid	process	target process
PID 1056 wrote to memory of 320	1056	RFQ 2290.exe	powershell.exe
PID 1056 wrote to memory of 320	1056	RFQ 2290.exe	powershell.exe
PID 1056 wrote to memory of 320	1056	RFQ 2290.exe	powershell.exe
PID 1056 wrote to memory of 320	1056	RFQ 2290.exe	powershell.exe
PID 1056 wrote to memory of 1444	1056	RFQ 2290.exe	powershell.exe
PID 1056 wrote to memory of 1444	1056	RFQ 2290.exe	powershell.exe
PID 1056 wrote to memory of 1444	1056	RFQ 2290.exe	powershell.exe
PID 1056 wrote to memory of 1444	1056	RFQ 2290.exe	powershell.exe
PID 1056 wrote to memory of 540	1056	RFQ 2290.exe	schtasks.exe
PID 1056 wrote to memory of 540	1056	RFQ 2290.exe	schtasks.exe
PID 1056 wrote to memory of 540	1056	RFQ 2290.exe	schtasks.exe
PID 1056 wrote to memory of 540	1056	RFQ 2290.exe	schtasks.exe
PID 1056 wrote to memory of 1148	1056	RFQ 2290.exe	RFQ 2290.exe
PID 1056 wrote to memory of 1148	1056	RFQ 2290.exe	RFQ 2290.exe
PID 1056 wrote to memory of 1148	1056	RFQ 2290.exe	RFQ 2290.exe
PID 1056 wrote to memory of 1148	1056	RFQ 2290.exe	RFQ 2290.exe
PID 1056 wrote to memory of 1148	1056	RFQ 2290.exe	RFQ 2290.exe
PID 1056 wrote to memory of 1148	1056	RFQ 2290.exe	RFQ 2290.exe
PID 1056 wrote to memory of 1148	1056	RFQ 2290.exe	RFQ 2290.exe
PID 1056 wrote to memory of 1148	1056	RFQ 2290.exe	RFQ 2290.exe
PID 1056 wrote to memory of 1148	1056	RFQ 2290.exe	RFQ 2290.exe
PID 1056 wrote to memory of 1148	1056	RFQ 2290.exe	RFQ 2290.exe
PID 1056 wrote to memory of 1148	1056	RFQ 2290.exe	RFQ 2290.exe
PID 1056 wrote to memory of 1148	1056	RFQ 2290.exe	RFQ 2290.exe
PID 1056 wrote to memory of 1148	1056	RFQ 2290.exe	RFQ 2290.exe

C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iDKZenUzizmrGT.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDKZenUzizmrGT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDDB3.tmp"
2⤵
- Creates scheduled task(s)
PID:540

C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDDB3.tmp
Filesize
1KB

MD5
b12843f75ff19d128f5e075cc6206a4f

SHA1
f14ddbd34478e65d8012b2e3c69bc47c7e65a636

SHA256
83481a3662bb3e5bc731d9f289eacf5d78a7e7f893d1e02e3ddde8cf38c5fb47

SHA512
3eb9b95928577ecbff7b34f8a1e73deecd21490af6df8a3dd4e3e0e9940d41bd81a11ec881df105c02b1a498de3fb4d5addf8fbb659e59d5a3c9e5ba644bc797

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
57787efe8d9108c8b1c9388202ff6754

SHA1
96346007d4fdbe375aab48b96ee4e682ffef3207

SHA256
10275b10a249365182c702882fb8fb38bca78a409cbf1cfd1d33255c85454e83

SHA512
8d777a045a99ce77d2044f8f7da3c0410971053e04800c4871f0ea51ed3e576ed106ac66d04cf13ced790385b3213434395d36ac8ea63706d80a75a03f7f9adf

Download Submit
memory/320-59-0x0000000000000000-mapping.dmp

Download
memory/320-87-0x000000006F930000-0x000000006FEDB000-memory.dmp

Filesize
5.7MB

Download
memory/320-84-0x000000006F930000-0x000000006FEDB000-memory.dmp

Filesize
5.7MB

Download
memory/540-62-0x0000000000000000-mapping.dmp

Download
memory/1056-54-0x0000000000940000-0x0000000000A98000-memory.dmp

Filesize
1.3MB

Download
memory/1056-55-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/1056-56-0x0000000000470000-0x0000000000484000-memory.dmp

Filesize
80KB

Download
memory/1056-57-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/1056-58-0x0000000008090000-0x000000000819E000-memory.dmp

Filesize
1.1MB

Download
memory/1056-66-0x0000000008AC0000-0x0000000008B7C000-memory.dmp

Filesize
752KB

Download
memory/1148-72-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1148-79-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1148-68-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1148-74-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1148-73-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1148-75-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1148-77-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1148-70-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1148-80-0x00000000004327A4-mapping.dmp

Download
memory/1148-83-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1148-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1148-89-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1148-86-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1444-61-0x0000000000000000-mapping.dmp

Download
memory/1444-88-0x000000006F930000-0x000000006FEDB000-memory.dmp

Filesize
5.7MB

Download
memory/1444-85-0x000000006F930000-0x000000006FEDB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads