remcos | b9a0c1222bea7c7a90eb111e5101dd2ca3355966af79dbd7a490498a8f3d6a58

General

Target

RFQ No. 01.300.TRGVH.exe
Size

802KB
MD5

ec36ba050f837fc4326c0efaa9835fc7
SHA1

7535e027bbe17595c0d7319d6f92614dab90609c
SHA256

b9a0c1222bea7c7a90eb111e5101dd2ca3355966af79dbd7a490498a8f3d6a58
SHA512

eb92eb6c89b46ac85cf13ba513d585d2bea76a0af483dc06cc2e25a7fcd4d9b36d7f2e6058862adf9879c4b29a8a5ad52f1f09b180585fbeb6d0039516d5df7d
SSDEEP

24576:As1itqyShGglrNUYiQlPV8LfoTiKLFVQa88E:PnUJ8moTi8

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

51.75.209.245:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-CMFPLR
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 612	1720	RFQ No. 01.300.TRGVH.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
520	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1720	RFQ No. 01.300.TRGVH.exe
1720	RFQ No. 01.300.TRGVH.exe
1720	RFQ No. 01.300.TRGVH.exe
1720	RFQ No. 01.300.TRGVH.exe
1720	RFQ No. 01.300.TRGVH.exe
1720	RFQ No. 01.300.TRGVH.exe
1720	RFQ No. 01.300.TRGVH.exe
1200	powershell.exe
1784	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	RFQ No. 01.300.TRGVH.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
612	RFQ No. 01.300.TRGVH.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1200	1720	RFQ No. 01.300.TRGVH.exe	26
PID 1720 wrote to memory of 1200	1720	RFQ No. 01.300.TRGVH.exe	26
PID 1720 wrote to memory of 1200	1720	RFQ No. 01.300.TRGVH.exe	26
PID 1720 wrote to memory of 1200	1720	RFQ No. 01.300.TRGVH.exe	26
PID 1720 wrote to memory of 1784	1720	RFQ No. 01.300.TRGVH.exe	28
PID 1720 wrote to memory of 1784	1720	RFQ No. 01.300.TRGVH.exe	28
PID 1720 wrote to memory of 1784	1720	RFQ No. 01.300.TRGVH.exe	28
PID 1720 wrote to memory of 1784	1720	RFQ No. 01.300.TRGVH.exe	28
PID 1720 wrote to memory of 520	1720	RFQ No. 01.300.TRGVH.exe	30
PID 1720 wrote to memory of 520	1720	RFQ No. 01.300.TRGVH.exe	30
PID 1720 wrote to memory of 520	1720	RFQ No. 01.300.TRGVH.exe	30
PID 1720 wrote to memory of 520	1720	RFQ No. 01.300.TRGVH.exe	30
PID 1720 wrote to memory of 612	1720	RFQ No. 01.300.TRGVH.exe	32
PID 1720 wrote to memory of 612	1720	RFQ No. 01.300.TRGVH.exe	32
PID 1720 wrote to memory of 612	1720	RFQ No. 01.300.TRGVH.exe	32
PID 1720 wrote to memory of 612	1720	RFQ No. 01.300.TRGVH.exe	32
PID 1720 wrote to memory of 612	1720	RFQ No. 01.300.TRGVH.exe	32
PID 1720 wrote to memory of 612	1720	RFQ No. 01.300.TRGVH.exe	32
PID 1720 wrote to memory of 612	1720	RFQ No. 01.300.TRGVH.exe	32
PID 1720 wrote to memory of 612	1720	RFQ No. 01.300.TRGVH.exe	32
PID 1720 wrote to memory of 612	1720	RFQ No. 01.300.TRGVH.exe	32
PID 1720 wrote to memory of 612	1720	RFQ No. 01.300.TRGVH.exe	32
PID 1720 wrote to memory of 612	1720	RFQ No. 01.300.TRGVH.exe	32
PID 1720 wrote to memory of 612	1720	RFQ No. 01.300.TRGVH.exe	32
PID 1720 wrote to memory of 612	1720	RFQ No. 01.300.TRGVH.exe	32

C:\Users\Admin\AppData\Local\Temp\RFQ No. 01.300.TRGVH.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ No. 01.300.TRGVH.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ No. 01.300.TRGVH.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1200
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kagBOPJAqcihqc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kagBOPJAqcihqc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2B27.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:520
- C:\Users\Admin\AppData\Local\Temp\RFQ No. 01.300.TRGVH.exe
  "C:\Users\Admin\AppData\Local\Temp\RFQ No. 01.300.TRGVH.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2B27.tmp

Filesize
1KB

MD5
7d0b10e7e6d37f90d7ccbe244b819eba

SHA1
b60aa852a729e44a5fc0d633d2f5cd5fafc4bced

SHA256
8b2c1145c1130e0a2ed6a20167c81e60a90abeb136337aa854473d2e87db9eab

SHA512
ef3a1235ddf8854fe5be1ae23526978014771be5c76bb7e7026c9d0b96439540232c4821aab5fbfa4ede11fd0f1d80d87c61b0e58ae6cad66520326c5f4c85fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6ea10a6e5d1c42059d3bd61b93f5e681

SHA1
8c7ae52853c603f017cc266c314b8be8b81d3254

SHA256
7c5127127d2f7b2fdd3995d11a19e22bb23a4ad11c727bde5b5f16dcaba0d652

SHA512
5668e609c51b08ce38a731211ddc73f93defe5be09c4a0694cb587d8b46b5f8e720b418d940264ad0ccf4b47b796c46c6c2f30a25ea58281f213f465402513bc

Download Submit
memory/520-66-0x0000000000000000-mapping.dmp

Download
memory/612-84-0x00000000004327A4-mapping.dmp

Download
memory/612-83-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/612-74-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/612-93-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/612-76-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/612-79-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/612-81-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/612-72-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/612-90-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/612-87-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/612-78-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/612-77-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/612-71-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1200-89-0x000000006C7D0000-0x000000006CD7B000-memory.dmp

Filesize
5.7MB

Download
memory/1200-63-0x0000000000000000-mapping.dmp

Download
memory/1200-91-0x000000006C7D0000-0x000000006CD7B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-57-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1720-70-0x00000000055C0000-0x000000000563C000-memory.dmp

Filesize
496KB

Download
memory/1720-61-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/1720-59-0x0000000000420000-0x000000000042A000-memory.dmp

Filesize
40KB

Download
memory/1720-55-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1720-54-0x0000000000AC0000-0x0000000000B8E000-memory.dmp

Filesize
824KB

Download
memory/1720-56-0x0000000004750000-0x0000000004810000-memory.dmp

Filesize
768KB

Download
memory/1720-58-0x0000000000420000-0x000000000042A000-memory.dmp

Filesize
40KB

Download
memory/1720-62-0x0000000005780000-0x0000000005832000-memory.dmp

Filesize
712KB

Download
memory/1720-60-0x0000000000420000-0x000000000042A000-memory.dmp

Filesize
40KB

Download
memory/1784-88-0x000000006C7D0000-0x000000006CD7B000-memory.dmp

Filesize
5.7MB

Download
memory/1784-65-0x0000000000000000-mapping.dmp

Download
memory/1784-92-0x000000006C7D0000-0x000000006CD7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads