remcos | 4f7e671c26e269961ffa6a6639a5522b66c06c8c119bdfb297797473bb7b4cbc

Analysis

max time kernel
153s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebb80429c2ab3a4b98092d9681c83a0f.exe
Size

322KB
MD5

ebb80429c2ab3a4b98092d9681c83a0f
SHA1

ff42b517c77a1e7fd1e8c133cdc3702f455e2a2f
SHA256

4f7e671c26e269961ffa6a6639a5522b66c06c8c119bdfb297797473bb7b4cbc
SHA512

eef552e819bcf016662e3e5bdeeef7c6bba33d8f3d760fec397c464352590a4d7c3a63a1614dc8f5b80af5282b31e39eed512ea933866205c46c84f0675938c4
SSDEEP

6144:HNeZm2smfQ8gA3mXO5cOZuIpkgaB/uPLDmzxxznqJRMVYaWp2Oal0t8FqD:HNl3mfQq3/JX0QLDi/zsaaz

Score

10^/10

remcos test persistence rat upx

Malware Config

Extracted

Family

remcos

Botnet

test

91.192.100.20:7967

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-TIHKWD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
1480	mzzfe.exe
568	remcos.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1912-66-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/332-77-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/332-78-0x0000000000400000-0x0000000000487000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
968	ebb80429c2ab3a4b98092d9681c83a0f.exe
1480	mzzfe.exe
1912	mzzfe.exe
1600	cmd.exe
332	remcos.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	mzzfe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	mzzfe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	mzzfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	mzzfe.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1480 set thread context of 1912	1480	mzzfe.exe	28
PID 568 set thread context of 332	568	remcos.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
332	remcos.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 1480	968	ebb80429c2ab3a4b98092d9681c83a0f.exe	27
PID 968 wrote to memory of 1480	968	ebb80429c2ab3a4b98092d9681c83a0f.exe	27
PID 968 wrote to memory of 1480	968	ebb80429c2ab3a4b98092d9681c83a0f.exe	27
PID 968 wrote to memory of 1480	968	ebb80429c2ab3a4b98092d9681c83a0f.exe	27
PID 1480 wrote to memory of 1912	1480	mzzfe.exe	28
PID 1480 wrote to memory of 1912	1480	mzzfe.exe	28
PID 1480 wrote to memory of 1912	1480	mzzfe.exe	28
PID 1480 wrote to memory of 1912	1480	mzzfe.exe	28
PID 1480 wrote to memory of 1912	1480	mzzfe.exe	28
PID 1912 wrote to memory of 1344	1912	mzzfe.exe	29
PID 1912 wrote to memory of 1344	1912	mzzfe.exe	29
PID 1912 wrote to memory of 1344	1912	mzzfe.exe	29
PID 1912 wrote to memory of 1344	1912	mzzfe.exe	29
PID 1344 wrote to memory of 1600	1344	WScript.exe	30
PID 1344 wrote to memory of 1600	1344	WScript.exe	30
PID 1344 wrote to memory of 1600	1344	WScript.exe	30
PID 1344 wrote to memory of 1600	1344	WScript.exe	30
PID 1600 wrote to memory of 568	1600	cmd.exe	32
PID 1600 wrote to memory of 568	1600	cmd.exe	32
PID 1600 wrote to memory of 568	1600	cmd.exe	32
PID 1600 wrote to memory of 568	1600	cmd.exe	32
PID 568 wrote to memory of 332	568	remcos.exe	33
PID 568 wrote to memory of 332	568	remcos.exe	33
PID 568 wrote to memory of 332	568	remcos.exe	33
PID 568 wrote to memory of 332	568	remcos.exe	33
PID 568 wrote to memory of 332	568	remcos.exe	33

C:\Users\Admin\AppData\Local\Temp\ebb80429c2ab3a4b98092d9681c83a0f.exe
"C:\Users\Admin\AppData\Local\Temp\ebb80429c2ab3a4b98092d9681c83a0f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:968
- C:\Users\Admin\AppData\Local\Temp\mzzfe.exe
  "C:\Users\Admin\AppData\Local\Temp\mzzfe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Users\Admin\AppData\Local\Temp\mzzfe.exe
    "C:\Users\Admin\AppData\Local\Temp\mzzfe.exe"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1344
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1600
      - C:\ProgramData\Remcos\remcos.exe
        
        C:\ProgramData\Remcos\remcos.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\ProgramData\Remcos\remcos.exe
        
        C:\ProgramData\Remcos\remcos.exe
        7⤵
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\remcos.exe

Filesize
125KB

MD5
0441aaf5a815eeb2e69a76b1a462fb5a

SHA1
c315440ae55e779c8a0c4cf7c6fb9dbb9a03daf5

SHA256
a1c19d3a781af8ce19836bf600f4d49b3df02338af7bcab960ea6a6f03ce914d

SHA512
960a6ffaaeafd3011304dc1fdfca00ad7177cf2c02ffd1deac6ad609e9745acf15406268b274002d8c0e5c8d691c27c4467539b22ad96c3020827883df70118b

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
125KB

MD5
0441aaf5a815eeb2e69a76b1a462fb5a

SHA1
c315440ae55e779c8a0c4cf7c6fb9dbb9a03daf5

SHA256
a1c19d3a781af8ce19836bf600f4d49b3df02338af7bcab960ea6a6f03ce914d

SHA512
960a6ffaaeafd3011304dc1fdfca00ad7177cf2c02ffd1deac6ad609e9745acf15406268b274002d8c0e5c8d691c27c4467539b22ad96c3020827883df70118b

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
125KB

MD5
0441aaf5a815eeb2e69a76b1a462fb5a

SHA1
c315440ae55e779c8a0c4cf7c6fb9dbb9a03daf5

SHA256
a1c19d3a781af8ce19836bf600f4d49b3df02338af7bcab960ea6a6f03ce914d

SHA512
960a6ffaaeafd3011304dc1fdfca00ad7177cf2c02ffd1deac6ad609e9745acf15406268b274002d8c0e5c8d691c27c4467539b22ad96c3020827883df70118b

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
386B

MD5
1ec6289c6fd4c2ded6b2836ed28cbeb5

SHA1
c4e08195e6c640eb8860acc03fda1d649b4fe070

SHA256
6efdc40f9eb217f879607614e928b65bff759e424f3efb31faceb2a043c32dc2

SHA512
20bc46f4dee22f75f15c402c7c2eaee60fff7dd92548050585571dcbefd59485cc249c06bc3f1aac7a138e5ae67c0c3918b46ffa24c8b0f1b092e2f6b6e21288

Download Submit
C:\Users\Admin\AppData\Local\Temp\mzzfe.exe

Filesize
125KB

MD5
0441aaf5a815eeb2e69a76b1a462fb5a

SHA1
c315440ae55e779c8a0c4cf7c6fb9dbb9a03daf5

SHA256
a1c19d3a781af8ce19836bf600f4d49b3df02338af7bcab960ea6a6f03ce914d

SHA512
960a6ffaaeafd3011304dc1fdfca00ad7177cf2c02ffd1deac6ad609e9745acf15406268b274002d8c0e5c8d691c27c4467539b22ad96c3020827883df70118b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mzzfe.exe

Filesize
125KB

MD5
0441aaf5a815eeb2e69a76b1a462fb5a

SHA1
c315440ae55e779c8a0c4cf7c6fb9dbb9a03daf5

SHA256
a1c19d3a781af8ce19836bf600f4d49b3df02338af7bcab960ea6a6f03ce914d

SHA512
960a6ffaaeafd3011304dc1fdfca00ad7177cf2c02ffd1deac6ad609e9745acf15406268b274002d8c0e5c8d691c27c4467539b22ad96c3020827883df70118b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mzzfe.exe

Filesize
125KB

MD5
0441aaf5a815eeb2e69a76b1a462fb5a

SHA1
c315440ae55e779c8a0c4cf7c6fb9dbb9a03daf5

SHA256
a1c19d3a781af8ce19836bf600f4d49b3df02338af7bcab960ea6a6f03ce914d

SHA512
960a6ffaaeafd3011304dc1fdfca00ad7177cf2c02ffd1deac6ad609e9745acf15406268b274002d8c0e5c8d691c27c4467539b22ad96c3020827883df70118b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqmbj.w

Filesize
228KB

MD5
518bf8c18e617f61c2d8e0b6513b925d

SHA1
f8fe4041612a0f7384df91cce98051ff3ef2094b

SHA256
e15bc33f04d3842be3ce2cba0d5d9bd27862d921f9ac6c1ba3404ffd45f5ebc0

SHA512
9613399290f518812c8d2e53154b8afc45509867dc34bdebd449031542b6132e7cc845238b33ebb925384b9f4528aef2e290e74e70a27303351aff0b5994d1b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrxwuads.j

Filesize
4KB

MD5
46b2ce2aa4b00ab70940ab9b19942a5e

SHA1
10c9ae4c1f1c1fe6ed639a86e7259bf4a8cd361f

SHA256
d4185b2719d6ac863275066c26baeedee49b426c7787a44be9af4f44d31f17e3

SHA512
bb4003bb3b1ad26c35d7b3846de201e98ea2eb81791fe520601b64db54bb00de385c74dc4fca227a331e20179d1f14c012a3e742a0a887c6bdb4e0e106dcb158

Download Submit
\ProgramData\Remcos\remcos.exe

Filesize
125KB

MD5
0441aaf5a815eeb2e69a76b1a462fb5a

SHA1
c315440ae55e779c8a0c4cf7c6fb9dbb9a03daf5

SHA256
a1c19d3a781af8ce19836bf600f4d49b3df02338af7bcab960ea6a6f03ce914d

SHA512
960a6ffaaeafd3011304dc1fdfca00ad7177cf2c02ffd1deac6ad609e9745acf15406268b274002d8c0e5c8d691c27c4467539b22ad96c3020827883df70118b

Download Submit
\Users\Admin\AppData\Local\Temp\mzzfe.exe

Filesize
125KB

MD5
0441aaf5a815eeb2e69a76b1a462fb5a

SHA1
c315440ae55e779c8a0c4cf7c6fb9dbb9a03daf5

SHA256
a1c19d3a781af8ce19836bf600f4d49b3df02338af7bcab960ea6a6f03ce914d

SHA512
960a6ffaaeafd3011304dc1fdfca00ad7177cf2c02ffd1deac6ad609e9745acf15406268b274002d8c0e5c8d691c27c4467539b22ad96c3020827883df70118b

Download Submit
\Users\Admin\AppData\Local\Temp\mzzfe.exe

Filesize
125KB

MD5
0441aaf5a815eeb2e69a76b1a462fb5a

SHA1
c315440ae55e779c8a0c4cf7c6fb9dbb9a03daf5

SHA256
a1c19d3a781af8ce19836bf600f4d49b3df02338af7bcab960ea6a6f03ce914d

SHA512
960a6ffaaeafd3011304dc1fdfca00ad7177cf2c02ffd1deac6ad609e9745acf15406268b274002d8c0e5c8d691c27c4467539b22ad96c3020827883df70118b

Download Submit
memory/332-77-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/332-78-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/968-54-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/1912-66-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download