remcos | c8fa17c1ffbda1e9adbba756824dd1beabce76fec69ea1f7d0687468bb05a132

General

Target

New Order PDF.exe
Size

972KB
MD5

6b91999eed261497a9e403af49e28374
SHA1

2a829d4b37e6ddd459ca4cd90aa4491aa323c435
SHA256

884595517122fb44145dccadc5962fed083effe1a8a24705972815503ecc579c
SHA512

7959076b081cd44f811c28b9df75997c903a4289e9793475c6fe7f6d69e40519b0bc9598ee91bfa008f65b7a17fb070d15f84a2a642db828bcfec5b293de54c7
SSDEEP

24576:2BYTW/5Eonh2qRoqNsnalXIIOXCGDEgVxtnJb9/Q+B:/aqonh2qRoMsnbRyGpxtnJb5

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

51.75.209.245:2406

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-52YOYG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	New Order PDF.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4972 set thread context of 2604	4972	New Order PDF.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4972	New Order PDF.exe
4972	New Order PDF.exe
4972	New Order PDF.exe
4972	New Order PDF.exe
4972	New Order PDF.exe
4972	New Order PDF.exe
2124	powershell.exe
1696	powershell.exe
2124	powershell.exe
4972	New Order PDF.exe
1696	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4972	New Order PDF.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2604	New Order PDF.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 2124	4972	New Order PDF.exe	89
PID 4972 wrote to memory of 2124	4972	New Order PDF.exe	89
PID 4972 wrote to memory of 2124	4972	New Order PDF.exe	89
PID 4972 wrote to memory of 1696	4972	New Order PDF.exe	91
PID 4972 wrote to memory of 1696	4972	New Order PDF.exe	91
PID 4972 wrote to memory of 1696	4972	New Order PDF.exe	91
PID 4972 wrote to memory of 1060	4972	New Order PDF.exe	93
PID 4972 wrote to memory of 1060	4972	New Order PDF.exe	93
PID 4972 wrote to memory of 1060	4972	New Order PDF.exe	93
PID 4972 wrote to memory of 2604	4972	New Order PDF.exe	95
PID 4972 wrote to memory of 2604	4972	New Order PDF.exe	95
PID 4972 wrote to memory of 2604	4972	New Order PDF.exe	95
PID 4972 wrote to memory of 2604	4972	New Order PDF.exe	95
PID 4972 wrote to memory of 2604	4972	New Order PDF.exe	95
PID 4972 wrote to memory of 2604	4972	New Order PDF.exe	95
PID 4972 wrote to memory of 2604	4972	New Order PDF.exe	95
PID 4972 wrote to memory of 2604	4972	New Order PDF.exe	95
PID 4972 wrote to memory of 2604	4972	New Order PDF.exe	95
PID 4972 wrote to memory of 2604	4972	New Order PDF.exe	95
PID 4972 wrote to memory of 2604	4972	New Order PDF.exe	95
PID 4972 wrote to memory of 2604	4972	New Order PDF.exe	95

C:\Users\Admin\AppData\Local\Temp\New Order PDF.exe
"C:\Users\Admin\AppData\Local\Temp\New Order PDF.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\New Order PDF.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LVjVfOCJZJIc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LVjVfOCJZJIc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4815.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1060
- C:\Users\Admin\AppData\Local\Temp\New Order PDF.exe
  "C:\Users\Admin\AppData\Local\Temp\New Order PDF.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
92c18eee639bed8aa29da26541645920

SHA1
b48ed61aa5d6d2345a43f112aded5446541e0b4e

SHA256
68d3484cf4d57cac16824ca4dd84ae1344ff53188bd077d22514572d26e60f1c

SHA512
6763fcb354e8dea1b42e16811082a20214cc1406bd3dfb2cf495884f90310e55615e490239639d0e6681213e96551235b63825c1e8a73fb3675a74397c376106

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4815.tmp

Filesize
1KB

MD5
135f797ca2ac7d2a8d9a6c77ac07855b

SHA1
2fc60cc6de313c5684d31feee47e659ab1b42513

SHA256
654189e0ff14d39bc4dc385c2b8513d21f4eb66a035a1c72ff7cd739858ecd64

SHA512
2807cb015604fd8f1960ad2002177b4d3e43ee70aa978704ca61866f2f4ad7f06bcc184ec8ce6f548b7de98d381ea0cbadd23f5b3e05eb82d57a1d4bd31e4737

Download Submit
memory/1060-140-0x0000000000000000-mapping.dmp

Download
memory/1696-138-0x0000000000000000-mapping.dmp

Download
memory/1696-160-0x00000000071E0000-0x00000000071EE000-memory.dmp

Filesize
56KB

Download
memory/1696-154-0x0000000073B90000-0x0000000073BDC000-memory.dmp

Filesize
304KB

Download
memory/1696-161-0x00000000072F0000-0x000000000730A000-memory.dmp

Filesize
104KB

Download
memory/1696-159-0x0000000007230000-0x00000000072C6000-memory.dmp

Filesize
600KB

Download
memory/1696-158-0x0000000007020000-0x000000000702A000-memory.dmp

Filesize
40KB

Download
memory/1696-162-0x00000000072D0000-0x00000000072D8000-memory.dmp

Filesize
32KB

Download
memory/1696-157-0x00000000075F0000-0x0000000007C6A000-memory.dmp

Filesize
6.5MB

Download
memory/1696-144-0x00000000055D0000-0x0000000005636000-memory.dmp

Filesize
408KB

Download
memory/2124-139-0x00000000052D0000-0x0000000005306000-memory.dmp

Filesize
216KB

Download
memory/2124-155-0x0000000006DE0000-0x0000000006DFE000-memory.dmp

Filesize
120KB

Download
memory/2124-137-0x0000000000000000-mapping.dmp

Download
memory/2124-141-0x0000000005A30000-0x0000000006058000-memory.dmp

Filesize
6.2MB

Download
memory/2124-156-0x0000000007BB0000-0x0000000007BCA000-memory.dmp

Filesize
104KB

Download
memory/2124-150-0x00000000068B0000-0x00000000068CE000-memory.dmp

Filesize
120KB

Download
memory/2124-143-0x0000000006090000-0x00000000060B2000-memory.dmp

Filesize
136KB

Download
memory/2124-152-0x0000000006EB0000-0x0000000006EE2000-memory.dmp

Filesize
200KB

Download
memory/2124-153-0x0000000073B90000-0x0000000073BDC000-memory.dmp

Filesize
304KB

Download
memory/2124-145-0x0000000006290000-0x00000000062F6000-memory.dmp

Filesize
408KB

Download
memory/2604-151-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2604-146-0x0000000000000000-mapping.dmp

Download
memory/2604-149-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2604-147-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2604-148-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2604-165-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4972-132-0x0000000000DA0000-0x0000000000E9A000-memory.dmp

Filesize
1000KB

Download
memory/4972-136-0x0000000007F20000-0x0000000007FBC000-memory.dmp

Filesize
624KB

Download
memory/4972-135-0x0000000005760000-0x000000000576A000-memory.dmp

Filesize
40KB

Download
memory/4972-134-0x00000000057B0000-0x0000000005842000-memory.dmp

Filesize
584KB

Download
memory/4972-133-0x0000000005D60000-0x0000000006304000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads