remcos | 3fa0a1d295887bbf530fdec6ba6ad140b8a185507a630fdb12bff7f0cdf355ae

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2023, 14:18 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Revised Purchase Order.exe
Size

534KB
MD5

7a904d47ee91783b4ff379093ddb333b
SHA1

a2d467355cc2933b1986eba160420ac38997a5f6
SHA256

3fa0a1d295887bbf530fdec6ba6ad140b8a185507a630fdb12bff7f0cdf355ae
SHA512

e64483cf8a9e5940d9274ee1f580852f4b6c85d25395a81a5c8169d6a2326ece4f3f45bcd6a98c4c59658b8b6b8d9f495016c4b98049f35e9a27b75a85b3e5c5
SSDEEP

12288:X3D1eItkatK3CYLfTVJiqubs5X1SVE8kJ4Km1BQ1jcLP:5BlYSYLBJiPbsSRkJ4KmfwQP

Score

10^/10

remcos ramsuup persistence rat

Malware Config

Extracted

Family

remcos

Botnet

ramsuup

194.147.140.197:34574

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
ramsuup.exe
copy_folder
ramsuup
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-HFU2GV
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
ramsuup
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Revised Purchase Order.exe

Executes dropped EXE 2 IoCs

pid	Process
2432	ramsuup.exe
4396	ramsuup.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ramsuup = "\"C:\\Users\\Admin\\AppData\\Roaming\\ramsuup\\ramsuup.exe\""	ramsuup.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Revised Purchase Order.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ramsuup = "\"C:\\Users\\Admin\\AppData\\Roaming\\ramsuup\\ramsuup.exe\""	Revised Purchase Order.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	Revised Purchase Order.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ramsuup = "\"C:\\Users\\Admin\\AppData\\Roaming\\ramsuup\\ramsuup.exe\""	Revised Purchase Order.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ramsuup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ramsuup = "\"C:\\Users\\Admin\\AppData\\Roaming\\ramsuup\\ramsuup.exe\""	ramsuup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	ramsuup.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3368 set thread context of 5116	3368	Revised Purchase Order.exe	82
PID 2432 set thread context of 4396	2432	ramsuup.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4396	ramsuup.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 5116	3368	Revised Purchase Order.exe	82
PID 3368 wrote to memory of 5116	3368	Revised Purchase Order.exe	82
PID 3368 wrote to memory of 5116	3368	Revised Purchase Order.exe	82
PID 3368 wrote to memory of 5116	3368	Revised Purchase Order.exe	82
PID 3368 wrote to memory of 5116	3368	Revised Purchase Order.exe	82
PID 3368 wrote to memory of 5116	3368	Revised Purchase Order.exe	82
PID 3368 wrote to memory of 5116	3368	Revised Purchase Order.exe	82
PID 3368 wrote to memory of 5116	3368	Revised Purchase Order.exe	82
PID 3368 wrote to memory of 5116	3368	Revised Purchase Order.exe	82
PID 3368 wrote to memory of 5116	3368	Revised Purchase Order.exe	82
PID 3368 wrote to memory of 5116	3368	Revised Purchase Order.exe	82
PID 3368 wrote to memory of 5116	3368	Revised Purchase Order.exe	82
PID 5116 wrote to memory of 2432	5116	Revised Purchase Order.exe	83
PID 5116 wrote to memory of 2432	5116	Revised Purchase Order.exe	83
PID 5116 wrote to memory of 2432	5116	Revised Purchase Order.exe	83
PID 2432 wrote to memory of 4396	2432	ramsuup.exe	84
PID 2432 wrote to memory of 4396	2432	ramsuup.exe	84
PID 2432 wrote to memory of 4396	2432	ramsuup.exe	84
PID 2432 wrote to memory of 4396	2432	ramsuup.exe	84
PID 2432 wrote to memory of 4396	2432	ramsuup.exe	84
PID 2432 wrote to memory of 4396	2432	ramsuup.exe	84
PID 2432 wrote to memory of 4396	2432	ramsuup.exe	84
PID 2432 wrote to memory of 4396	2432	ramsuup.exe	84
PID 2432 wrote to memory of 4396	2432	ramsuup.exe	84
PID 2432 wrote to memory of 4396	2432	ramsuup.exe	84
PID 2432 wrote to memory of 4396	2432	ramsuup.exe	84
PID 2432 wrote to memory of 4396	2432	ramsuup.exe	84

C:\Users\Admin\AppData\Local\Temp\Revised Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Revised Purchase Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Users\Admin\AppData\Local\Temp\Revised Purchase Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Revised Purchase Order.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Users\Admin\AppData\Roaming\ramsuup\ramsuup.exe
    "C:\Users\Admin\AppData\Roaming\ramsuup\ramsuup.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Users\Admin\AppData\Roaming\ramsuup\ramsuup.exe
      "C:\Users\Admin\AppData\Roaming\ramsuup\ramsuup.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:4396

Network

DNS

geoplugin.net

ramsuup.exe

Remote address:

8.8.8.8:53

Request

geoplugin.net

IN A

Response

geoplugin.net

IN A

178.237.33.50
GET

http://geoplugin.net/json.gp

ramsuup.exe

Remote address:

178.237.33.50:80

Request

GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

date: Tue, 14 Feb 2023 14:20:00 GMT
server: Apache
content-length: 930
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
DNS

96.108.152.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

96.108.152.52.in-addr.arpa

IN PTR

Response

194.147.140.197:34574

tls

ramsuup.exe

3.2kB
1.5kB
13
16
178.237.33.50:80

http://geoplugin.net/json.gp

http

ramsuup.exe

623 B
1.3kB
12
3

HTTP Request

GET http://geoplugin.net/json.gp

HTTP Response

200
20.189.173.15:443

322 B
7
178.79.208.1:80

322 B
7
178.79.208.1:80

322 B
7
178.79.208.1:80

322 B
7
93.184.221.240:80

322 B
7
204.79.197.200:443

www.bing.com

tls, https

3.1kB
8.4kB
19
16

8.8.8.8:53

geoplugin.net

dns

ramsuup.exe

59 B
75 B
1
1

DNS Request

geoplugin.net

DNS Response

178.237.33.50
8.8.8.8:53

96.108.152.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

96.108.152.52.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ramsuup\ramsuup.exe

Filesize
534KB

MD5
7a904d47ee91783b4ff379093ddb333b

SHA1
a2d467355cc2933b1986eba160420ac38997a5f6

SHA256
3fa0a1d295887bbf530fdec6ba6ad140b8a185507a630fdb12bff7f0cdf355ae

SHA512
e64483cf8a9e5940d9274ee1f580852f4b6c85d25395a81a5c8169d6a2326ece4f3f45bcd6a98c4c59658b8b6b8d9f495016c4b98049f35e9a27b75a85b3e5c5

Download Submit
C:\Users\Admin\AppData\Roaming\ramsuup\ramsuup.exe

Filesize
534KB

MD5
7a904d47ee91783b4ff379093ddb333b

SHA1
a2d467355cc2933b1986eba160420ac38997a5f6

SHA256
3fa0a1d295887bbf530fdec6ba6ad140b8a185507a630fdb12bff7f0cdf355ae

SHA512
e64483cf8a9e5940d9274ee1f580852f4b6c85d25395a81a5c8169d6a2326ece4f3f45bcd6a98c4c59658b8b6b8d9f495016c4b98049f35e9a27b75a85b3e5c5

Download Submit
C:\Users\Admin\AppData\Roaming\ramsuup\ramsuup.exe

Filesize
534KB

MD5
7a904d47ee91783b4ff379093ddb333b

SHA1
a2d467355cc2933b1986eba160420ac38997a5f6

SHA256
3fa0a1d295887bbf530fdec6ba6ad140b8a185507a630fdb12bff7f0cdf355ae

SHA512
e64483cf8a9e5940d9274ee1f580852f4b6c85d25395a81a5c8169d6a2326ece4f3f45bcd6a98c4c59658b8b6b8d9f495016c4b98049f35e9a27b75a85b3e5c5

Download Submit
memory/3368-133-0x0000000005D70000-0x0000000006314000-memory.dmp

Filesize
5.6MB

Download
memory/3368-134-0x0000000005830000-0x0000000005896000-memory.dmp

Filesize
408KB

Download
memory/3368-132-0x0000000000E30000-0x0000000000EBC000-memory.dmp

Filesize
560KB

Download
memory/4396-147-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4396-148-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4396-149-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4396-150-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5116-139-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5116-138-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5116-137-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5116-143-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5116-136-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.