remcos | 1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f

General

Target

1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe
Size

893KB
MD5

e62c6746f84f89027d8924786fbe3280
SHA1

1b5c55ebe31f1588d0d677e81d68bb11a48be894
SHA256

1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f
SHA512

4233989e6594ab17d20d2d9b7397552e652028ab99b081fde885067904d0e949e564a5d9131dcd5a4b2a2cc3573437047dc29d0bfb385e88b8685f203001cb99
SSDEEP

12288:qBtwEru0VeNlhjfdF+/gKzfYIPI/Lj9tjAYpGo9pIt+9Hc+S2VLgxVQFt9M6sDPE:qNolhRczxILj3AVoIF2h+Cnbs7E

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Version

3.1.0 Pro

Botnet

RemoteHost

C2

berryttttiere.duckdns.org:6553

asddskfjjer.duckdns.org:6553

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-Q3VG56
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

remcos.exeremcos.exe

pid process

1008 remcos.exe
1252 remcos.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1072 cmd.exe

pid	process
1008	remcos.exe
1252	remcos.exe

pid	process
1072	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exeremcos.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exeremcos.exe

description	pid	process	target process
PID 896 set thread context of 1284	896	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe
PID 1008 set thread context of 1252	1008	remcos.exe	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

840 schtasks.exe
816 schtasks.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

1252 remcos.exe

pid	process
840	schtasks.exe
816	schtasks.exe

pid	process
1252	remcos.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exeWScript.execmd.exeremcos.exeremcos.exe

description	pid	process	target process
PID 896 wrote to memory of 840	896	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe	schtasks.exe
PID 896 wrote to memory of 840	896	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe	schtasks.exe
PID 896 wrote to memory of 840	896	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe	schtasks.exe
PID 896 wrote to memory of 840	896	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe	schtasks.exe
PID 896 wrote to memory of 1284	896	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe
PID 896 wrote to memory of 1284	896	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe
PID 896 wrote to memory of 1284	896	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe
PID 896 wrote to memory of 1284	896	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe
PID 896 wrote to memory of 1284	896	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe
PID 896 wrote to memory of 1284	896	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe
PID 896 wrote to memory of 1284	896	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe
PID 896 wrote to memory of 1284	896	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe
PID 896 wrote to memory of 1284	896	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe
PID 896 wrote to memory of 1284	896	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe
PID 896 wrote to memory of 1284	896	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe
PID 896 wrote to memory of 1284	896	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe
PID 896 wrote to memory of 1284	896	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe
PID 1284 wrote to memory of 700	1284	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe	WScript.exe
PID 1284 wrote to memory of 700	1284	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe	WScript.exe
PID 1284 wrote to memory of 700	1284	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe	WScript.exe
PID 1284 wrote to memory of 700	1284	1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe	WScript.exe
PID 700 wrote to memory of 1072	700	WScript.exe	cmd.exe
PID 700 wrote to memory of 1072	700	WScript.exe	cmd.exe
PID 700 wrote to memory of 1072	700	WScript.exe	cmd.exe
PID 700 wrote to memory of 1072	700	WScript.exe	cmd.exe
PID 1072 wrote to memory of 1008	1072	cmd.exe	remcos.exe
PID 1072 wrote to memory of 1008	1072	cmd.exe	remcos.exe
PID 1072 wrote to memory of 1008	1072	cmd.exe	remcos.exe
PID 1072 wrote to memory of 1008	1072	cmd.exe	remcos.exe
PID 1008 wrote to memory of 816	1008	remcos.exe	schtasks.exe
PID 1008 wrote to memory of 816	1008	remcos.exe	schtasks.exe
PID 1008 wrote to memory of 816	1008	remcos.exe	schtasks.exe
PID 1008 wrote to memory of 816	1008	remcos.exe	schtasks.exe
PID 1008 wrote to memory of 1252	1008	remcos.exe	remcos.exe
PID 1008 wrote to memory of 1252	1008	remcos.exe	remcos.exe
PID 1008 wrote to memory of 1252	1008	remcos.exe	remcos.exe
PID 1008 wrote to memory of 1252	1008	remcos.exe	remcos.exe
PID 1008 wrote to memory of 1252	1008	remcos.exe	remcos.exe
PID 1008 wrote to memory of 1252	1008	remcos.exe	remcos.exe
PID 1008 wrote to memory of 1252	1008	remcos.exe	remcos.exe
PID 1008 wrote to memory of 1252	1008	remcos.exe	remcos.exe
PID 1008 wrote to memory of 1252	1008	remcos.exe	remcos.exe
PID 1008 wrote to memory of 1252	1008	remcos.exe	remcos.exe
PID 1008 wrote to memory of 1252	1008	remcos.exe	remcos.exe
PID 1008 wrote to memory of 1252	1008	remcos.exe	remcos.exe
PID 1008 wrote to memory of 1252	1008	remcos.exe	remcos.exe
PID 1252 wrote to memory of 924	1252	remcos.exe	svchost.exe
PID 1252 wrote to memory of 924	1252	remcos.exe	svchost.exe
PID 1252 wrote to memory of 924	1252	remcos.exe	svchost.exe
PID 1252 wrote to memory of 924	1252	remcos.exe	svchost.exe
PID 1252 wrote to memory of 924	1252	remcos.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe
"C:\Users\Admin\AppData\Local\Temp\1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wOqvUC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFDC0.tmp"
2⤵
- Creates scheduled task(s)
PID:840

C:\Users\Admin\AppData\Local\Temp\1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f.exe
"{path}"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1072

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wOqvUC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB904.tmp"
6⤵
- Creates scheduled task(s)
PID:816

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"{path}"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
418B

MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB904.tmp

Filesize
1KB

MD5
87236de8ae51d05fd90fe89fe7cc8dd2

SHA1
f80f46a1ada8c499a7a325bf4164e2c802b25976

SHA256
ab583c4cc17d81d1e94e21d5db116ccb6529153111dd9d75059c38b586634a2c

SHA512
dae56cb8d34865abad73801f1b1a6fd14a0183e9eecc40dbe55e1c93ce81858ecab6133053c286a2b15ccbcce0b7470ca1b444e0a96a5fdd25073600e776f9ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFDC0.tmp

Filesize
1KB

MD5
87236de8ae51d05fd90fe89fe7cc8dd2

SHA1
f80f46a1ada8c499a7a325bf4164e2c802b25976

SHA256
ab583c4cc17d81d1e94e21d5db116ccb6529153111dd9d75059c38b586634a2c

SHA512
dae56cb8d34865abad73801f1b1a6fd14a0183e9eecc40dbe55e1c93ce81858ecab6133053c286a2b15ccbcce0b7470ca1b444e0a96a5fdd25073600e776f9ab

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

Filesize
893KB

MD5
e62c6746f84f89027d8924786fbe3280

SHA1
1b5c55ebe31f1588d0d677e81d68bb11a48be894

SHA256
1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f

SHA512
4233989e6594ab17d20d2d9b7397552e652028ab99b081fde885067904d0e949e564a5d9131dcd5a4b2a2cc3573437047dc29d0bfb385e88b8685f203001cb99

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

Filesize
893KB

MD5
e62c6746f84f89027d8924786fbe3280

SHA1
1b5c55ebe31f1588d0d677e81d68bb11a48be894

SHA256
1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f

SHA512
4233989e6594ab17d20d2d9b7397552e652028ab99b081fde885067904d0e949e564a5d9131dcd5a4b2a2cc3573437047dc29d0bfb385e88b8685f203001cb99

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

Filesize
893KB

MD5
e62c6746f84f89027d8924786fbe3280

SHA1
1b5c55ebe31f1588d0d677e81d68bb11a48be894

SHA256
1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f

SHA512
4233989e6594ab17d20d2d9b7397552e652028ab99b081fde885067904d0e949e564a5d9131dcd5a4b2a2cc3573437047dc29d0bfb385e88b8685f203001cb99

Download Submit
\Users\Admin\AppData\Roaming\Remcos\remcos.exe

Filesize
893KB

MD5
e62c6746f84f89027d8924786fbe3280

SHA1
1b5c55ebe31f1588d0d677e81d68bb11a48be894

SHA256
1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f

SHA512
4233989e6594ab17d20d2d9b7397552e652028ab99b081fde885067904d0e949e564a5d9131dcd5a4b2a2cc3573437047dc29d0bfb385e88b8685f203001cb99

Download Submit
memory/700-77-0x0000000000000000-mapping.dmp

Download
memory/816-89-0x0000000000000000-mapping.dmp

Download
memory/840-58-0x0000000000000000-mapping.dmp

Download
memory/896-54-0x00000000013C0000-0x00000000014A6000-memory.dmp

Filesize
920KB

Download
memory/896-57-0x0000000005E40000-0x0000000005F10000-memory.dmp

Filesize
832KB

Download
memory/896-56-0x0000000000420000-0x0000000000432000-memory.dmp

Filesize
72KB

Download
memory/896-55-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/924-109-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/924-110-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1008-84-0x0000000000000000-mapping.dmp

Download
memory/1008-88-0x00000000008C0000-0x00000000008D2000-memory.dmp

Filesize
72KB

Download
memory/1008-86-0x0000000000C50000-0x0000000000D36000-memory.dmp

Filesize
920KB

Download
memory/1072-81-0x0000000000000000-mapping.dmp

Download
memory/1252-113-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1252-104-0x000000000042EDDB-mapping.dmp

Download
memory/1252-108-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1252-112-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1284-65-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1284-78-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1284-76-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1284-73-0x000000000042EDDB-mapping.dmp

Download
memory/1284-72-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1284-70-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1284-68-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1284-67-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1284-66-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1284-63-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1284-61-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1284-60-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads