remcos | 3bfdf3a12d5a07c43b210b633df6fbdcd5b2f020b30376b4aa450f79d02e511f

General

Target

Order Specification PDF.exe
Size

917KB
MD5

01a79d7d8926e913bce1218c60f65ef0
SHA1

23f333779045ebaf0e2982ce27e9c45518187df9
SHA256

56fc6644385db6a7e927858e276af6f8e6a33302f82bde48633975ba452954a2
SHA512

0c6c3706c704b1bcb9d2a8c5fa5c363c31d40ba854bf1b761b2585c4edb2b0aefddf51ecc720eb1b0b01d5e442d8647eba21856e49e2478533b4b9ffa98a96a2
SSDEEP

24576:WyOVQiM5+tLYjcggbvs5ApLcPKtqg0YJe1Y:WLQR+tLYotzFLcPpYJ4

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

51.75.209.245:2406

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-52YOYG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 1 IoCs

Processes:

Order Specification PDF.exe

description pid process target process

PID 2044 set thread context of 1204 2044 Order Specification PDF.exe Order Specification PDF.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

976 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Order Specification PDF.exe

pid process

2044 Order Specification PDF.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Order Specification PDF.exe

description pid process

Token: SeDebugPrivilege 2044 Order Specification PDF.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Order Specification PDF.exe

pid process

1204 Order Specification PDF.exe

description	pid	process	target process
PID 2044 set thread context of 1204	2044	Order Specification PDF.exe	Order Specification PDF.exe

pid	process
976	schtasks.exe

pid	process
2044	Order Specification PDF.exe

description	pid	process
Token: SeDebugPrivilege	2044	Order Specification PDF.exe

pid	process
1204	Order Specification PDF.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Order Specification PDF.exe

description	pid	process	target process
PID 2044 wrote to memory of 976	2044	Order Specification PDF.exe	schtasks.exe
PID 2044 wrote to memory of 976	2044	Order Specification PDF.exe	schtasks.exe
PID 2044 wrote to memory of 976	2044	Order Specification PDF.exe	schtasks.exe
PID 2044 wrote to memory of 976	2044	Order Specification PDF.exe	schtasks.exe
PID 2044 wrote to memory of 1204	2044	Order Specification PDF.exe	Order Specification PDF.exe
PID 2044 wrote to memory of 1204	2044	Order Specification PDF.exe	Order Specification PDF.exe
PID 2044 wrote to memory of 1204	2044	Order Specification PDF.exe	Order Specification PDF.exe
PID 2044 wrote to memory of 1204	2044	Order Specification PDF.exe	Order Specification PDF.exe
PID 2044 wrote to memory of 1204	2044	Order Specification PDF.exe	Order Specification PDF.exe
PID 2044 wrote to memory of 1204	2044	Order Specification PDF.exe	Order Specification PDF.exe
PID 2044 wrote to memory of 1204	2044	Order Specification PDF.exe	Order Specification PDF.exe
PID 2044 wrote to memory of 1204	2044	Order Specification PDF.exe	Order Specification PDF.exe
PID 2044 wrote to memory of 1204	2044	Order Specification PDF.exe	Order Specification PDF.exe
PID 2044 wrote to memory of 1204	2044	Order Specification PDF.exe	Order Specification PDF.exe
PID 2044 wrote to memory of 1204	2044	Order Specification PDF.exe	Order Specification PDF.exe
PID 2044 wrote to memory of 1204	2044	Order Specification PDF.exe	Order Specification PDF.exe
PID 2044 wrote to memory of 1204	2044	Order Specification PDF.exe	Order Specification PDF.exe

C:\Users\Admin\AppData\Local\Temp\Order Specification PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Order Specification PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XxWuTeaXQSo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAEC7.tmp"
2⤵
- Creates scheduled task(s)
PID:976

C:\Users\Admin\AppData\Local\Temp\Order Specification PDF.exe
"{path}"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
ae966025d98a923f5db3a087294352e6

SHA1
c4191c5a29f94cb3af2985cbb7f74fbb12d5fa16

SHA256
876b2edfef5e2895853a18f32fc2fe15e5cf4f3dbaa655bd17e49daace3c78e0

SHA512
3f6c30aee4dd70c6a14b40d7fd5032c2c9f54a62dae302e3b62445f489de2623237a9ad1eed583b83346c37d537b7bd0d6dc5a1b2645095b9409a44e7e25eec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAEC7.tmp

Filesize
1KB

MD5
18de5989a5d1cb3b63a7f2a3ab23cd3e

SHA1
3e5bae86c87a31ef968b3f9fe299f1906c0fb5c6

SHA256
a78d35af7f100466a37fe1e9e954fdc112ef40e3ac97fbd32e72ec96406fd152

SHA512
7852ef2946987ffa0976558fef4accb4b613725a2413eee6ca0ba6f0bca509b4b8a9bf0093ad66be78ee18955e771897f969568c59801d9bc7f85442d7b6c64c

Download Submit
memory/1204-72-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1204-86-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1204-74-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1204-103-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1204-98-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1204-63-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1204-64-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1204-65-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1204-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1204-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1204-68-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1204-69-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1204-70-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1204-71-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1204-105-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1204-97-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1204-75-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1204-77-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1204-78-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1204-79-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1204-83-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1204-85-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1204-92-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1204-91-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2044-55-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/2044-57-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/2044-58-0x00000000054C0000-0x0000000005582000-memory.dmp

Filesize
776KB

Download
memory/2044-56-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2044-59-0x0000000005290000-0x000000000530E000-memory.dmp

Filesize
504KB

Download
memory/2044-54-0x0000000000FC0000-0x00000000010AC000-memory.dmp

Filesize
944KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads