remcos | 97ca5f27f01eb1699c1b2a6acf86329f1c12846706c5aee213e337853754e2a8

Analysis

max time kernel
600s
max time network
604s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CONTRACT.exe
Size

444KB
MD5

8bff446184b5ab123684c62895414df0
SHA1

c08002db93295dc774137fb8b64e25982bb813b0
SHA256

38e450e0f888c722ba57ed39900759397ede821614371832456b7fa29143aaba
SHA512

232757030b2f0a4498cda94bd5b4215193396fb5e705df36391c54b713104eec629ff54f10778e2f7e3958b01194e4bbe2f5b63200469d01b92448eeb2599809
SSDEEP

12288:VAC+Qu5ylAM8kCR7GIwhg9ZRHmWE485yHv/8YM1jk:WCTlAMiR6IfXm3WMZo

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

drremcoz1.ddns.net:1307

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-FADJRF
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

pxsvrjfkc.exepxsvrjfkc.exe

pid process

4120 pxsvrjfkc.exe
4980 pxsvrjfkc.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

pxsvrjfkc.exe

description pid process target process

PID 4120 set thread context of 4980 4120 pxsvrjfkc.exe pxsvrjfkc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pxsvrjfkc.exe

pid process

4120 pxsvrjfkc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

pxsvrjfkc.exe

pid process

4980 pxsvrjfkc.exe

pid	process
4120	pxsvrjfkc.exe
4980	pxsvrjfkc.exe

description	pid	process	target process
PID 4120 set thread context of 4980	4120	pxsvrjfkc.exe	pxsvrjfkc.exe

pid	process
4120	pxsvrjfkc.exe

pid	process
4980	pxsvrjfkc.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

CONTRACT.exepxsvrjfkc.exe

description	pid	process	target process
PID 2420 wrote to memory of 4120	2420	CONTRACT.exe	pxsvrjfkc.exe
PID 2420 wrote to memory of 4120	2420	CONTRACT.exe	pxsvrjfkc.exe
PID 2420 wrote to memory of 4120	2420	CONTRACT.exe	pxsvrjfkc.exe
PID 4120 wrote to memory of 4980	4120	pxsvrjfkc.exe	pxsvrjfkc.exe
PID 4120 wrote to memory of 4980	4120	pxsvrjfkc.exe	pxsvrjfkc.exe
PID 4120 wrote to memory of 4980	4120	pxsvrjfkc.exe	pxsvrjfkc.exe
PID 4120 wrote to memory of 4980	4120	pxsvrjfkc.exe	pxsvrjfkc.exe

C:\Users\Admin\AppData\Local\Temp\CONTRACT.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACT.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2420

C:\Users\Admin\AppData\Local\Temp\pxsvrjfkc.exe
"C:\Users\Admin\AppData\Local\Temp\pxsvrjfkc.exe" C:\Users\Admin\AppData\Local\Temp\thoga.wi
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4120

C:\Users\Admin\AppData\Local\Temp\pxsvrjfkc.exe
"C:\Users\Admin\AppData\Local\Temp\pxsvrjfkc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oegcns.foz
Filesize
469KB

MD5
de8044726c585f4741e6db78c08cdfc8

SHA1
b773dea447ef2c7a70ab5eb02cdbf34f03927ea1

SHA256
1c97a6c00f9635d38681572fd4c9fc68a9e71b6170b05b50fed64eea9346c89b

SHA512
72d26e195a7f615d33712a0ebcdae32f797120bbe27fecefebcec6726c6797836af50dce44ff7cb4d580df2e124db4cc8ebe273453fc5bea8af62f6372a22b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxsvrjfkc.exe
Filesize
12KB

MD5
3e04e586c99713a446fb9fc183867eb2

SHA1
1366d02cfce19379ff6c878f13fe47e1dde8d246

SHA256
591de4e14c50bb35c5017f59f51d7a418fa89e030f414d903f35413b1fac1f5b

SHA512
6e4b84aa46eadc910b91496b4a7b8fe64777c892a1cf748d450a7536dbd1a25e13a6448550849f71d7c0596e9bf9d0315c833ce444efd780c490491e41a897c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxsvrjfkc.exe
Filesize
12KB

MD5
3e04e586c99713a446fb9fc183867eb2

SHA1
1366d02cfce19379ff6c878f13fe47e1dde8d246

SHA256
591de4e14c50bb35c5017f59f51d7a418fa89e030f414d903f35413b1fac1f5b

SHA512
6e4b84aa46eadc910b91496b4a7b8fe64777c892a1cf748d450a7536dbd1a25e13a6448550849f71d7c0596e9bf9d0315c833ce444efd780c490491e41a897c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxsvrjfkc.exe
Filesize
12KB

MD5
3e04e586c99713a446fb9fc183867eb2

SHA1
1366d02cfce19379ff6c878f13fe47e1dde8d246

SHA256
591de4e14c50bb35c5017f59f51d7a418fa89e030f414d903f35413b1fac1f5b

SHA512
6e4b84aa46eadc910b91496b4a7b8fe64777c892a1cf748d450a7536dbd1a25e13a6448550849f71d7c0596e9bf9d0315c833ce444efd780c490491e41a897c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\thoga.wi
Filesize
5KB

MD5
3bdc83cec9bb5bb252e9f5305a4fea45

SHA1
f72c926a6862a7eee8a263384354f9f7889948f7

SHA256
b75b9780bad70797af4538f2ccc2b5f63c6b0f46d3a3758b53e9931738c20a71

SHA512
f54532bcfb5666749f9bd37b1b675b13d404d9d298283f2e416d9b14ff371a5ffdbaecc18f94349f5c5ab3137a3b5e51f64b0618b53704cfae89f152dc7c6c4d

Download Submit
memory/4120-132-0x0000000000000000-mapping.dmp

Download
memory/4980-137-0x0000000000000000-mapping.dmp

Download
memory/4980-139-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4980-140-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download