remcos | 5ea7e1f0bac802c35592fcb8376962518b58841509377f7d4646b7693cbed7da

Analysis

max time kernel
148s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2023 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.3MB
MD5

85dfaae133455ac2a1a983c68018b959
SHA1

c41d6f393044decaa3c3c0148a1dfad3835912da
SHA256

5ea7e1f0bac802c35592fcb8376962518b58841509377f7d4646b7693cbed7da
SHA512

b412cdf023fb8662f260f82fa756a70cb8b5fc23e54857cf4a9f60331dbec074592d9f63a819734472f8fb7b2522cb16f56340dc2e99d1aa7f35554b5bd97ef1
SSDEEP

24576:yWmAFubSZdt9McpKzfN8w0f/GNuoQk2UeZRf/h4hEKasiX:q2ZdRpKbOwwf1RSKVs6

Score

10^/10

remcos remotehost rat upx

Malware Config

Extracted

Family

remcos

Version

4.0.1 Light

Botnet

RemoteHost

80.66.75.41:24155

80.66.75.41:55535

80.66.75.41:36405

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-MYECP1
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
2176	Engine.exe
4552	Current.exe.pif

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e05-133.dat	upx
behavioral2/files/0x0006000000022e05-134.dat	upx
behavioral2/memory/2176-136-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral2/memory/2176-161-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral2/memory/2176-162-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral2/memory/1268-164-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/1268-166-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/1268-167-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/1268-168-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/1268-169-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/1268-170-0x0000000000400000-0x000000000047C000-memory.dmp	upx

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4552 set thread context of 1268	4552	Current.exe.pif	94

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629973501-4017243118-3254762364-1000\{67546BE7-A436-484D-AEBA-F118F2A8BF29}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629973501-4017243118-3254762364-1000\{B237B003-894E-4753-B983-43EDAD4D2BF9}	svchost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3772	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
460	powershell.exe
460	powershell.exe
460	powershell.exe
4736	powershell.exe
4736	powershell.exe
4736	powershell.exe
4552	Current.exe.pif
4552	Current.exe.pif
4552	Current.exe.pif
4552	Current.exe.pif
4552	Current.exe.pif
4552	Current.exe.pif
4552	Current.exe.pif
4552	Current.exe.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	460	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4552	Current.exe.pif
4552	Current.exe.pif
4552	Current.exe.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4552	Current.exe.pif
4552	Current.exe.pif
4552	Current.exe.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4376	OpenWith.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 2176	4532	tmp.exe	80
PID 4532 wrote to memory of 2176	4532	tmp.exe	80
PID 4532 wrote to memory of 2176	4532	tmp.exe	80
PID 2176 wrote to memory of 844	2176	Engine.exe	82
PID 2176 wrote to memory of 844	2176	Engine.exe	82
PID 2176 wrote to memory of 844	2176	Engine.exe	82
PID 844 wrote to memory of 4268	844	cmd.exe	84
PID 844 wrote to memory of 4268	844	cmd.exe	84
PID 844 wrote to memory of 4268	844	cmd.exe	84
PID 4268 wrote to memory of 460	4268	cmd.exe	88
PID 4268 wrote to memory of 460	4268	cmd.exe	88
PID 4268 wrote to memory of 460	4268	cmd.exe	88
PID 4268 wrote to memory of 4736	4268	cmd.exe	89
PID 4268 wrote to memory of 4736	4268	cmd.exe	89
PID 4268 wrote to memory of 4736	4268	cmd.exe	89
PID 4268 wrote to memory of 3188	4268	cmd.exe	90
PID 4268 wrote to memory of 3188	4268	cmd.exe	90
PID 4268 wrote to memory of 3188	4268	cmd.exe	90
PID 4268 wrote to memory of 4552	4268	cmd.exe	91
PID 4268 wrote to memory of 4552	4268	cmd.exe	91
PID 4268 wrote to memory of 4552	4268	cmd.exe	91
PID 4268 wrote to memory of 3772	4268	cmd.exe	92
PID 4268 wrote to memory of 3772	4268	cmd.exe	92
PID 4268 wrote to memory of 3772	4268	cmd.exe	92
PID 4552 wrote to memory of 1268	4552	Current.exe.pif	94
PID 4552 wrote to memory of 1268	4552	Current.exe.pif	94
PID 4552 wrote to memory of 1268	4552	Current.exe.pif	94
PID 4552 wrote to memory of 1268	4552	Current.exe.pif	94
PID 4552 wrote to memory of 1268	4552	Current.exe.pif	94

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Users\Admin\AppData\Local\Temp\SETUP_26185\Engine.exe
  C:\Users\Admin\AppData\Local\Temp\SETUP_26185\Engine.exe /TH_ID=_4612 /OriginExe="C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd < 8
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:844
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4268
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avastui
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:460
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avgui
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4736
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^DvneJWXewaDsmRhLmDRWkLsgJlBpGsauKkXrIdYtIAcMPbCfOEDyvvjRtpancNcKZbGgTleoEMhLdFmkHkxwNhKhYuYmYmIVtKMsQgvE$" 39
        5⤵
        
        PID:3188
    - - C:\Users\Admin\AppData\Local\Temp\3osyhkki.0sq\19251\Current.exe.pif
        
        19251\\Current.exe.pif 19251\\M
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4552
      - C:\Windows\SysWOW64\nslookup.exe
        
        C:\Windows\SysWOW64\nslookup.exe
        6⤵
        
        PID:1268
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 8
        5⤵
        Runs ping.exe
        
        PID:3772

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:5060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:4312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5f7c1f474f35af531f9f7fbc64c13a72

SHA1
2ff7739fd6f68d1b57e72ff8e6a84d0f5f54bafa

SHA256
3ac607a0d82954bf6ef761748437d0e53bc4ad03bd03c3f4bfc5489096fe65a5

SHA512
fbd0bb6014cc02f707e82f4868987812d11cbfb53143214b4d26d6e40abb57b0132830e091d249407d60d7ee123b1aaa7938fb6584a152ac67c6b006cd446c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\3osyhkki.0sq\19251\Current.exe.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_26185\00000#30

Filesize
970KB

MD5
fc0d1c31d8e7d05ba8111ed9799cf492

SHA1
a9d62107d1da26fd6094000ac0a25ba49d6ca1b0

SHA256
1838b1b4910d1a9ba1edb723dd574ff649f35a1c12a1e5801ff6813873cb5523

SHA512
977d7e32c32cff1729e0ff5dad244410755982471c436233e0eb2889b904ba014e1ca852378f7180826543475ec5464cce5785b6b99f3b71967d399144b6ff9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_26185\00001#39

Filesize
872KB

MD5
824b8173f90d902258da3b255519d0c8

SHA1
fbda8221cdb2a44fa6b91a2e407e95cdaccbcb58

SHA256
28da5a81ce518399c6074751b4823e2b1c166b53bcd0a21dcadc87d4496fa8e0

SHA512
1bbc1fe373267a0eeeabde6a8d491b82c0e15b81358fc8a588cd950fbe42b6bed70b28643afa142090a00b7085e3cd239c30151207cb1759578a6583352ae272

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_26185\00002#8

Filesize
12KB

MD5
5f0114452c680ae20876ac94c26326bd

SHA1
4d2e23c5928dffe3d958d1ce1c42cbcc76c02dc9

SHA256
b66ea313edb1478de53d964414b2f61177d31d132b3fe1dd205df7dcc3b93019

SHA512
0103f6e25b61322c3f4beb490f96556693fbf2af463a95569c19c984fe8ece242dec0d4180ef903b873c1dd4faa02bf118d419fa0a1c4633df524ac220ed609a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_26185\Engine.exe

Filesize
392KB

MD5
a7a99a201774531d761f6aac2651a9df

SHA1
b122ae368c4bf103e959a6ebb54ddb310117ab96

SHA256
e6e73497e85e9ece4c92ac7d49e07b9d55e932ba2d9e5789b94b95a9841ee524

SHA512
056504da2afeed547a4123ac8c38b35291b7dc0126fb638ae304eee802ac572715f9d608e9f1655788a030f488354741ee27c805434111c8e915cf841c0892f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_26185\Engine.exe

Filesize
392KB

MD5
a7a99a201774531d761f6aac2651a9df

SHA1
b122ae368c4bf103e959a6ebb54ddb310117ab96

SHA256
e6e73497e85e9ece4c92ac7d49e07b9d55e932ba2d9e5789b94b95a9841ee524

SHA512
056504da2afeed547a4123ac8c38b35291b7dc0126fb638ae304eee802ac572715f9d608e9f1655788a030f488354741ee27c805434111c8e915cf841c0892f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_26185\Modern_Icon.bmp

Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_26185\Setup.txt

Filesize
2KB

MD5
7de6d0618810234a1fab91b4019fdf66

SHA1
c83ab90f1e25a6289cf854a0755efe7414fe6ca8

SHA256
cd8d8e6a720a16958b46408944d009f726cbbd06ef15660897adb59f870b3d7a

SHA512
cf9795170cc19777bef6948f529fc03ac6240cced4e3942b1abf50f0d68ea3ccb0f93b4bfe81f27e1c9e7a799755e58d74600fa1897ba957288921f857656cec

Download Submit
memory/460-150-0x0000000007660000-0x00000000076F6000-memory.dmp

Filesize
600KB

Download
memory/460-151-0x0000000006B80000-0x0000000006B9A000-memory.dmp

Filesize
104KB

Download
memory/460-144-0x0000000002D80000-0x0000000002DB6000-memory.dmp

Filesize
216KB

Download
memory/460-145-0x00000000057A0000-0x0000000005DC8000-memory.dmp

Filesize
6.2MB

Download
memory/460-146-0x00000000056F0000-0x0000000005712000-memory.dmp

Filesize
136KB

Download
memory/460-147-0x0000000005EC0000-0x0000000005F26000-memory.dmp

Filesize
408KB

Download
memory/460-148-0x0000000006030000-0x0000000006096000-memory.dmp

Filesize
408KB

Download
memory/460-149-0x00000000066A0000-0x00000000066BE000-memory.dmp

Filesize
120KB

Download
memory/460-153-0x0000000007CB0000-0x0000000008254000-memory.dmp

Filesize
5.6MB

Download
memory/460-152-0x0000000006BD0000-0x0000000006BF2000-memory.dmp

Filesize
136KB

Download
memory/1268-170-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1268-169-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1268-168-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1268-167-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1268-166-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1268-164-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2176-161-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/2176-162-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/2176-136-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download