remcos | f43613d50b4be7751381af8f76cf24e074aadf65cd47bb5de2b741fb849969c9

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14/03/2023, 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

185f4cbd3504598289c13a4d41086c3f.exe
Size

1.0MB
MD5

185f4cbd3504598289c13a4d41086c3f
SHA1

a851aac13291785dd86100431964bc90bab2ed91
SHA256

f43613d50b4be7751381af8f76cf24e074aadf65cd47bb5de2b741fb849969c9
SHA512

bdab1fc6f6a9f23bb6485c2381768034199348032efcf06e7bf096187c53f190e556672e84702837f02c15e2c1886c6339b9db7111f8c73c1023efa793e2db6d
SSDEEP

12288:vVxwJeGjv1K8tUyZmMRxEy0gT5H9wnZwGtM+8ZJqDSLuDvtuKey8u6xH7Raovltl:PwJP+nZvtM+q5AtuK4VB73kkuod

Score

10^/10

remcos juanfer rat

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

JUANFER

juanferandresdaza.con-ip.com:1014

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-SAI4CG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Extracted

Family

remcos

Botnet

JUANFER

juanferandresdaza.con-ip.com:1014

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-SAI4CG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1744 set thread context of 812	1744	185f4cbd3504598289c13a4d41086c3f.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1516	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1744	185f4cbd3504598289c13a4d41086c3f.exe
1744	185f4cbd3504598289c13a4d41086c3f.exe
520	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1744	185f4cbd3504598289c13a4d41086c3f.exe
Token: SeDebugPrivilege	520	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
812	RegSvcs.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 520	1744	185f4cbd3504598289c13a4d41086c3f.exe	28
PID 1744 wrote to memory of 520	1744	185f4cbd3504598289c13a4d41086c3f.exe	28
PID 1744 wrote to memory of 520	1744	185f4cbd3504598289c13a4d41086c3f.exe	28
PID 1744 wrote to memory of 520	1744	185f4cbd3504598289c13a4d41086c3f.exe	28
PID 1744 wrote to memory of 1516	1744	185f4cbd3504598289c13a4d41086c3f.exe	30
PID 1744 wrote to memory of 1516	1744	185f4cbd3504598289c13a4d41086c3f.exe	30
PID 1744 wrote to memory of 1516	1744	185f4cbd3504598289c13a4d41086c3f.exe	30
PID 1744 wrote to memory of 1516	1744	185f4cbd3504598289c13a4d41086c3f.exe	30
PID 1744 wrote to memory of 812	1744	185f4cbd3504598289c13a4d41086c3f.exe	32
PID 1744 wrote to memory of 812	1744	185f4cbd3504598289c13a4d41086c3f.exe	32
PID 1744 wrote to memory of 812	1744	185f4cbd3504598289c13a4d41086c3f.exe	32
PID 1744 wrote to memory of 812	1744	185f4cbd3504598289c13a4d41086c3f.exe	32
PID 1744 wrote to memory of 812	1744	185f4cbd3504598289c13a4d41086c3f.exe	32
PID 1744 wrote to memory of 812	1744	185f4cbd3504598289c13a4d41086c3f.exe	32
PID 1744 wrote to memory of 812	1744	185f4cbd3504598289c13a4d41086c3f.exe	32
PID 1744 wrote to memory of 812	1744	185f4cbd3504598289c13a4d41086c3f.exe	32
PID 1744 wrote to memory of 812	1744	185f4cbd3504598289c13a4d41086c3f.exe	32
PID 1744 wrote to memory of 812	1744	185f4cbd3504598289c13a4d41086c3f.exe	32
PID 1744 wrote to memory of 812	1744	185f4cbd3504598289c13a4d41086c3f.exe	32
PID 1744 wrote to memory of 812	1744	185f4cbd3504598289c13a4d41086c3f.exe	32
PID 1744 wrote to memory of 812	1744	185f4cbd3504598289c13a4d41086c3f.exe	32
PID 1744 wrote to memory of 812	1744	185f4cbd3504598289c13a4d41086c3f.exe	32

C:\Users\Admin\AppData\Local\Temp\185f4cbd3504598289c13a4d41086c3f.exe
"C:\Users\Admin\AppData\Local\Temp\185f4cbd3504598289c13a4d41086c3f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hrRrNvSBcn.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:520
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hrRrNvSBcn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAE4A.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAE4A.tmp

Filesize
1KB

MD5
dc1755603c825fafd96be840f58ccf67

SHA1
ff8648c6e27613e5a1c0cbcb19541e58547c3696

SHA256
f87accc8cba2b540225d85ab9eafdf30db1066235e3b32674917983ae4e7274e

SHA512
567b21bf3a2bd51f012ec43072a4ce76c862b6bd9fa953e7205165e922f128f6cacc7ac9799ddca18f565985cc92fdfe19423ef2075005937935988eb9dff23d

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat

Filesize
74B

MD5
ff7451077e3feeeed30341057609c601

SHA1
4582a0d0c279a39715208eeb78a44a65fb4fd984

SHA256
09bfb01deb0669d34e3884053d7fc7af1ffc66e195e2fbfddf61006a35df5c70

SHA512
fdfdebc1a02dc7161edc6a7e3a9ac42f63b87e21992e1079ea60919bcaab7c70f13b74826dc33efe3ff077831da32b036800222af63bae17a96846c18b2885a8

Download Submit
memory/520-89-0x0000000002690000-0x00000000026D0000-memory.dmp

Filesize
256KB

Download
memory/520-87-0x0000000002690000-0x00000000026D0000-memory.dmp

Filesize
256KB

Download
memory/520-69-0x0000000002690000-0x00000000026D0000-memory.dmp

Filesize
256KB

Download
memory/812-88-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-77-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-140-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-139-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-138-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-70-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-71-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-72-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-73-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-74-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-75-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/812-91-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-79-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-80-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-82-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-83-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-84-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-85-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-137-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-120-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-118-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-117-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-90-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-105-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-94-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-95-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-96-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-97-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-98-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-102-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-93-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-106-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-107-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-108-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-110-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-111-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-112-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-113-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1744-55-0x0000000000580000-0x000000000059C000-memory.dmp

Filesize
112KB

Download
memory/1744-59-0x0000000005590000-0x000000000562C000-memory.dmp

Filesize
624KB

Download
memory/1744-56-0x0000000004BA0000-0x0000000004BE0000-memory.dmp

Filesize
256KB

Download
memory/1744-54-0x0000000000850000-0x0000000000956000-memory.dmp

Filesize
1.0MB

Download
memory/1744-57-0x0000000004BA0000-0x0000000004BE0000-memory.dmp

Filesize
256KB

Download
memory/1744-58-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/1744-68-0x0000000004D10000-0x0000000004D38000-memory.dmp

Filesize
160KB

Download
memory/1744-65-0x0000000004BE0000-0x0000000004BE6000-memory.dmp

Filesize
24KB

Download