remcos | f3c280a30bfcb13a09179451fc8a2885ea9a95258ee5b52bfd24a1caf7896e54

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-03-2023 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ-064845 2023.exe
Size

1.1MB
MD5

d759962c3a20c3552551519467370d78
SHA1

1d4707360041d977f52a3d5c20b9c5b6d9040e4f
SHA256

f3c280a30bfcb13a09179451fc8a2885ea9a95258ee5b52bfd24a1caf7896e54
SHA512

0ef38d8d1f712595e13ba273bb8b40791fc6ff767eab203878b447a49bb3b83b6781a1b02afc1c866fee3c2d0a070796caa5c4524ba0d17b57027fe9372a6986
SSDEEP

24576:PvKTjt/DH/P74HcMA1d521GsmB7mUY48kv06pO7/2F5:PvK9fP74JAzFmRc06A/2

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

45.139.105.174:2210

212.193.30.230:6320

212.193.30.230:2286

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-G9FA76
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

remcos.exeremcos.exe

pid process

1704 remcos.exe
988 remcos.exe
Loads dropped DLL 1 IoCs

Processes:

RFQ-064845 2023.exe

pid process

1428 RFQ-064845 2023.exe

pid	process
1704	remcos.exe
988	remcos.exe

pid	process
1428	RFQ-064845 2023.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RFQ-064845 2023.exeremcos.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	RFQ-064845 2023.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	RFQ-064845 2023.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	RFQ-064845 2023.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\	RFQ-064845 2023.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

RFQ-064845 2023.exeremcos.exe

description	pid	process	target process
PID 308 set thread context of 1428	308	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 1704 set thread context of 988	1704	remcos.exe	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1912 schtasks.exe
584 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

RFQ-064845 2023.exepowershell.exeremcos.exepowershell.exe

pid process

308 RFQ-064845 2023.exe
308 RFQ-064845 2023.exe
112 powershell.exe
1704 remcos.exe
2008 powershell.exe
1704 remcos.exe

pid	process
1912	schtasks.exe
584	schtasks.exe

pid	process
308	RFQ-064845 2023.exe
308	RFQ-064845 2023.exe
112	powershell.exe
1704	remcos.exe
2008	powershell.exe
1704	remcos.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

RFQ-064845 2023.exepowershell.exeremcos.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	308	RFQ-064845 2023.exe
Token: SeDebugPrivilege	112	powershell.exe
Token: SeDebugPrivilege	1704	remcos.exe
Token: SeDebugPrivilege	2008	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

988 remcos.exe

pid	process
988	remcos.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

RFQ-064845 2023.exeRFQ-064845 2023.exeremcos.exe

description	pid	process	target process
PID 308 wrote to memory of 112	308	RFQ-064845 2023.exe	powershell.exe
PID 308 wrote to memory of 112	308	RFQ-064845 2023.exe	powershell.exe
PID 308 wrote to memory of 112	308	RFQ-064845 2023.exe	powershell.exe
PID 308 wrote to memory of 112	308	RFQ-064845 2023.exe	powershell.exe
PID 308 wrote to memory of 584	308	RFQ-064845 2023.exe	schtasks.exe
PID 308 wrote to memory of 584	308	RFQ-064845 2023.exe	schtasks.exe
PID 308 wrote to memory of 584	308	RFQ-064845 2023.exe	schtasks.exe
PID 308 wrote to memory of 584	308	RFQ-064845 2023.exe	schtasks.exe
PID 308 wrote to memory of 1428	308	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 308 wrote to memory of 1428	308	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 308 wrote to memory of 1428	308	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 308 wrote to memory of 1428	308	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 308 wrote to memory of 1428	308	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 308 wrote to memory of 1428	308	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 308 wrote to memory of 1428	308	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 308 wrote to memory of 1428	308	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 308 wrote to memory of 1428	308	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 308 wrote to memory of 1428	308	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 308 wrote to memory of 1428	308	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 308 wrote to memory of 1428	308	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 308 wrote to memory of 1428	308	RFQ-064845 2023.exe	RFQ-064845 2023.exe
PID 1428 wrote to memory of 1704	1428	RFQ-064845 2023.exe	remcos.exe
PID 1428 wrote to memory of 1704	1428	RFQ-064845 2023.exe	remcos.exe
PID 1428 wrote to memory of 1704	1428	RFQ-064845 2023.exe	remcos.exe
PID 1428 wrote to memory of 1704	1428	RFQ-064845 2023.exe	remcos.exe
PID 1704 wrote to memory of 2008	1704	remcos.exe	powershell.exe
PID 1704 wrote to memory of 2008	1704	remcos.exe	powershell.exe
PID 1704 wrote to memory of 2008	1704	remcos.exe	powershell.exe
PID 1704 wrote to memory of 2008	1704	remcos.exe	powershell.exe
PID 1704 wrote to memory of 1912	1704	remcos.exe	schtasks.exe
PID 1704 wrote to memory of 1912	1704	remcos.exe	schtasks.exe
PID 1704 wrote to memory of 1912	1704	remcos.exe	schtasks.exe
PID 1704 wrote to memory of 1912	1704	remcos.exe	schtasks.exe
PID 1704 wrote to memory of 988	1704	remcos.exe	remcos.exe
PID 1704 wrote to memory of 988	1704	remcos.exe	remcos.exe
PID 1704 wrote to memory of 988	1704	remcos.exe	remcos.exe
PID 1704 wrote to memory of 988	1704	remcos.exe	remcos.exe
PID 1704 wrote to memory of 988	1704	remcos.exe	remcos.exe
PID 1704 wrote to memory of 988	1704	remcos.exe	remcos.exe
PID 1704 wrote to memory of 988	1704	remcos.exe	remcos.exe
PID 1704 wrote to memory of 988	1704	remcos.exe	remcos.exe
PID 1704 wrote to memory of 988	1704	remcos.exe	remcos.exe
PID 1704 wrote to memory of 988	1704	remcos.exe	remcos.exe
PID 1704 wrote to memory of 988	1704	remcos.exe	remcos.exe
PID 1704 wrote to memory of 988	1704	remcos.exe	remcos.exe
PID 1704 wrote to memory of 988	1704	remcos.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\RFQ-064845 2023.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-064845 2023.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cVVsKeGRDmRZkj.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cVVsKeGRDmRZkj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC2D3.tmp"
2⤵
- Creates scheduled task(s)
PID:584

C:\Users\Admin\AppData\Local\Temp\RFQ-064845 2023.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-064845 2023.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1428

C:\ProgramData\Remcos\remcos.exe
"C:\ProgramData\Remcos\remcos.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cVVsKeGRDmRZkj.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cVVsKeGRDmRZkj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp694F.tmp"
4⤵
- Creates scheduled task(s)
PID:1912

C:\ProgramData\Remcos\remcos.exe
"C:\ProgramData\Remcos\remcos.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\logs.dat

Filesize
144B

MD5
608cbf37c7530f12abb8ce2c0084ea3e

SHA1
63feecb4f93ab4f6487d63969bd326e6b7affd36

SHA256
39e5f2b39a481071c640188faef772e29b0c2eaf4601b07097480f90dc6cd681

SHA512
f6e29bb819052ce6f81b88c3e4053d36dc933f5ed494916b489f5c67529243221c7e176d376a06b139e5100ce138d2cfcae76f5deb98514f5738cf9f5816059c

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
1.1MB

MD5
d759962c3a20c3552551519467370d78

SHA1
1d4707360041d977f52a3d5c20b9c5b6d9040e4f

SHA256
f3c280a30bfcb13a09179451fc8a2885ea9a95258ee5b52bfd24a1caf7896e54

SHA512
0ef38d8d1f712595e13ba273bb8b40791fc6ff767eab203878b447a49bb3b83b6781a1b02afc1c866fee3c2d0a070796caa5c4524ba0d17b57027fe9372a6986

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
1.1MB

MD5
d759962c3a20c3552551519467370d78

SHA1
1d4707360041d977f52a3d5c20b9c5b6d9040e4f

SHA256
f3c280a30bfcb13a09179451fc8a2885ea9a95258ee5b52bfd24a1caf7896e54

SHA512
0ef38d8d1f712595e13ba273bb8b40791fc6ff767eab203878b447a49bb3b83b6781a1b02afc1c866fee3c2d0a070796caa5c4524ba0d17b57027fe9372a6986

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
1.1MB

MD5
d759962c3a20c3552551519467370d78

SHA1
1d4707360041d977f52a3d5c20b9c5b6d9040e4f

SHA256
f3c280a30bfcb13a09179451fc8a2885ea9a95258ee5b52bfd24a1caf7896e54

SHA512
0ef38d8d1f712595e13ba273bb8b40791fc6ff767eab203878b447a49bb3b83b6781a1b02afc1c866fee3c2d0a070796caa5c4524ba0d17b57027fe9372a6986

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
1.1MB

MD5
d759962c3a20c3552551519467370d78

SHA1
1d4707360041d977f52a3d5c20b9c5b6d9040e4f

SHA256
f3c280a30bfcb13a09179451fc8a2885ea9a95258ee5b52bfd24a1caf7896e54

SHA512
0ef38d8d1f712595e13ba273bb8b40791fc6ff767eab203878b447a49bb3b83b6781a1b02afc1c866fee3c2d0a070796caa5c4524ba0d17b57027fe9372a6986

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp694F.tmp

Filesize
1KB

MD5
8b5d15f85c030771cc01e1a31f027034

SHA1
c2045ad59f8ac5c76d9150101275ebce401d1af9

SHA256
0b12eac86d7b6b798caab7645e3d844a56afd2dc92a4d40912e306e8c23dca4c

SHA512
59086dc62ac30e2bcc16296fe18b41541708acc8053aad4c7fa910bd8eabe2f0068a79a7f1112aaf4f13b99c7ace8d3fb22948690ecf8fcea49b4b7d40a750d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC2D3.tmp

Filesize
1KB

MD5
8b5d15f85c030771cc01e1a31f027034

SHA1
c2045ad59f8ac5c76d9150101275ebce401d1af9

SHA256
0b12eac86d7b6b798caab7645e3d844a56afd2dc92a4d40912e306e8c23dca4c

SHA512
59086dc62ac30e2bcc16296fe18b41541708acc8053aad4c7fa910bd8eabe2f0068a79a7f1112aaf4f13b99c7ace8d3fb22948690ecf8fcea49b4b7d40a750d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0b8bc498d735acbcbe66b6763fef6c4b

SHA1
511f744381956197dc3a6d3f3ab7d7ec7955d3a8

SHA256
a008d85173d0491fe55330137fd24af5f6b19d199d3725679f20025c49367d90

SHA512
e37842a6fc63711877fa5f0fc0fc482bee44a849cc04315e6b1425106eefdb34c9ee50fdbb7461c18ed4ab2fb079ca6eefc55516266692feb59135b704fc0a9f

Download Submit
\ProgramData\Remcos\remcos.exe

Filesize
1.1MB

MD5
d759962c3a20c3552551519467370d78

SHA1
1d4707360041d977f52a3d5c20b9c5b6d9040e4f

SHA256
f3c280a30bfcb13a09179451fc8a2885ea9a95258ee5b52bfd24a1caf7896e54

SHA512
0ef38d8d1f712595e13ba273bb8b40791fc6ff767eab203878b447a49bb3b83b6781a1b02afc1c866fee3c2d0a070796caa5c4524ba0d17b57027fe9372a6986

Download Submit
memory/112-93-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/112-90-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/112-91-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/308-54-0x0000000001220000-0x0000000001336000-memory.dmp

Filesize
1.1MB

Download
memory/308-57-0x0000000004C50000-0x0000000004C90000-memory.dmp

Filesize
256KB

Download
memory/308-58-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/308-59-0x0000000005870000-0x0000000005964000-memory.dmp

Filesize
976KB

Download
memory/308-56-0x0000000000410000-0x000000000042E000-memory.dmp

Filesize
120KB

Download
memory/308-65-0x0000000005C10000-0x0000000005C90000-memory.dmp

Filesize
512KB

Download
memory/308-55-0x0000000004C50000-0x0000000004C90000-memory.dmp

Filesize
256KB

Download
memory/988-119-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/988-131-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/988-147-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/988-145-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/988-143-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/988-142-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/988-136-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/988-134-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/988-133-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/988-129-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/988-124-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/988-122-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/988-121-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/988-118-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/988-110-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/988-117-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/988-114-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/988-115-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1428-88-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1428-73-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1428-67-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1428-70-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1428-66-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1428-71-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1428-69-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1428-77-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1428-75-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1428-72-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1428-81-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1428-74-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1428-68-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1704-89-0x0000000000B50000-0x0000000000C66000-memory.dmp

Filesize
1.1MB

Download
memory/1704-94-0x00000000009D0000-0x0000000000A10000-memory.dmp

Filesize
256KB

Download
memory/1704-92-0x00000000009D0000-0x0000000000A10000-memory.dmp

Filesize
256KB

Download