remcos | c99b050645ebbc138018a9dcb4c3029bc1a9aa9376e7541c1011e815942948e1

Resubmissions

01-02-2023 17:02

230201-vj6p3aah39 10

01-02-2023 17:00

230201-vjf5eacg4s 10

01-02-2023 16:57

230201-vgbrxacg2y 10

Analysis

max time kernel
600s
max time network
576s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01-02-2023 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DHL SHIPPING DOC PDF.exe
Size

1.0MB
MD5

6d452842eeb2efa505763049d59c553a
SHA1

e13f2202155e12573a985b5df24319e5320f588e
SHA256

52e2a0d6ec4940ac71db48d62f8de4fa9ea7ea4a0abfaff91175ea2e0ec0d998
SHA512

c37faf01a77690351e6cd47196821dddca39a3df07a9286b17e2916fc107429ddadc5dc9fa695bfb52ab8105a1e41b1367c6d68472dac64ecb47f9a9be4add54
SSDEEP

24576:uL5mA6W5L4EAyxtiH5wkm99RtPK7TQXQyRU5JqG4yPa:eJ41OtiH5wbbRucXQyRU8

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

51.75.209.245:2406

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-52YOYG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 1 IoCs

Processes:

DHL SHIPPING DOC PDF.exe

description pid process target process

PID 2700 set thread context of 3144 2700 DHL SHIPPING DOC PDF.exe DHL SHIPPING DOC PDF.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

64 schtasks.exe

description	pid	process	target process
PID 2700 set thread context of 3144	2700	DHL SHIPPING DOC PDF.exe	DHL SHIPPING DOC PDF.exe

pid	process
64	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

DHL SHIPPING DOC PDF.exepowershell.exepowershell.exe

pid	process
2700	DHL SHIPPING DOC PDF.exe
2700	DHL SHIPPING DOC PDF.exe
2700	DHL SHIPPING DOC PDF.exe
2700	DHL SHIPPING DOC PDF.exe
2700	DHL SHIPPING DOC PDF.exe
2700	DHL SHIPPING DOC PDF.exe
2700	DHL SHIPPING DOC PDF.exe
2700	DHL SHIPPING DOC PDF.exe
2368	powershell.exe
1300	powershell.exe
2368	powershell.exe
1300	powershell.exe
1300	powershell.exe
2368	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

DHL SHIPPING DOC PDF.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2700	DHL SHIPPING DOC PDF.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

DHL SHIPPING DOC PDF.exe

pid process

3144 DHL SHIPPING DOC PDF.exe

pid	process
3144	DHL SHIPPING DOC PDF.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

DHL SHIPPING DOC PDF.exe

description	pid	process	target process
PID 2700 wrote to memory of 2368	2700	DHL SHIPPING DOC PDF.exe	powershell.exe
PID 2700 wrote to memory of 2368	2700	DHL SHIPPING DOC PDF.exe	powershell.exe
PID 2700 wrote to memory of 2368	2700	DHL SHIPPING DOC PDF.exe	powershell.exe
PID 2700 wrote to memory of 1300	2700	DHL SHIPPING DOC PDF.exe	powershell.exe
PID 2700 wrote to memory of 1300	2700	DHL SHIPPING DOC PDF.exe	powershell.exe
PID 2700 wrote to memory of 1300	2700	DHL SHIPPING DOC PDF.exe	powershell.exe
PID 2700 wrote to memory of 64	2700	DHL SHIPPING DOC PDF.exe	schtasks.exe
PID 2700 wrote to memory of 64	2700	DHL SHIPPING DOC PDF.exe	schtasks.exe
PID 2700 wrote to memory of 64	2700	DHL SHIPPING DOC PDF.exe	schtasks.exe
PID 2700 wrote to memory of 3144	2700	DHL SHIPPING DOC PDF.exe	DHL SHIPPING DOC PDF.exe
PID 2700 wrote to memory of 3144	2700	DHL SHIPPING DOC PDF.exe	DHL SHIPPING DOC PDF.exe
PID 2700 wrote to memory of 3144	2700	DHL SHIPPING DOC PDF.exe	DHL SHIPPING DOC PDF.exe
PID 2700 wrote to memory of 3144	2700	DHL SHIPPING DOC PDF.exe	DHL SHIPPING DOC PDF.exe
PID 2700 wrote to memory of 3144	2700	DHL SHIPPING DOC PDF.exe	DHL SHIPPING DOC PDF.exe
PID 2700 wrote to memory of 3144	2700	DHL SHIPPING DOC PDF.exe	DHL SHIPPING DOC PDF.exe
PID 2700 wrote to memory of 3144	2700	DHL SHIPPING DOC PDF.exe	DHL SHIPPING DOC PDF.exe
PID 2700 wrote to memory of 3144	2700	DHL SHIPPING DOC PDF.exe	DHL SHIPPING DOC PDF.exe
PID 2700 wrote to memory of 3144	2700	DHL SHIPPING DOC PDF.exe	DHL SHIPPING DOC PDF.exe
PID 2700 wrote to memory of 3144	2700	DHL SHIPPING DOC PDF.exe	DHL SHIPPING DOC PDF.exe
PID 2700 wrote to memory of 3144	2700	DHL SHIPPING DOC PDF.exe	DHL SHIPPING DOC PDF.exe
PID 2700 wrote to memory of 3144	2700	DHL SHIPPING DOC PDF.exe	DHL SHIPPING DOC PDF.exe

C:\Users\Admin\AppData\Local\Temp\DHL SHIPPING DOC PDF.exe
"C:\Users\Admin\AppData\Local\Temp\DHL SHIPPING DOC PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DHL SHIPPING DOC PDF.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gpnAwW.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gpnAwW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3EBE.tmp"
2⤵
- Creates scheduled task(s)
PID:64

C:\Users\Admin\AppData\Local\Temp\DHL SHIPPING DOC PDF.exe
"C:\Users\Admin\AppData\Local\Temp\DHL SHIPPING DOC PDF.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:3144

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
c0beab894e96b2c1fa5626f09cd5dbbe

SHA1
f98e46aa30a9af586dfcfce515a95a443fcc49f9

SHA256
4f43baf41ccaf54ce3eda0767b0992293e93aed8b8d054cf1519c17e3375bd46

SHA512
bff26e694565b270ad7b4add3f9002c2c2d4ceb2875065270570ac93437d966303258ff82be7b23651e554508ecb789f96728eddb53ea961b8904e592f022c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3EBE.tmp
Filesize
1KB

MD5
bf2b6e56d2cc41fa3bb80714ebca491e

SHA1
333ff1eb7c3a19f515015461dd4ef5f1c09e6469

SHA256
6e15bb6a61e4eeb572dc48b20749b502eec706daa6076b878fcc50042d9735b7

SHA512
3f74282228b11630cc05dc4c58a1589172c25747104270d17403b98794b228813dd44095b2a43159919d0c353318a1ce78fb0a01ad7a60c6010609c043a0ea51

Download Submit
memory/64-200-0x0000000000000000-mapping.dmp

Download
memory/1300-386-0x00000000086F0000-0x000000000873B000-memory.dmp

Filesize
300KB

Download
memory/1300-870-0x0000000007580000-0x0000000007588000-memory.dmp

Filesize
32KB

Download
memory/1300-198-0x0000000000000000-mapping.dmp

Download
memory/1300-385-0x0000000007AD0000-0x0000000007AEC000-memory.dmp

Filesize
112KB

Download
memory/2368-448-0x0000000008D80000-0x0000000008E25000-memory.dmp

Filesize
660KB

Download
memory/2368-400-0x0000000007BC0000-0x0000000007C36000-memory.dmp

Filesize
472KB

Download
memory/2368-430-0x0000000008A40000-0x0000000008A73000-memory.dmp

Filesize
204KB

Download
memory/2368-431-0x0000000008A20000-0x0000000008A3E000-memory.dmp

Filesize
120KB

Download
memory/2368-380-0x0000000007570000-0x00000000078C0000-memory.dmp

Filesize
3.3MB

Download
memory/2368-377-0x0000000007500000-0x0000000007566000-memory.dmp

Filesize
408KB

Download
memory/2368-375-0x00000000073E0000-0x0000000007446000-memory.dmp

Filesize
408KB

Download
memory/2368-371-0x0000000006B00000-0x0000000006B22000-memory.dmp

Filesize
136KB

Download
memory/2368-309-0x0000000006BD0000-0x00000000071F8000-memory.dmp

Filesize
6.2MB

Download
memory/2368-289-0x00000000040F0000-0x0000000004126000-memory.dmp

Filesize
216KB

Download
memory/2368-192-0x0000000000000000-mapping.dmp

Download
memory/2368-455-0x0000000008F60000-0x0000000008FF4000-memory.dmp

Filesize
592KB

Download
memory/2368-861-0x0000000007CC0000-0x0000000007CDA000-memory.dmp

Filesize
104KB

Download
memory/2700-139-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-172-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-137-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-138-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-115-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-140-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-141-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-142-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-143-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-144-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-145-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-146-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-147-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-148-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-149-0x0000000000F60000-0x0000000001068000-memory.dmp

Filesize
1.0MB

Download
memory/2700-150-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-151-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-152-0x0000000005D40000-0x000000000623E000-memory.dmp

Filesize
5.0MB

Download
memory/2700-153-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-154-0x00000000058E0000-0x0000000005972000-memory.dmp

Filesize
584KB

Download
memory/2700-155-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-156-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-157-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-158-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-159-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-160-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-161-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-162-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-163-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-164-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-165-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-166-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-167-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-168-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-169-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-170-0x00000000058A0000-0x00000000058AA000-memory.dmp

Filesize
40KB

Download
memory/2700-171-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-136-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-173-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-174-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-175-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-176-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-177-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-178-0x0000000005B00000-0x0000000005B14000-memory.dmp

Filesize
80KB

Download
memory/2700-179-0x0000000009080000-0x000000000911C000-memory.dmp

Filesize
624KB

Download
memory/2700-180-0x0000000005D30000-0x0000000005D3A000-memory.dmp

Filesize
40KB

Download
memory/2700-181-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-182-0x00000000092B0000-0x0000000009362000-memory.dmp

Filesize
712KB

Download
memory/2700-183-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-184-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-185-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-186-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-135-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-134-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-133-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-132-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-268-0x0000000009690000-0x000000000970C000-memory.dmp

Filesize
496KB

Download
memory/2700-116-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-131-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-130-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-129-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-128-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-127-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-126-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-125-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-124-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-117-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-123-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-122-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-121-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-120-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-119-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-118-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/3144-831-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3144-391-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3144-274-0x0000000000432C26-mapping.dmp

Download