remcos | bf778ea445b149430eb6969bb6cb016bea268e5277bddbb4e0b2b96d14056400

Analysis

max time kernel
147s
max time network
125s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04-01-2023 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cf363fbedce9ffb27df68141303d9e070185953.exe
Size

396KB
MD5

ede54566379dc00e28e2330dc4d9e96b
SHA1

9cf363fbedce9ffb27df68141303d9e070185953
SHA256

bf778ea445b149430eb6969bb6cb016bea268e5277bddbb4e0b2b96d14056400
SHA512

fbb65b28eec14fb3dd8028e4226f2b7e5239fa77262797c8dd40e22770efb2f23f38cdd9b639c9b885043c2eb3534a3b6caed874722527bd2ece9c95dc1f07eb
SSDEEP

12288:GlUV1s9uxQ0djHuDsIhXMbkEODKiuLnL7ZJAdGyO+:2uPb+uL5J+RO+

Score

10^/10

remcos rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 2 IoCs

flow	pid	Process
10	2020	cmd.exe
13	2020	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1580	vlc.exe

Loads dropped DLL 2 IoCs

pid	Process
1580	vlc.exe
1580	vlc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\vlc.job	cmd.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	9cf363fbedce9ffb27df68141303d9e070185953.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	9cf363fbedce9ffb27df68141303d9e070185953.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e309000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	9cf363fbedce9ffb27df68141303d9e070185953.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1580	vlc.exe
1512	cmd.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1512	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1580 wrote to memory of 1512	1580	vlc.exe	30
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1512 wrote to memory of 2020	1512	cmd.exe	32
PID 1580 wrote to memory of 1512	1580	vlc.exe	30

C:\Users\Admin\AppData\Local\Temp\9cf363fbedce9ffb27df68141303d9e070185953.exe
"C:\Users\Admin\AppData\Local\Temp\9cf363fbedce9ffb27df68141303d9e070185953.exe"
1⤵
- Modifies system certificate store
PID:860

C:\Users\Admin\AppData\Roaming\661a4921\vlc.exe
"C:\Users\Admin\AppData\Roaming\661a4921\vlc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\661a4921\Fruit.png

Filesize
639KB

MD5
42efa98488feb44a3263486777867613

SHA1
88b9dfc35d69b8aaccf9b94490adf12bc18c3392

SHA256
38d5e259f91bd4d5cacca1fa26aede7e07b4b1c05cf532ec844267ec3b10352a

SHA512
3488d6d6178407818f093f7b952f2cc22e200d56b5f2788443e540da2f8566f5c60e7868bec77ac5218864bb59d83b0868ab3da59425ed1b2779349f6964a7e4

Download Submit
C:\Users\Admin\AppData\Roaming\661a4921\idea.cfg

Filesize
349B

MD5
231bb072bf60cee296270e77ef34db22

SHA1
8d6150c1131fe172624c94988ac8bd876e60f9bc

SHA256
8800bc402755b217e8ff4b2ee7604293febfafc492aa29139f7cd55bfd053d02

SHA512
ee672b0d9473cde3f084c547f7c052500dbfd2f58ea0a3980755cd2023c68ec8bc2497dd31ec79fe11c7eb5129ee7d1ba3e2a6f5c47851cd9cb94f22b185bcbe

Download Submit
C:\Users\Admin\AppData\Roaming\661a4921\idea.mp3

Filesize
36KB

MD5
0bd497e905a9ebd04eb0ec6adaf27a23

SHA1
3b116c5ad39439994245e1a0b64d1fe7ff156ab9

SHA256
0c8c431a1f589fdcf453c7afada63c2e2e2a887e49abdbb222983fa6044fdf66

SHA512
96b42ee35b122b06e03c484e30752987e70e914badf931f66a43cc8eb5c807835c09e2ae8164edc311f2985341acd601996e3d81e8f0a699272fda9a157028b4

Download Submit
C:\Users\Admin\AppData\Roaming\661a4921\libvlc.dll

Filesize
172KB

MD5
08ba25a0598f94a2e9e52c7c7608f6f6

SHA1
b2a91472e6dd04e7d74c6aec4122cdf8fde8e31c

SHA256
072d31910b2a1cd83341bb8270fd2eebd8ca5a6e01fa0c6339e0867f59d2f29e

SHA512
1dfa0a7886ed9d6f32ffb93af3df955dbe13e35532b6af5c10a82e360330e69a7e29e9dc410322a532e4ac632dd6c73dfc3a6b570f3f49e66e62e0ab4dfb672a

Download Submit
C:\Users\Admin\AppData\Roaming\661a4921\libvlccore.dll

Filesize
2.5MB

MD5
7cb37d19125c7bde789d909cbb195a92

SHA1
167557844fbfe7d9f5caac16db335ad4d8da487e

SHA256
b08d45acc972574c39e6be64ab281e0d9c1fcd13ee1e245aa19d2eb73301ecc6

SHA512
7aab773f86847cf8420ec01e5f6336a73e131ff6d24d99c2b7906029c2e127711bc1e150fe8319921761907ba1be83f244539e3e48df548bb5c596f70a8de1ec

Download Submit
C:\Users\Admin\AppData\Roaming\661a4921\vlc.exe

Filesize
938KB

MD5
4cf6217603dac78494d273bdd9a3de84

SHA1
66f9e3e9b40cd9e3e3d4d80791d8d166e908c7ad

SHA256
1a403269242218a67e401c7e321bf466ef6b381bc7cb8a56ea77d504f7f81a44

SHA512
8f1e4b9603063602ec2e19b6742dc5ecbd47c1a64428a2f0190d2a624eb8ccf5cb14f57261fab947725dc7f918c4ee13ca4e4ee8507f63f9585ec9c881894dd5

Download Submit
C:\Users\Admin\AppData\Roaming\661a4921\vlc.exe

Filesize
938KB

MD5
4cf6217603dac78494d273bdd9a3de84

SHA1
66f9e3e9b40cd9e3e3d4d80791d8d166e908c7ad

SHA256
1a403269242218a67e401c7e321bf466ef6b381bc7cb8a56ea77d504f7f81a44

SHA512
8f1e4b9603063602ec2e19b6742dc5ecbd47c1a64428a2f0190d2a624eb8ccf5cb14f57261fab947725dc7f918c4ee13ca4e4ee8507f63f9585ec9c881894dd5

Download Submit
\Users\Admin\AppData\Roaming\661a4921\libvlc.dll

Filesize
172KB

MD5
08ba25a0598f94a2e9e52c7c7608f6f6

SHA1
b2a91472e6dd04e7d74c6aec4122cdf8fde8e31c

SHA256
072d31910b2a1cd83341bb8270fd2eebd8ca5a6e01fa0c6339e0867f59d2f29e

SHA512
1dfa0a7886ed9d6f32ffb93af3df955dbe13e35532b6af5c10a82e360330e69a7e29e9dc410322a532e4ac632dd6c73dfc3a6b570f3f49e66e62e0ab4dfb672a

Download Submit
\Users\Admin\AppData\Roaming\661a4921\libvlccore.dll

Filesize
2.5MB

MD5
7cb37d19125c7bde789d909cbb195a92

SHA1
167557844fbfe7d9f5caac16db335ad4d8da487e

SHA256
b08d45acc972574c39e6be64ab281e0d9c1fcd13ee1e245aa19d2eb73301ecc6

SHA512
7aab773f86847cf8420ec01e5f6336a73e131ff6d24d99c2b7906029c2e127711bc1e150fe8319921761907ba1be83f244539e3e48df548bb5c596f70a8de1ec

Download Submit
memory/860-54-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download
memory/1512-67-0x0000000000140000-0x0000000000148000-memory.dmp

Filesize
32KB

Download
memory/1512-68-0x0000000005680000-0x000000000570E000-memory.dmp

Filesize
568KB

Download
memory/1512-69-0x0000000076EC0000-0x0000000077069000-memory.dmp

Filesize
1.7MB

Download
memory/1512-72-0x0000000005688000-0x0000000005698000-memory.dmp

Filesize
64KB

Download
memory/1580-60-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1580-66-0x0000000000530000-0x000000000053A000-memory.dmp

Filesize
40KB

Download
memory/2020-74-0x0000000000090000-0x0000000000099000-memory.dmp

Filesize
36KB

Download
memory/2020-73-0x0000000076EC0000-0x0000000077069000-memory.dmp

Filesize
1.7MB

Download