remcos | 8a6962a41ae31bdee6ff11f318c0d77d0709d8256145adb707b147c3b7a39671

Analysis

max time kernel
153s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2023, 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

309d1ce137da38edc89f2914b546721d.exe
Size

300.0MB
MD5

309d1ce137da38edc89f2914b546721d
SHA1

2804df449ae311043b86d8cba0217ce63cf768da
SHA256

8a6962a41ae31bdee6ff11f318c0d77d0709d8256145adb707b147c3b7a39671
SHA512

ae6185276db991f457055be7b6a91bd205bcdf12b72d7e2d4129cb9fd76324923aa8b247996731f9dfaa39fba19efc1d90c8c28c814ad5678b9f4ad339501b9c
SSDEEP

12288:jHHE8OGQCuVPU5bxQBRipJjJFzeKD5bD:jHHXO7PEbxQBqJDpFD

Score

10^/10

remcos bless rat

Malware Config

Extracted

Family

remcos

Botnet

BLESS

prosperidad777.con-ip.com:7770

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-9LORVW
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
4440	rops.exe
4752	rops.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4136 set thread context of 5020	4136	309d1ce137da38edc89f2914b546721d.exe	83
PID 4440 set thread context of 4376	4440	rops.exe	106
PID 4752 set thread context of 1948	4752	rops.exe	110

Program crash 2 IoCs

pid	pid_target	Process	procid_target
992	4376	WerFault.exe	106
3000	1948	WerFault.exe	110

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
732	schtasks.exe
2388	schtasks.exe
2244	schtasks.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5020	csc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 5020	4136	309d1ce137da38edc89f2914b546721d.exe	83
PID 4136 wrote to memory of 5020	4136	309d1ce137da38edc89f2914b546721d.exe	83
PID 4136 wrote to memory of 5020	4136	309d1ce137da38edc89f2914b546721d.exe	83
PID 4136 wrote to memory of 5020	4136	309d1ce137da38edc89f2914b546721d.exe	83
PID 4136 wrote to memory of 5020	4136	309d1ce137da38edc89f2914b546721d.exe	83
PID 4136 wrote to memory of 5020	4136	309d1ce137da38edc89f2914b546721d.exe	83
PID 4136 wrote to memory of 5020	4136	309d1ce137da38edc89f2914b546721d.exe	83
PID 4136 wrote to memory of 5020	4136	309d1ce137da38edc89f2914b546721d.exe	83
PID 4136 wrote to memory of 5020	4136	309d1ce137da38edc89f2914b546721d.exe	83
PID 4136 wrote to memory of 5020	4136	309d1ce137da38edc89f2914b546721d.exe	83
PID 4136 wrote to memory of 5020	4136	309d1ce137da38edc89f2914b546721d.exe	83
PID 4136 wrote to memory of 5020	4136	309d1ce137da38edc89f2914b546721d.exe	83
PID 4136 wrote to memory of 4732	4136	309d1ce137da38edc89f2914b546721d.exe	84
PID 4136 wrote to memory of 4732	4136	309d1ce137da38edc89f2914b546721d.exe	84
PID 4136 wrote to memory of 4732	4136	309d1ce137da38edc89f2914b546721d.exe	84
PID 4136 wrote to memory of 4420	4136	309d1ce137da38edc89f2914b546721d.exe	85
PID 4136 wrote to memory of 4420	4136	309d1ce137da38edc89f2914b546721d.exe	85
PID 4136 wrote to memory of 4420	4136	309d1ce137da38edc89f2914b546721d.exe	85
PID 4136 wrote to memory of 4336	4136	309d1ce137da38edc89f2914b546721d.exe	87
PID 4136 wrote to memory of 4336	4136	309d1ce137da38edc89f2914b546721d.exe	87
PID 4136 wrote to memory of 4336	4136	309d1ce137da38edc89f2914b546721d.exe	87
PID 4420 wrote to memory of 732	4420	cmd.exe	90
PID 4420 wrote to memory of 732	4420	cmd.exe	90
PID 4420 wrote to memory of 732	4420	cmd.exe	90
PID 4440 wrote to memory of 4376	4440	rops.exe	106
PID 4440 wrote to memory of 4376	4440	rops.exe	106
PID 4440 wrote to memory of 4376	4440	rops.exe	106
PID 4440 wrote to memory of 4376	4440	rops.exe	106
PID 4440 wrote to memory of 4376	4440	rops.exe	106
PID 4440 wrote to memory of 4376	4440	rops.exe	106
PID 4440 wrote to memory of 4376	4440	rops.exe	106
PID 4440 wrote to memory of 4376	4440	rops.exe	106
PID 4440 wrote to memory of 4376	4440	rops.exe	106
PID 4440 wrote to memory of 4376	4440	rops.exe	106
PID 4440 wrote to memory of 4376	4440	rops.exe	106
PID 4440 wrote to memory of 4376	4440	rops.exe	106
PID 4440 wrote to memory of 4448	4440	rops.exe	104
PID 4440 wrote to memory of 4448	4440	rops.exe	104
PID 4440 wrote to memory of 4448	4440	rops.exe	104
PID 4440 wrote to memory of 1476	4440	rops.exe	103
PID 4440 wrote to memory of 1476	4440	rops.exe	103
PID 4440 wrote to memory of 1476	4440	rops.exe	103
PID 4440 wrote to memory of 2272	4440	rops.exe	101
PID 4440 wrote to memory of 2272	4440	rops.exe	101
PID 4440 wrote to memory of 2272	4440	rops.exe	101
PID 1476 wrote to memory of 2388	1476	cmd.exe	108
PID 1476 wrote to memory of 2388	1476	cmd.exe	108
PID 1476 wrote to memory of 2388	1476	cmd.exe	108
PID 4752 wrote to memory of 1948	4752	rops.exe	110
PID 4752 wrote to memory of 1948	4752	rops.exe	110
PID 4752 wrote to memory of 1948	4752	rops.exe	110
PID 4752 wrote to memory of 1948	4752	rops.exe	110
PID 4752 wrote to memory of 1948	4752	rops.exe	110
PID 4752 wrote to memory of 1948	4752	rops.exe	110
PID 4752 wrote to memory of 1948	4752	rops.exe	110
PID 4752 wrote to memory of 1948	4752	rops.exe	110
PID 4752 wrote to memory of 1948	4752	rops.exe	110
PID 4752 wrote to memory of 1948	4752	rops.exe	110
PID 4752 wrote to memory of 1948	4752	rops.exe	110
PID 4752 wrote to memory of 1948	4752	rops.exe	110
PID 4752 wrote to memory of 1280	4752	rops.exe	111
PID 4752 wrote to memory of 1280	4752	rops.exe	111
PID 4752 wrote to memory of 1280	4752	rops.exe	111
PID 4752 wrote to memory of 608	4752	rops.exe	112

C:\Users\Admin\AppData\Local\Temp\309d1ce137da38edc89f2914b546721d.exe
"C:\Users\Admin\AppData\Local\Temp\309d1ce137da38edc89f2914b546721d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5020
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\rops"
  2⤵
  PID:4732
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\rops\rops.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\rops\rops.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:732
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\309d1ce137da38edc89f2914b546721d.exe" "C:\Users\Admin\AppData\Roaming\rops\rops.exe"
  2⤵
  PID:4336

C:\Users\Admin\AppData\Roaming\rops\rops.exe
C:\Users\Admin\AppData\Roaming\rops\rops.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\rops\rops.exe" "C:\Users\Admin\AppData\Roaming\rops\rops.exe"
  2⤵
  PID:2272
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\rops\rops.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\rops\rops.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2388
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\rops"
  2⤵
  PID:4448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:4376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 512
    3⤵
    - Program crash
    PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4376 -ip 4376
1⤵
PID:404

C:\Users\Admin\AppData\Roaming\rops\rops.exe
C:\Users\Admin\AppData\Roaming\rops\rops.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:1948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 512
    3⤵
    - Program crash
    PID:3000
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\rops"
  2⤵
  PID:1280
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\rops\rops.exe'" /f
  2⤵
  PID:608
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\rops\rops.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2244
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\rops\rops.exe" "C:\Users\Admin\AppData\Roaming\rops\rops.exe"
  2⤵
  PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1948 -ip 1948
1⤵
PID:536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rops.exe.log

Filesize
517B

MD5
13f84b613e6a4dd2d82f7c44b2295a04

SHA1
f9e07213c2825ecb28e732f3e66e07625747c4b3

SHA256
d9c52c1eb0b6a04d3495ab971da2c6d01b0964a8b04fd173bfb351820b255c33

SHA512
3a2aca3d21bff43e36de5d9c97b0d1a9c972ee5ab0d9322a3615c0820042a7c9c4c0f2d41522fb4f2347b9a1679b63c91dcf5dc75444ba64c736e2cdcf10ee7d

Download Submit
C:\Users\Admin\AppData\Roaming\rops\rops.exe

Filesize
300.0MB

MD5
309d1ce137da38edc89f2914b546721d

SHA1
2804df449ae311043b86d8cba0217ce63cf768da

SHA256
8a6962a41ae31bdee6ff11f318c0d77d0709d8256145adb707b147c3b7a39671

SHA512
ae6185276db991f457055be7b6a91bd205bcdf12b72d7e2d4129cb9fd76324923aa8b247996731f9dfaa39fba19efc1d90c8c28c814ad5678b9f4ad339501b9c

Download Submit
C:\Users\Admin\AppData\Roaming\rops\rops.exe

Filesize
300.0MB

MD5
309d1ce137da38edc89f2914b546721d

SHA1
2804df449ae311043b86d8cba0217ce63cf768da

SHA256
8a6962a41ae31bdee6ff11f318c0d77d0709d8256145adb707b147c3b7a39671

SHA512
ae6185276db991f457055be7b6a91bd205bcdf12b72d7e2d4129cb9fd76324923aa8b247996731f9dfaa39fba19efc1d90c8c28c814ad5678b9f4ad339501b9c

Download Submit
C:\Users\Admin\AppData\Roaming\rops\rops.exe

Filesize
300.0MB

MD5
309d1ce137da38edc89f2914b546721d

SHA1
2804df449ae311043b86d8cba0217ce63cf768da

SHA256
8a6962a41ae31bdee6ff11f318c0d77d0709d8256145adb707b147c3b7a39671

SHA512
ae6185276db991f457055be7b6a91bd205bcdf12b72d7e2d4129cb9fd76324923aa8b247996731f9dfaa39fba19efc1d90c8c28c814ad5678b9f4ad339501b9c

Download Submit
memory/1948-178-0x0000000000320000-0x00000000003A0000-memory.dmp

Filesize
512KB

Download
memory/1948-173-0x0000000000320000-0x00000000003A0000-memory.dmp

Filesize
512KB

Download
memory/4136-133-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/4136-132-0x0000000000F20000-0x0000000000FBA000-memory.dmp

Filesize
616KB

Download
memory/4376-158-0x0000000000600000-0x0000000000680000-memory.dmp

Filesize
512KB

Download
memory/4376-153-0x0000000000600000-0x0000000000680000-memory.dmp

Filesize
512KB

Download
memory/5020-136-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5020-137-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5020-135-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5020-143-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5020-142-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads