remcos | f0e74e898047aee18b1ea7d0b0914ffd8bcd5c42b8bea13740b4e6889c811f14

General

Target

RFQ-01.300.TRGVH.exe
Size

1012KB
MD5

b6a6fc8a799dd7d74a93685b36e42f94
SHA1

96ee3eaf5acd15c65e0ff338a715d177439141fd
SHA256

34e71ffe582c188deddcd4d31823cac8abe3c24880a0e85f5806140db9b6c8ab
SHA512

bedf43a2dee32d43e71e68a0d47304dda4022589df4d5e93b5a6b623c629d2a6d630c6bb4a13a269969064efa24680ba350957e1c269e68d7b720ac0fa6c6f8f
SSDEEP

24576:Uomxi8UzasrFA6QTM4mXdNvuJ65fyIWAAmPPWgHOTB+QF/7:UoKXyhrFCM4mtNvuJ65fymAmPPWgHyMQ

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

51.75.209.245:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-CMFPLR
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RFQ-01.300.TRGVH.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	RFQ-01.300.TRGVH.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQ-01.300.TRGVH.exe

description pid process target process

PID 1448 set thread context of 4556 1448 RFQ-01.300.TRGVH.exe RFQ-01.300.TRGVH.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3176 schtasks.exe

description	pid	process	target process
PID 1448 set thread context of 4556	1448	RFQ-01.300.TRGVH.exe	RFQ-01.300.TRGVH.exe

pid	process
3176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

RFQ-01.300.TRGVH.exepowershell.exepowershell.exe

pid	process
1448	RFQ-01.300.TRGVH.exe
1448	RFQ-01.300.TRGVH.exe
1448	RFQ-01.300.TRGVH.exe
1448	RFQ-01.300.TRGVH.exe
1448	RFQ-01.300.TRGVH.exe
1448	RFQ-01.300.TRGVH.exe
5004	powershell.exe
648	powershell.exe
1448	RFQ-01.300.TRGVH.exe
648	powershell.exe
5004	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RFQ-01.300.TRGVH.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1448	RFQ-01.300.TRGVH.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RFQ-01.300.TRGVH.exe

pid process

4556 RFQ-01.300.TRGVH.exe

pid	process
4556	RFQ-01.300.TRGVH.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

RFQ-01.300.TRGVH.exe

description	pid	process	target process
PID 1448 wrote to memory of 648	1448	RFQ-01.300.TRGVH.exe	powershell.exe
PID 1448 wrote to memory of 648	1448	RFQ-01.300.TRGVH.exe	powershell.exe
PID 1448 wrote to memory of 648	1448	RFQ-01.300.TRGVH.exe	powershell.exe
PID 1448 wrote to memory of 5004	1448	RFQ-01.300.TRGVH.exe	powershell.exe
PID 1448 wrote to memory of 5004	1448	RFQ-01.300.TRGVH.exe	powershell.exe
PID 1448 wrote to memory of 5004	1448	RFQ-01.300.TRGVH.exe	powershell.exe
PID 1448 wrote to memory of 3176	1448	RFQ-01.300.TRGVH.exe	schtasks.exe
PID 1448 wrote to memory of 3176	1448	RFQ-01.300.TRGVH.exe	schtasks.exe
PID 1448 wrote to memory of 3176	1448	RFQ-01.300.TRGVH.exe	schtasks.exe
PID 1448 wrote to memory of 4556	1448	RFQ-01.300.TRGVH.exe	RFQ-01.300.TRGVH.exe
PID 1448 wrote to memory of 4556	1448	RFQ-01.300.TRGVH.exe	RFQ-01.300.TRGVH.exe
PID 1448 wrote to memory of 4556	1448	RFQ-01.300.TRGVH.exe	RFQ-01.300.TRGVH.exe
PID 1448 wrote to memory of 4556	1448	RFQ-01.300.TRGVH.exe	RFQ-01.300.TRGVH.exe
PID 1448 wrote to memory of 4556	1448	RFQ-01.300.TRGVH.exe	RFQ-01.300.TRGVH.exe
PID 1448 wrote to memory of 4556	1448	RFQ-01.300.TRGVH.exe	RFQ-01.300.TRGVH.exe
PID 1448 wrote to memory of 4556	1448	RFQ-01.300.TRGVH.exe	RFQ-01.300.TRGVH.exe
PID 1448 wrote to memory of 4556	1448	RFQ-01.300.TRGVH.exe	RFQ-01.300.TRGVH.exe
PID 1448 wrote to memory of 4556	1448	RFQ-01.300.TRGVH.exe	RFQ-01.300.TRGVH.exe
PID 1448 wrote to memory of 4556	1448	RFQ-01.300.TRGVH.exe	RFQ-01.300.TRGVH.exe
PID 1448 wrote to memory of 4556	1448	RFQ-01.300.TRGVH.exe	RFQ-01.300.TRGVH.exe
PID 1448 wrote to memory of 4556	1448	RFQ-01.300.TRGVH.exe	RFQ-01.300.TRGVH.exe

C:\Users\Admin\AppData\Local\Temp\RFQ-01.300.TRGVH.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-01.300.TRGVH.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ-01.300.TRGVH.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dnyWDvH.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dnyWDvH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFC71.tmp"
2⤵
- Creates scheduled task(s)
PID:3176

C:\Users\Admin\AppData\Local\Temp\RFQ-01.300.TRGVH.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-01.300.TRGVH.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:4556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
55KB

MD5
4c7b892c59fbbd4a5e8f900ef37d5466

SHA1
3165a5d540ad9146f9bfee8178cc477f267f4f60

SHA256
95041b0f6010a88e53a23b0e0ea1ec9cb9512828d03db4a0be2326ba3030d557

SHA512
7b344af9ebe5e6a43002d4850627ec44b6412e6582500dbbaef6833a4e4b36fbb64a3e82b661a68c5d50441dd84504cf0961453b3fd5dfc9b3684a453e1fe490

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFC71.tmp
Filesize
1KB

MD5
a865b3ee71d27ed2f5d15e99b822bd46

SHA1
93cb23e5fda3b36d32c8eb31b7c6810c261083fd

SHA256
deb16e641eae9bac288c26a75c844aca8601901bd93071fd21bffe4c4c822f69

SHA512
370e9e430e218469c7bad46a1640110becbf3935803ac78b4934e0e4a08738fb1f902fff879aa53e9f3cc224cdc510cd689e544c455745e712f0c3e1e8e35515

Download Submit
memory/648-163-0x00000000072F0000-0x000000000730A000-memory.dmp

Filesize
104KB

Download
memory/648-161-0x0000000007210000-0x00000000072A6000-memory.dmp

Filesize
600KB

Download
memory/648-152-0x0000000006C40000-0x0000000006C72000-memory.dmp

Filesize
200KB

Download
memory/648-137-0x0000000000000000-mapping.dmp

Download
memory/648-145-0x0000000004DE0000-0x0000000004E46000-memory.dmp

Filesize
408KB

Download
memory/648-140-0x0000000002380000-0x00000000023B6000-memory.dmp

Filesize
216KB

Download
memory/648-162-0x00000000071F0000-0x00000000071FE000-memory.dmp

Filesize
56KB

Download
memory/648-141-0x0000000004FD0000-0x00000000055F8000-memory.dmp

Filesize
6.2MB

Download
memory/648-155-0x0000000070C40000-0x0000000070C8C000-memory.dmp

Filesize
304KB

Download
memory/648-143-0x0000000004CD0000-0x0000000004CF2000-memory.dmp

Filesize
136KB

Download
memory/648-144-0x0000000004D70000-0x0000000004DD6000-memory.dmp

Filesize
408KB

Download
memory/1448-136-0x000000000ACE0000-0x000000000AD7C000-memory.dmp

Filesize
624KB

Download
memory/1448-135-0x0000000004F40000-0x0000000004F4A000-memory.dmp

Filesize
40KB

Download
memory/1448-132-0x00000000005E0000-0x00000000006E2000-memory.dmp

Filesize
1.0MB

Download
memory/1448-134-0x0000000004F90000-0x0000000005022000-memory.dmp

Filesize
584KB

Download
memory/1448-133-0x0000000005540000-0x0000000005AE4000-memory.dmp

Filesize
5.6MB

Download
memory/3176-139-0x0000000000000000-mapping.dmp

Download
memory/4556-147-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4556-159-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4556-146-0x0000000000000000-mapping.dmp

Download
memory/4556-150-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4556-148-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4556-149-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5004-154-0x00000000067B0000-0x00000000067CE000-memory.dmp

Filesize
120KB

Download
memory/5004-158-0x0000000007580000-0x000000000758A000-memory.dmp

Filesize
40KB

Download
memory/5004-157-0x0000000007510000-0x000000000752A000-memory.dmp

Filesize
104KB

Download
memory/5004-156-0x0000000007B60000-0x00000000081DA000-memory.dmp

Filesize
6.5MB

Download
memory/5004-151-0x0000000006200000-0x000000000621E000-memory.dmp

Filesize
120KB

Download
memory/5004-153-0x0000000070C40000-0x0000000070C8C000-memory.dmp

Filesize
304KB

Download
memory/5004-138-0x0000000000000000-mapping.dmp

Download
memory/5004-164-0x0000000007830000-0x0000000007838000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads