remcos | 8a6962a41ae31bdee6ff11f318c0d77d0709d8256145adb707b147c3b7a39671

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/02/2023, 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

309d1ce137da38edc89f2914b546721d.exe
Size

300.0MB
MD5

309d1ce137da38edc89f2914b546721d
SHA1

2804df449ae311043b86d8cba0217ce63cf768da
SHA256

8a6962a41ae31bdee6ff11f318c0d77d0709d8256145adb707b147c3b7a39671
SHA512

ae6185276db991f457055be7b6a91bd205bcdf12b72d7e2d4129cb9fd76324923aa8b247996731f9dfaa39fba19efc1d90c8c28c814ad5678b9f4ad339501b9c
SSDEEP

12288:jHHE8OGQCuVPU5bxQBRipJjJFzeKD5bD:jHHXO7PEbxQBqJDpFD

Score

10^/10

remcos bless rat

Malware Config

Extracted

Family

remcos

Botnet

BLESS

prosperidad777.con-ip.com:7770

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-9LORVW
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
776	rops.exe
1612	rops.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2008 set thread context of 1296	2008	309d1ce137da38edc89f2914b546721d.exe	27
PID 776 set thread context of 764	776	rops.exe	37
PID 1612 set thread context of 1744	1612	rops.exe	46

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1292	schtasks.exe
1644	schtasks.exe
568	schtasks.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1296	csc.exe
764	csc.exe
1744	csc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1296	2008	309d1ce137da38edc89f2914b546721d.exe	27
PID 2008 wrote to memory of 1296	2008	309d1ce137da38edc89f2914b546721d.exe	27
PID 2008 wrote to memory of 1296	2008	309d1ce137da38edc89f2914b546721d.exe	27
PID 2008 wrote to memory of 1296	2008	309d1ce137da38edc89f2914b546721d.exe	27
PID 2008 wrote to memory of 1296	2008	309d1ce137da38edc89f2914b546721d.exe	27
PID 2008 wrote to memory of 1296	2008	309d1ce137da38edc89f2914b546721d.exe	27
PID 2008 wrote to memory of 1296	2008	309d1ce137da38edc89f2914b546721d.exe	27
PID 2008 wrote to memory of 1296	2008	309d1ce137da38edc89f2914b546721d.exe	27
PID 2008 wrote to memory of 1296	2008	309d1ce137da38edc89f2914b546721d.exe	27
PID 2008 wrote to memory of 1296	2008	309d1ce137da38edc89f2914b546721d.exe	27
PID 2008 wrote to memory of 1296	2008	309d1ce137da38edc89f2914b546721d.exe	27
PID 2008 wrote to memory of 1296	2008	309d1ce137da38edc89f2914b546721d.exe	27
PID 2008 wrote to memory of 1296	2008	309d1ce137da38edc89f2914b546721d.exe	27
PID 2008 wrote to memory of 1372	2008	309d1ce137da38edc89f2914b546721d.exe	28
PID 2008 wrote to memory of 1372	2008	309d1ce137da38edc89f2914b546721d.exe	28
PID 2008 wrote to memory of 1372	2008	309d1ce137da38edc89f2914b546721d.exe	28
PID 2008 wrote to memory of 1372	2008	309d1ce137da38edc89f2914b546721d.exe	28
PID 2008 wrote to memory of 1100	2008	309d1ce137da38edc89f2914b546721d.exe	30
PID 2008 wrote to memory of 1100	2008	309d1ce137da38edc89f2914b546721d.exe	30
PID 2008 wrote to memory of 1100	2008	309d1ce137da38edc89f2914b546721d.exe	30
PID 2008 wrote to memory of 1100	2008	309d1ce137da38edc89f2914b546721d.exe	30
PID 1100 wrote to memory of 1292	1100	cmd.exe	32
PID 1100 wrote to memory of 1292	1100	cmd.exe	32
PID 1100 wrote to memory of 1292	1100	cmd.exe	32
PID 1100 wrote to memory of 1292	1100	cmd.exe	32
PID 2008 wrote to memory of 1884	2008	309d1ce137da38edc89f2914b546721d.exe	33
PID 2008 wrote to memory of 1884	2008	309d1ce137da38edc89f2914b546721d.exe	33
PID 2008 wrote to memory of 1884	2008	309d1ce137da38edc89f2914b546721d.exe	33
PID 2008 wrote to memory of 1884	2008	309d1ce137da38edc89f2914b546721d.exe	33
PID 868 wrote to memory of 776	868	taskeng.exe	36
PID 868 wrote to memory of 776	868	taskeng.exe	36
PID 868 wrote to memory of 776	868	taskeng.exe	36
PID 868 wrote to memory of 776	868	taskeng.exe	36
PID 868 wrote to memory of 776	868	taskeng.exe	36
PID 868 wrote to memory of 776	868	taskeng.exe	36
PID 868 wrote to memory of 776	868	taskeng.exe	36
PID 776 wrote to memory of 764	776	rops.exe	37
PID 776 wrote to memory of 764	776	rops.exe	37
PID 776 wrote to memory of 764	776	rops.exe	37
PID 776 wrote to memory of 764	776	rops.exe	37
PID 776 wrote to memory of 764	776	rops.exe	37
PID 776 wrote to memory of 764	776	rops.exe	37
PID 776 wrote to memory of 764	776	rops.exe	37
PID 776 wrote to memory of 764	776	rops.exe	37
PID 776 wrote to memory of 764	776	rops.exe	37
PID 776 wrote to memory of 764	776	rops.exe	37
PID 776 wrote to memory of 764	776	rops.exe	37
PID 776 wrote to memory of 764	776	rops.exe	37
PID 776 wrote to memory of 764	776	rops.exe	37
PID 776 wrote to memory of 1560	776	rops.exe	38
PID 776 wrote to memory of 1560	776	rops.exe	38
PID 776 wrote to memory of 1560	776	rops.exe	38
PID 776 wrote to memory of 1560	776	rops.exe	38
PID 776 wrote to memory of 1128	776	rops.exe	39
PID 776 wrote to memory of 1128	776	rops.exe	39
PID 776 wrote to memory of 1128	776	rops.exe	39
PID 776 wrote to memory of 1128	776	rops.exe	39
PID 776 wrote to memory of 1212	776	rops.exe	41
PID 776 wrote to memory of 1212	776	rops.exe	41
PID 776 wrote to memory of 1212	776	rops.exe	41
PID 776 wrote to memory of 1212	776	rops.exe	41
PID 1128 wrote to memory of 1644	1128	cmd.exe	43
PID 1128 wrote to memory of 1644	1128	cmd.exe	43
PID 1128 wrote to memory of 1644	1128	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\309d1ce137da38edc89f2914b546721d.exe
"C:\Users\Admin\AppData\Local\Temp\309d1ce137da38edc89f2914b546721d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1296
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\rops"
  2⤵
  PID:1372
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\rops\rops.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\rops\rops.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:1292
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\309d1ce137da38edc89f2914b546721d.exe" "C:\Users\Admin\AppData\Roaming\rops\rops.exe"
  2⤵
  PID:1884

C:\Windows\system32\taskeng.exe
taskeng.exe {3727689B-3665-49A1-A7C4-6662F0C5A7C4} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:868
- C:\Users\Admin\AppData\Roaming\rops\rops.exe
  C:\Users\Admin\AppData\Roaming\rops\rops.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:764
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\rops"
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\rops\rops.exe'" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\rops\rops.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\rops\rops.exe" "C:\Users\Admin\AppData\Roaming\rops\rops.exe"
    3⤵
    PID:1212
- C:\Users\Admin\AppData\Roaming\rops\rops.exe
  C:\Users\Admin\AppData\Roaming\rops\rops.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1612
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\rops"
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\rops\rops.exe'" /f
    3⤵
    PID:1420
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\rops\rops.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:568
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\rops\rops.exe" "C:\Users\Admin\AppData\Roaming\rops\rops.exe"
    3⤵
    PID:2008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
248B

MD5
7d296ca27e145adced09998a5b7fb9dd

SHA1
ae3243612739f016956f1b6d9e62524b80e58150

SHA256
e38052a1a410290aff1316b16507109e02bb914c2b504608da82bb3e3cfa36cd

SHA512
9e49d4f3b4a75dcf230b54f3afce10ff7fe272f1ab63dc03e6b828ce3834d7b1e5261586950b3edeca9d19346a53a312d4cb3f8f03daa4ad3cba8d4810ccde31

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
248B

MD5
7d296ca27e145adced09998a5b7fb9dd

SHA1
ae3243612739f016956f1b6d9e62524b80e58150

SHA256
e38052a1a410290aff1316b16507109e02bb914c2b504608da82bb3e3cfa36cd

SHA512
9e49d4f3b4a75dcf230b54f3afce10ff7fe272f1ab63dc03e6b828ce3834d7b1e5261586950b3edeca9d19346a53a312d4cb3f8f03daa4ad3cba8d4810ccde31

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
372B

MD5
fef334d88e3a859345cc97cb272f90a0

SHA1
3db799d5b0ebb647ae32acb83ed81b105e7596c0

SHA256
c447275e047d18b140f72699a1b35a628722c794c21105355bc0e919ad5a6663

SHA512
77769220312a406b0b9c6387156c710cf45ef5ad0c4fe0b2953245171c9f2fb67c36715ea196b317ae9835d50f47098db8f65a186f58d776ef21fb750f617d83

Download Submit
C:\Users\Admin\AppData\Roaming\rops\rops.exe

Filesize
300.0MB

MD5
309d1ce137da38edc89f2914b546721d

SHA1
2804df449ae311043b86d8cba0217ce63cf768da

SHA256
8a6962a41ae31bdee6ff11f318c0d77d0709d8256145adb707b147c3b7a39671

SHA512
ae6185276db991f457055be7b6a91bd205bcdf12b72d7e2d4129cb9fd76324923aa8b247996731f9dfaa39fba19efc1d90c8c28c814ad5678b9f4ad339501b9c

Download Submit
C:\Users\Admin\AppData\Roaming\rops\rops.exe

Filesize
300.0MB

MD5
309d1ce137da38edc89f2914b546721d

SHA1
2804df449ae311043b86d8cba0217ce63cf768da

SHA256
8a6962a41ae31bdee6ff11f318c0d77d0709d8256145adb707b147c3b7a39671

SHA512
ae6185276db991f457055be7b6a91bd205bcdf12b72d7e2d4129cb9fd76324923aa8b247996731f9dfaa39fba19efc1d90c8c28c814ad5678b9f4ad339501b9c

Download Submit
C:\Users\Admin\AppData\Roaming\rops\rops.exe

Filesize
300.0MB

MD5
309d1ce137da38edc89f2914b546721d

SHA1
2804df449ae311043b86d8cba0217ce63cf768da

SHA256
8a6962a41ae31bdee6ff11f318c0d77d0709d8256145adb707b147c3b7a39671

SHA512
ae6185276db991f457055be7b6a91bd205bcdf12b72d7e2d4129cb9fd76324923aa8b247996731f9dfaa39fba19efc1d90c8c28c814ad5678b9f4ad339501b9c

Download Submit
memory/764-108-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/764-105-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/776-82-0x0000000000FE0000-0x000000000107A000-memory.dmp

Filesize
616KB

Download
memory/1296-56-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1296-63-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1296-78-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1296-68-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1296-57-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1296-66-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1296-59-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1296-64-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1296-61-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1296-77-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1296-72-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1296-62-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1612-111-0x0000000000310000-0x00000000003AA000-memory.dmp

Filesize
616KB

Download
memory/1744-134-0x0000000000080000-0x0000000000100000-memory.dmp

Filesize
512KB

Download
memory/1744-141-0x0000000000080000-0x0000000000100000-memory.dmp

Filesize
512KB

Download
memory/2008-54-0x0000000000EC0000-0x0000000000F5A000-memory.dmp

Filesize
616KB

Download
memory/2008-55-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads