remcos | 76ae3d68c006008d6d237769a0ab408edf20cbfcf24f88e9b0c63bfcb3ea2361

General

Target

Payment Advice PDF.exe
Size

1.3MB
MD5

7d1b368b04bece7395883bb3dc90481e
SHA1

8976972ab8195ac3e79634aa9d28a20dccb0b106
SHA256

d0844c9284d7db4a8b6e89fbf776c8f0490e1fc235e0ad30895a0d24b0006b5a
SHA512

93a4e00f6d4e84b97a8b6ebdf2546bff76477e6e283276bb95ce93e630b51bdb561cc92c28f5004d45313f5c9940431939c5faf9ad4290ebdd15b35364f41cda
SSDEEP

24576:dlpDTpqwq0ERbrZUBdm4LYCRe2p0wMYe5P:d7URV3ZExLYCA2p0wMYex

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

51.75.209.245:2406

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-52YOYG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Payment Advice PDF.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4884 set thread context of 2260	4884	Payment Advice PDF.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4416	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4884	Payment Advice PDF.exe
4884	Payment Advice PDF.exe
4884	Payment Advice PDF.exe
4884	Payment Advice PDF.exe
4884	Payment Advice PDF.exe
4884	Payment Advice PDF.exe
4276	powershell.exe
2896	powershell.exe
4884	Payment Advice PDF.exe
2896	powershell.exe
4276	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4884	Payment Advice PDF.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2260	Payment Advice PDF.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 2896	4884	Payment Advice PDF.exe	91
PID 4884 wrote to memory of 2896	4884	Payment Advice PDF.exe	91
PID 4884 wrote to memory of 2896	4884	Payment Advice PDF.exe	91
PID 4884 wrote to memory of 4276	4884	Payment Advice PDF.exe	93
PID 4884 wrote to memory of 4276	4884	Payment Advice PDF.exe	93
PID 4884 wrote to memory of 4276	4884	Payment Advice PDF.exe	93
PID 4884 wrote to memory of 4416	4884	Payment Advice PDF.exe	95
PID 4884 wrote to memory of 4416	4884	Payment Advice PDF.exe	95
PID 4884 wrote to memory of 4416	4884	Payment Advice PDF.exe	95
PID 4884 wrote to memory of 2260	4884	Payment Advice PDF.exe	97
PID 4884 wrote to memory of 2260	4884	Payment Advice PDF.exe	97
PID 4884 wrote to memory of 2260	4884	Payment Advice PDF.exe	97
PID 4884 wrote to memory of 2260	4884	Payment Advice PDF.exe	97
PID 4884 wrote to memory of 2260	4884	Payment Advice PDF.exe	97
PID 4884 wrote to memory of 2260	4884	Payment Advice PDF.exe	97
PID 4884 wrote to memory of 2260	4884	Payment Advice PDF.exe	97
PID 4884 wrote to memory of 2260	4884	Payment Advice PDF.exe	97
PID 4884 wrote to memory of 2260	4884	Payment Advice PDF.exe	97
PID 4884 wrote to memory of 2260	4884	Payment Advice PDF.exe	97
PID 4884 wrote to memory of 2260	4884	Payment Advice PDF.exe	97
PID 4884 wrote to memory of 2260	4884	Payment Advice PDF.exe	97

C:\Users\Admin\AppData\Local\Temp\Payment Advice PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Advice PDF.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment Advice PDF.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TVrCJoJLYtE.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4276
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TVrCJoJLYtE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4798.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4416
- C:\Users\Admin\AppData\Local\Temp\Payment Advice PDF.exe
  "C:\Users\Admin\AppData\Local\Temp\Payment Advice PDF.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4fd3d03121f5de4ae13d01d05a7280de

SHA1
a40839f75f22ae86393bba428ab7ada833bfcb53

SHA256
f75905b9932417647c0c299067e2e9c178b41bd7c429f57bf69f448f89398c80

SHA512
e6af32f722a0348f1cbc09cad97aa23ee7f722e5164aaca727c65c3a10ef907b5738c0f392034debe207139a1143f8db9c7da929d80536a7c1cce948d57c6fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4798.tmp

Filesize
1KB

MD5
af4dc59971d1a8046735c4bc052bd159

SHA1
c01be67c92dd2ee20d0a7090dd60087ee0849919

SHA256
76bf36834d37456e2a26478965eefcb576eba9eace8faaf8e492f2d69a8efc3d

SHA512
3eb92a21bb26fb4b42ee15bfba283e93ec5264a4cca4e5293602364b15b67047955c9c68aae4d26f35930e748296617c5db16004c855b8e151d46da7d6803793

Download Submit
memory/2260-166-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2260-152-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2260-150-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2260-149-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2260-148-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2260-147-0x0000000000000000-mapping.dmp

Download
memory/2896-140-0x00000000026A0000-0x00000000026D6000-memory.dmp

Filesize
216KB

Download
memory/2896-160-0x0000000007530000-0x00000000075C6000-memory.dmp

Filesize
600KB

Download
memory/2896-161-0x00000000074E0000-0x00000000074EE000-memory.dmp

Filesize
56KB

Download
memory/2896-142-0x00000000051D0000-0x00000000057F8000-memory.dmp

Filesize
6.2MB

Download
memory/2896-146-0x0000000005950000-0x00000000059B6000-memory.dmp

Filesize
408KB

Download
memory/2896-158-0x00000000072B0000-0x00000000072CA000-memory.dmp

Filesize
104KB

Download
memory/2896-153-0x0000000006F60000-0x0000000006F92000-memory.dmp

Filesize
200KB

Download
memory/2896-155-0x0000000075230000-0x000000007527C000-memory.dmp

Filesize
304KB

Download
memory/2896-138-0x0000000000000000-mapping.dmp

Download
memory/2896-151-0x0000000005FA0000-0x0000000005FBE000-memory.dmp

Filesize
120KB

Download
memory/4276-163-0x0000000007F10000-0x0000000007F18000-memory.dmp

Filesize
32KB

Download
memory/4276-157-0x0000000008230000-0x00000000088AA000-memory.dmp

Filesize
6.5MB

Download
memory/4276-154-0x0000000075230000-0x000000007527C000-memory.dmp

Filesize
304KB

Download
memory/4276-139-0x0000000000000000-mapping.dmp

Download
memory/4276-159-0x0000000007C60000-0x0000000007C6A000-memory.dmp

Filesize
40KB

Download
memory/4276-156-0x0000000006E90000-0x0000000006EAE000-memory.dmp

Filesize
120KB

Download
memory/4276-162-0x0000000007F30000-0x0000000007F4A000-memory.dmp

Filesize
104KB

Download
memory/4276-145-0x0000000006180000-0x00000000061E6000-memory.dmp

Filesize
408KB

Download
memory/4276-143-0x0000000005920000-0x0000000005942000-memory.dmp

Filesize
136KB

Download
memory/4416-141-0x0000000000000000-mapping.dmp

Download
memory/4884-132-0x00000000004C0000-0x000000000060A000-memory.dmp

Filesize
1.3MB

Download
memory/4884-136-0x0000000005B10000-0x0000000005CB6000-memory.dmp

Filesize
1.6MB

Download
memory/4884-137-0x00000000090D0000-0x000000000916C000-memory.dmp

Filesize
624KB

Download
memory/4884-135-0x0000000004F90000-0x0000000004F9A000-memory.dmp

Filesize
40KB

Download
memory/4884-134-0x0000000004FB0000-0x0000000005042000-memory.dmp

Filesize
584KB

Download
memory/4884-133-0x0000000005560000-0x0000000005B04000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads