remcos | 31e81d4201fec97127d8f8deffb64c25a76825d6c68fab083775e7197baa0956

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-03-2023 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hesaphareketi-01.PDF.exe
Size

500KB
MD5

826532ae78986d3b52639e72b1ac0e01
SHA1

bf5d6199c99e22e947595687af9b89954e2a6e37
SHA256

31e81d4201fec97127d8f8deffb64c25a76825d6c68fab083775e7197baa0956
SHA512

a1c8899bc1edd4587571130ea382b93adaa0bcc02f92a122a7e60343cc70aaf119a5d9c3a47baa5ae526dd12b69c451de42781ddd894876a80ca22b505f9397b
SSDEEP

12288:JYkYar2AbX18zFRBXKz6u1pSpGLyfeXLl3UU70:JYkYYi5K6u1pmEkeXLhA

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

ennenbach.duckdns.org:5800

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-LDLQM0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

noptbru.exenoptbru.exe

pid process

876 noptbru.exe
436 noptbru.exe
Loads dropped DLL 3 IoCs

Processes:

hesaphareketi-01.PDF.exenoptbru.exe

pid process

2008 hesaphareketi-01.PDF.exe
2008 hesaphareketi-01.PDF.exe
876 noptbru.exe

pid	process
876	noptbru.exe
436	noptbru.exe

pid	process
2008	hesaphareketi-01.PDF.exe
2008	hesaphareketi-01.PDF.exe
876	noptbru.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

noptbru.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\dmirn = "C:\\Users\\Admin\\AppData\\Roaming\\pienwscxhq\\mvfbkfoxt.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\noptbru.exe\" C:\\Users\\Admin\\AppData\\Loc"	noptbru.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

noptbru.exenoptbru.exe

description	pid	process	target process
PID 876 set thread context of 436	876	noptbru.exe	noptbru.exe
PID 436 set thread context of 1780	436	noptbru.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

816 1780 WerFault.exe svchost.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

noptbru.exenoptbru.exe

pid process

876 noptbru.exe
436 noptbru.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

noptbru.exe

pid process

436 noptbru.exe

pid	pid_target	process	target process
816	1780	WerFault.exe	svchost.exe

pid	process
876	noptbru.exe
436	noptbru.exe

pid	process
436	noptbru.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

hesaphareketi-01.PDF.exenoptbru.exenoptbru.exesvchost.exe

description	pid	process	target process
PID 2008 wrote to memory of 876	2008	hesaphareketi-01.PDF.exe	noptbru.exe
PID 2008 wrote to memory of 876	2008	hesaphareketi-01.PDF.exe	noptbru.exe
PID 2008 wrote to memory of 876	2008	hesaphareketi-01.PDF.exe	noptbru.exe
PID 2008 wrote to memory of 876	2008	hesaphareketi-01.PDF.exe	noptbru.exe
PID 876 wrote to memory of 436	876	noptbru.exe	noptbru.exe
PID 876 wrote to memory of 436	876	noptbru.exe	noptbru.exe
PID 876 wrote to memory of 436	876	noptbru.exe	noptbru.exe
PID 876 wrote to memory of 436	876	noptbru.exe	noptbru.exe
PID 876 wrote to memory of 436	876	noptbru.exe	noptbru.exe
PID 436 wrote to memory of 1780	436	noptbru.exe	svchost.exe
PID 436 wrote to memory of 1780	436	noptbru.exe	svchost.exe
PID 436 wrote to memory of 1780	436	noptbru.exe	svchost.exe
PID 436 wrote to memory of 1780	436	noptbru.exe	svchost.exe
PID 436 wrote to memory of 1780	436	noptbru.exe	svchost.exe
PID 1780 wrote to memory of 816	1780	svchost.exe	WerFault.exe
PID 1780 wrote to memory of 816	1780	svchost.exe	WerFault.exe
PID 1780 wrote to memory of 816	1780	svchost.exe	WerFault.exe
PID 1780 wrote to memory of 816	1780	svchost.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.PDF.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\noptbru.exe
  "C:\Users\Admin\AppData\Local\Temp\noptbru.exe" C:\Users\Admin\AppData\Local\Temp\xzylabr.dxy
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Users\Admin\AppData\Local\Temp\noptbru.exe
    "C:\Users\Admin\AppData\Local\Temp\noptbru.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1780
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 228
        5⤵
        Program crash
        
        PID:816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
180B

MD5
089f11c888fc8c3b6289e3628de3676e

SHA1
762695cad0330e88b16c7ebd30adc1d90dd40817

SHA256
0901ef2a4c821342bd3dc026b73ba8c3f2b77ae5e27fae2f75f9ac1520c90d17

SHA512
f0ad66b4a173be9b74ecbda5a5fe3cfef10c8ffa8c01e5ce1e0e51c1ab2e8554cd94cc2aedbca965342abec3365f8d42b2a457831526700b8c3f31292c92fa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\noptbru.exe

Filesize
54KB

MD5
8722b30e6dffb45747d50c30bf1b1a59

SHA1
4dd89ebac1289cd3d0e671110bc2fb74cc5a2aef

SHA256
28e506deca0f0f097219fc6ffe5173e5c621472d4d87ddf65beddde29c16c71f

SHA512
23bf0b65874b0a73464d131d03dc1d3bdf5aea2fb10f5d0c363343178434b58add950ef0a49bc0518ba880800014d4959d8cd02cec2c26ae109515aab1393799

Download Submit
C:\Users\Admin\AppData\Local\Temp\noptbru.exe

Filesize
54KB

MD5
8722b30e6dffb45747d50c30bf1b1a59

SHA1
4dd89ebac1289cd3d0e671110bc2fb74cc5a2aef

SHA256
28e506deca0f0f097219fc6ffe5173e5c621472d4d87ddf65beddde29c16c71f

SHA512
23bf0b65874b0a73464d131d03dc1d3bdf5aea2fb10f5d0c363343178434b58add950ef0a49bc0518ba880800014d4959d8cd02cec2c26ae109515aab1393799

Download Submit
C:\Users\Admin\AppData\Local\Temp\noptbru.exe

Filesize
54KB

MD5
8722b30e6dffb45747d50c30bf1b1a59

SHA1
4dd89ebac1289cd3d0e671110bc2fb74cc5a2aef

SHA256
28e506deca0f0f097219fc6ffe5173e5c621472d4d87ddf65beddde29c16c71f

SHA512
23bf0b65874b0a73464d131d03dc1d3bdf5aea2fb10f5d0c363343178434b58add950ef0a49bc0518ba880800014d4959d8cd02cec2c26ae109515aab1393799

Download Submit
C:\Users\Admin\AppData\Local\Temp\noptbru.exe

Filesize
54KB

MD5
8722b30e6dffb45747d50c30bf1b1a59

SHA1
4dd89ebac1289cd3d0e671110bc2fb74cc5a2aef

SHA256
28e506deca0f0f097219fc6ffe5173e5c621472d4d87ddf65beddde29c16c71f

SHA512
23bf0b65874b0a73464d131d03dc1d3bdf5aea2fb10f5d0c363343178434b58add950ef0a49bc0518ba880800014d4959d8cd02cec2c26ae109515aab1393799

Download Submit
C:\Users\Admin\AppData\Local\Temp\tawbgsphp.jp

Filesize
496KB

MD5
eb65ab25be5e6ae467114cf52af2c960

SHA1
77966fcf2e5b5a614cbe3e43df55ea7c4a99b326

SHA256
2d429d11f4fa136c4fa31759f1130ef91a83703edcd296ac4c55267c4152f4e6

SHA512
da49e6bd7a576f550c5bc2d34ac171e964b018e0a0514d0a3e16ed4b9de29d4a428c75307944efd66f6be5d3bce7bfcd2d291103ed3905e5a295bc204d9164c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzylabr.dxy

Filesize
8KB

MD5
14c7f8b84044e72cc164b943ccc80e5c

SHA1
de3c33dec85795fc1abcbb9860f22049cc22d724

SHA256
50310fd5f742199d40cd603841348b1753660ab807afcc1d9fd0ce91d593700e

SHA512
d9fd743b9c27194cb92410d15ee731d4cc3af999c1b55878cf58fa9b6d44fe106ed82f29391b9428975084d7f4d12611b6138d0d26f56dd17765b8cdb256c504

Download Submit
\Users\Admin\AppData\Local\Temp\noptbru.exe

Filesize
54KB

MD5
8722b30e6dffb45747d50c30bf1b1a59

SHA1
4dd89ebac1289cd3d0e671110bc2fb74cc5a2aef

SHA256
28e506deca0f0f097219fc6ffe5173e5c621472d4d87ddf65beddde29c16c71f

SHA512
23bf0b65874b0a73464d131d03dc1d3bdf5aea2fb10f5d0c363343178434b58add950ef0a49bc0518ba880800014d4959d8cd02cec2c26ae109515aab1393799

Download Submit
\Users\Admin\AppData\Local\Temp\noptbru.exe

Filesize
54KB

MD5
8722b30e6dffb45747d50c30bf1b1a59

SHA1
4dd89ebac1289cd3d0e671110bc2fb74cc5a2aef

SHA256
28e506deca0f0f097219fc6ffe5173e5c621472d4d87ddf65beddde29c16c71f

SHA512
23bf0b65874b0a73464d131d03dc1d3bdf5aea2fb10f5d0c363343178434b58add950ef0a49bc0518ba880800014d4959d8cd02cec2c26ae109515aab1393799

Download Submit
\Users\Admin\AppData\Local\Temp\noptbru.exe

Filesize
54KB

MD5
8722b30e6dffb45747d50c30bf1b1a59

SHA1
4dd89ebac1289cd3d0e671110bc2fb74cc5a2aef

SHA256
28e506deca0f0f097219fc6ffe5173e5c621472d4d87ddf65beddde29c16c71f

SHA512
23bf0b65874b0a73464d131d03dc1d3bdf5aea2fb10f5d0c363343178434b58add950ef0a49bc0518ba880800014d4959d8cd02cec2c26ae109515aab1393799

Download Submit
memory/436-130-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-114-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-75-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-77-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-79-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-78-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-152-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-151-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-149-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-85-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-148-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-88-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-91-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-92-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-93-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-94-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-95-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-97-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-98-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-99-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-70-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-101-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-103-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-104-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-105-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-107-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-108-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-109-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-111-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-112-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-113-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-74-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-116-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-117-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-118-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-119-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-121-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-122-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-123-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-124-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-126-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-127-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-128-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-129-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-147-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-132-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-133-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-134-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-136-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-137-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-138-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-139-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-140-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-142-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-143-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-145-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/436-146-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/876-68-0x00000000001D0000-0x00000000001D3000-memory.dmp

Filesize
12KB

Download
memory/1780-86-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1780-84-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1780-81-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1780-82-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download