remcos | f3c280a30bfcb13a09179451fc8a2885ea9a95258ee5b52bfd24a1caf7896e54

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-03-2023 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ-064845 2023.exe
Size

1.1MB
MD5

d759962c3a20c3552551519467370d78
SHA1

1d4707360041d977f52a3d5c20b9c5b6d9040e4f
SHA256

f3c280a30bfcb13a09179451fc8a2885ea9a95258ee5b52bfd24a1caf7896e54
SHA512

0ef38d8d1f712595e13ba273bb8b40791fc6ff767eab203878b447a49bb3b83b6781a1b02afc1c866fee3c2d0a070796caa5c4524ba0d17b57027fe9372a6986
SSDEEP

24576:PvKTjt/DH/P74HcMA1d521GsmB7mUY48kv06pO7/2F5:PvK9fP74JAzFmRc06A/2

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

45.139.105.174:2210

212.193.30.230:6320

212.193.30.230:2286

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-G9FA76
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

remcos.exeremcos.exe

pid process

704 remcos.exe
2008 remcos.exe
Loads dropped DLL 1 IoCs

Processes:

RFQ-064845 2023.exe

pid process

880 RFQ-064845 2023.exe

pid	process
704	remcos.exe
2008	remcos.exe

pid	process
880	RFQ-064845 2023.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

remcos.exeRFQ-064845 2023.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\	RFQ-064845 2023.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	RFQ-064845 2023.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	RFQ-064845 2023.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	RFQ-064845 2023.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

RFQ-064845 2023.exeremcos.exe

description	pid	process	target process
PID 1736 set thread context of 880	1736	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 704 set thread context of 2008	704	remcos.exe	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1884 schtasks.exe
1748 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

RFQ-064845 2023.exepowershell.exeremcos.exepowershell.exe

pid process

1736 RFQ-064845 2023.exe
1736 RFQ-064845 2023.exe
1132 powershell.exe
704 remcos.exe
1564 powershell.exe
704 remcos.exe

pid	process
1884	schtasks.exe
1748	schtasks.exe

pid	process
1736	RFQ-064845 2023.exe
1736	RFQ-064845 2023.exe
1132	powershell.exe
704	remcos.exe
1564	powershell.exe
704	remcos.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

RFQ-064845 2023.exepowershell.exeremcos.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1736	RFQ-064845 2023.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	704	remcos.exe
Token: SeDebugPrivilege	1564	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

2008 remcos.exe

pid	process
2008	remcos.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

RFQ-064845 2023.exeRFQ-064845 2023.exeremcos.exe

description	pid	process	target process
PID 1736 wrote to memory of 1132	1736	RFQ-064845 2023.exe	powershell.exe
PID 1736 wrote to memory of 1132	1736	RFQ-064845 2023.exe	powershell.exe
PID 1736 wrote to memory of 1132	1736	RFQ-064845 2023.exe	powershell.exe
PID 1736 wrote to memory of 1132	1736	RFQ-064845 2023.exe	powershell.exe
PID 1736 wrote to memory of 1884	1736	RFQ-064845 2023.exe	schtasks.exe
PID 1736 wrote to memory of 1884	1736	RFQ-064845 2023.exe	schtasks.exe
PID 1736 wrote to memory of 1884	1736	RFQ-064845 2023.exe	schtasks.exe
PID 1736 wrote to memory of 1884	1736	RFQ-064845 2023.exe	schtasks.exe
PID 1736 wrote to memory of 880	1736	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 1736 wrote to memory of 880	1736	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 1736 wrote to memory of 880	1736	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 1736 wrote to memory of 880	1736	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 1736 wrote to memory of 880	1736	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 1736 wrote to memory of 880	1736	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 1736 wrote to memory of 880	1736	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 1736 wrote to memory of 880	1736	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 1736 wrote to memory of 880	1736	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 1736 wrote to memory of 880	1736	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 1736 wrote to memory of 880	1736	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 1736 wrote to memory of 880	1736	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 1736 wrote to memory of 880	1736	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 880 wrote to memory of 704	880	RFQ-064845 2023.exe	remcos.exe
PID 880 wrote to memory of 704	880	RFQ-064845 2023.exe	remcos.exe
PID 880 wrote to memory of 704	880	RFQ-064845 2023.exe	remcos.exe
PID 880 wrote to memory of 704	880	RFQ-064845 2023.exe	remcos.exe
PID 704 wrote to memory of 1564	704	remcos.exe	powershell.exe
PID 704 wrote to memory of 1564	704	remcos.exe	powershell.exe
PID 704 wrote to memory of 1564	704	remcos.exe	powershell.exe
PID 704 wrote to memory of 1564	704	remcos.exe	powershell.exe
PID 704 wrote to memory of 1748	704	remcos.exe	schtasks.exe
PID 704 wrote to memory of 1748	704	remcos.exe	schtasks.exe
PID 704 wrote to memory of 1748	704	remcos.exe	schtasks.exe
PID 704 wrote to memory of 1748	704	remcos.exe	schtasks.exe
PID 704 wrote to memory of 2008	704	remcos.exe	remcos.exe
PID 704 wrote to memory of 2008	704	remcos.exe	remcos.exe
PID 704 wrote to memory of 2008	704	remcos.exe	remcos.exe
PID 704 wrote to memory of 2008	704	remcos.exe	remcos.exe
PID 704 wrote to memory of 2008	704	remcos.exe	remcos.exe
PID 704 wrote to memory of 2008	704	remcos.exe	remcos.exe
PID 704 wrote to memory of 2008	704	remcos.exe	remcos.exe
PID 704 wrote to memory of 2008	704	remcos.exe	remcos.exe
PID 704 wrote to memory of 2008	704	remcos.exe	remcos.exe
PID 704 wrote to memory of 2008	704	remcos.exe	remcos.exe
PID 704 wrote to memory of 2008	704	remcos.exe	remcos.exe
PID 704 wrote to memory of 2008	704	remcos.exe	remcos.exe
PID 704 wrote to memory of 2008	704	remcos.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\RFQ-064845 2023.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-064845 2023.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cVVsKeGRDmRZkj.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cVVsKeGRDmRZkj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC7A4.tmp"
2⤵
- Creates scheduled task(s)
PID:1884

C:\Users\Admin\AppData\Local\Temp\RFQ-064845 2023.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-064845 2023.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:880

C:\ProgramData\Remcos\remcos.exe
"C:\ProgramData\Remcos\remcos.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cVVsKeGRDmRZkj.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cVVsKeGRDmRZkj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6D64.tmp"
4⤵
- Creates scheduled task(s)
PID:1748

C:\ProgramData\Remcos\remcos.exe
"C:\ProgramData\Remcos\remcos.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\logs.dat
Filesize
144B

MD5
849f1d7fed5fbc407f90c4f71841a2b6

SHA1
163086575fe83920b3f3e145715df1068a12bc90

SHA256
a4434d89010c9d9dd39040f27d72e52387ff9ea8b3e485c2a2cd1266e24cc1c2

SHA512
df58cef7067329244f1eaa72e08cfc55f6cc23244bed81bffa46b524a3829e4bc9bd394fdbe29ce98f989318348e90f69573cce4aa3d7c3275eec5343f0b26fd

Download Submit
C:\ProgramData\Remcos\remcos.exe
Filesize
1.1MB

MD5
d759962c3a20c3552551519467370d78

SHA1
1d4707360041d977f52a3d5c20b9c5b6d9040e4f

SHA256
f3c280a30bfcb13a09179451fc8a2885ea9a95258ee5b52bfd24a1caf7896e54

SHA512
0ef38d8d1f712595e13ba273bb8b40791fc6ff767eab203878b447a49bb3b83b6781a1b02afc1c866fee3c2d0a070796caa5c4524ba0d17b57027fe9372a6986

Download Submit
C:\ProgramData\Remcos\remcos.exe
Filesize
1.1MB

MD5
d759962c3a20c3552551519467370d78

SHA1
1d4707360041d977f52a3d5c20b9c5b6d9040e4f

SHA256
f3c280a30bfcb13a09179451fc8a2885ea9a95258ee5b52bfd24a1caf7896e54

SHA512
0ef38d8d1f712595e13ba273bb8b40791fc6ff767eab203878b447a49bb3b83b6781a1b02afc1c866fee3c2d0a070796caa5c4524ba0d17b57027fe9372a6986

Download Submit
C:\ProgramData\Remcos\remcos.exe
Filesize
1.1MB

MD5
d759962c3a20c3552551519467370d78

SHA1
1d4707360041d977f52a3d5c20b9c5b6d9040e4f

SHA256
f3c280a30bfcb13a09179451fc8a2885ea9a95258ee5b52bfd24a1caf7896e54

SHA512
0ef38d8d1f712595e13ba273bb8b40791fc6ff767eab203878b447a49bb3b83b6781a1b02afc1c866fee3c2d0a070796caa5c4524ba0d17b57027fe9372a6986

Download Submit
C:\ProgramData\Remcos\remcos.exe
Filesize
1.1MB

MD5
d759962c3a20c3552551519467370d78

SHA1
1d4707360041d977f52a3d5c20b9c5b6d9040e4f

SHA256
f3c280a30bfcb13a09179451fc8a2885ea9a95258ee5b52bfd24a1caf7896e54

SHA512
0ef38d8d1f712595e13ba273bb8b40791fc6ff767eab203878b447a49bb3b83b6781a1b02afc1c866fee3c2d0a070796caa5c4524ba0d17b57027fe9372a6986

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6D64.tmp
Filesize
1KB

MD5
8b5d15f85c030771cc01e1a31f027034

SHA1
c2045ad59f8ac5c76d9150101275ebce401d1af9

SHA256
0b12eac86d7b6b798caab7645e3d844a56afd2dc92a4d40912e306e8c23dca4c

SHA512
59086dc62ac30e2bcc16296fe18b41541708acc8053aad4c7fa910bd8eabe2f0068a79a7f1112aaf4f13b99c7ace8d3fb22948690ecf8fcea49b4b7d40a750d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC7A4.tmp
Filesize
1KB

MD5
8b5d15f85c030771cc01e1a31f027034

SHA1
c2045ad59f8ac5c76d9150101275ebce401d1af9

SHA256
0b12eac86d7b6b798caab7645e3d844a56afd2dc92a4d40912e306e8c23dca4c

SHA512
59086dc62ac30e2bcc16296fe18b41541708acc8053aad4c7fa910bd8eabe2f0068a79a7f1112aaf4f13b99c7ace8d3fb22948690ecf8fcea49b4b7d40a750d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
3d53be01faefc49ff5669d30ec13fb96

SHA1
f531621547cd5822a2d85dbf58108b129d0afa22

SHA256
036f3b9e5dcf05de11f56d84ef87f695962465350f0957553765ca3a801ab458

SHA512
5a4f3fcc7b4ee41d6ab4b47067028f1b45e66ba2bf771cf7b1a834605077f5b22539738d29a3945604a17fd3b367231764697dac17cb7d656310d51949a7f35e

Download Submit
\ProgramData\Remcos\remcos.exe
Filesize
1.1MB

MD5
d759962c3a20c3552551519467370d78

SHA1
1d4707360041d977f52a3d5c20b9c5b6d9040e4f

SHA256
f3c280a30bfcb13a09179451fc8a2885ea9a95258ee5b52bfd24a1caf7896e54

SHA512
0ef38d8d1f712595e13ba273bb8b40791fc6ff767eab203878b447a49bb3b83b6781a1b02afc1c866fee3c2d0a070796caa5c4524ba0d17b57027fe9372a6986

Download Submit
memory/704-91-0x00000000042D0000-0x0000000004310000-memory.dmp

Filesize
256KB

Download
memory/704-90-0x00000000042D0000-0x0000000004310000-memory.dmp

Filesize
256KB

Download
memory/704-88-0x0000000000090000-0x00000000001A6000-memory.dmp

Filesize
1.1MB

Download
memory/880-74-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-69-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-75-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/880-77-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-73-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-79-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-72-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-71-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-86-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-70-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-68-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1132-89-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1132-67-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1564-119-0x00000000026D0000-0x0000000002710000-memory.dmp

Filesize
256KB

Download
memory/1564-121-0x00000000026D0000-0x0000000002710000-memory.dmp

Filesize
256KB

Download
memory/1564-120-0x00000000026D0000-0x0000000002710000-memory.dmp

Filesize
256KB

Download
memory/1736-66-0x0000000005AF0000-0x0000000005B70000-memory.dmp

Filesize
512KB

Download
memory/1736-58-0x0000000005730000-0x0000000005824000-memory.dmp

Filesize
976KB

Download
memory/1736-57-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/1736-55-0x0000000000A20000-0x0000000000A60000-memory.dmp

Filesize
256KB

Download
memory/1736-56-0x0000000000350000-0x000000000036E000-memory.dmp

Filesize
120KB

Download
memory/1736-54-0x0000000000B50000-0x0000000000C66000-memory.dmp

Filesize
1.1MB

Download
memory/2008-112-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2008-116-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2008-117-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2008-115-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2008-114-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2008-111-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2008-122-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2008-124-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2008-128-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2008-131-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2008-132-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2008-107-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2008-134-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2008-136-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2008-142-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2008-143-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2008-144-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2008-147-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download