remcos | a65de678bfc68fa18936e353ba96fed7f00134a30ead01a45f88e10adb33be9b

Analysis

max time kernel
150s
max time network
105s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25-03-2023 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

490KB
MD5

e71210a8cb9a16fe0b777e20ab8750cf
SHA1

16ed028a56c4a6b008f66062e574664020cf1d30
SHA256

a65de678bfc68fa18936e353ba96fed7f00134a30ead01a45f88e10adb33be9b
SHA512

6fa9b47082d9212f669563806108e682fda1fdd71b343e21fd93e2163512024d560524bf2b8ebde927035447d85ca0ce8aa925b6b216c0dcb38743b2ea3e42ab
SSDEEP

12288:OYyF6L25vWOfQqxa0snt/Rt/04kRVCkv2ey9bdA6NT1:OYyIKNWOYqxZstkXRVCk+B9a6NB

Score

10^/10

remcos first-send persistence rat

Malware Config

Extracted

Family

remcos

Botnet

First-Send

top.not4abuse1.xyz:1558

sub.not4abuse1.xyz:1558

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
rmcs
mouse_option
false
mutex
Rmc-4RNJ4J
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
20
startup_value
Remcos
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
Mail;Payment;Bank

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

accpwujww.exeaccpwujww.exe

pid process

1732 accpwujww.exe
576 accpwujww.exe
Loads dropped DLL 3 IoCs

Processes:

tmp.exeaccpwujww.exe

pid process

1300 tmp.exe
1300 tmp.exe
1732 accpwujww.exe

pid	process
1732	accpwujww.exe
576	accpwujww.exe

pid	process
1300	tmp.exe
1300	tmp.exe
1732	accpwujww.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

accpwujww.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfvagnchfieng = "C:\\Users\\Admin\\AppData\\Roaming\\vqbyhielrdllo\\hjsxhyymsvw.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\accpwujww.exe\" C:\\Users\\Admin\\AppD"	accpwujww.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

accpwujww.exe

description pid process target process

PID 1732 set thread context of 576 1732 accpwujww.exe accpwujww.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

accpwujww.exe

pid process

1732 accpwujww.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

accpwujww.exe

pid process

576 accpwujww.exe

description	pid	process	target process
PID 1732 set thread context of 576	1732	accpwujww.exe	accpwujww.exe

pid	process
1732	accpwujww.exe

pid	process
576	accpwujww.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

tmp.exeaccpwujww.exe

description	pid	process	target process
PID 1300 wrote to memory of 1732	1300	tmp.exe	accpwujww.exe
PID 1300 wrote to memory of 1732	1300	tmp.exe	accpwujww.exe
PID 1300 wrote to memory of 1732	1300	tmp.exe	accpwujww.exe
PID 1300 wrote to memory of 1732	1300	tmp.exe	accpwujww.exe
PID 1732 wrote to memory of 576	1732	accpwujww.exe	accpwujww.exe
PID 1732 wrote to memory of 576	1732	accpwujww.exe	accpwujww.exe
PID 1732 wrote to memory of 576	1732	accpwujww.exe	accpwujww.exe
PID 1732 wrote to memory of 576	1732	accpwujww.exe	accpwujww.exe
PID 1732 wrote to memory of 576	1732	accpwujww.exe	accpwujww.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1300

C:\Users\Admin\AppData\Local\Temp\accpwujww.exe
"C:\Users\Admin\AppData\Local\Temp\accpwujww.exe" C:\Users\Admin\AppData\Local\Temp\whgyqbmwow.k
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\accpwujww.exe
"C:\Users\Admin\AppData\Local\Temp\accpwujww.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\rmcs\logs.dat
Filesize
144B

MD5
75fcbd4f0046386746560014d32bcaa5

SHA1
d7c5a983d7260fc4155ab188c198f11282502885

SHA256
f5028020fa8113b31df7229e6e7a1b57ed864f466235a265e1e162f67b10e18c

SHA512
d7138cf2a5deba9cec5130e1968b324250c5619516bc9bb310b2468c53e679fdca87aea1db7eab74260ddcf606e7b4ddf53fb9e098117905e4bb566aaed5939c

Download Submit
C:\Users\Admin\AppData\Local\Temp\accpwujww.exe
Filesize
5KB

MD5
03ae60a2d54117341e743be868497268

SHA1
abc4d195b5ad951058714cb38bf1ef62ca51086b

SHA256
0eddc8ff857b24e8c71428baa866fe6e1f3b40de1b7b51145fdb0037e8eee295

SHA512
b5ccddb7d3b2a110ed909146a255b627178c1dd1c80079758bd11d7919c7552d4e339407b695650a1b22426d98149cd0ba7545b4aad9fd5e5d16bff2cc77ea8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\accpwujww.exe
Filesize
5KB

MD5
03ae60a2d54117341e743be868497268

SHA1
abc4d195b5ad951058714cb38bf1ef62ca51086b

SHA256
0eddc8ff857b24e8c71428baa866fe6e1f3b40de1b7b51145fdb0037e8eee295

SHA512
b5ccddb7d3b2a110ed909146a255b627178c1dd1c80079758bd11d7919c7552d4e339407b695650a1b22426d98149cd0ba7545b4aad9fd5e5d16bff2cc77ea8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\accpwujww.exe
Filesize
5KB

MD5
03ae60a2d54117341e743be868497268

SHA1
abc4d195b5ad951058714cb38bf1ef62ca51086b

SHA256
0eddc8ff857b24e8c71428baa866fe6e1f3b40de1b7b51145fdb0037e8eee295

SHA512
b5ccddb7d3b2a110ed909146a255b627178c1dd1c80079758bd11d7919c7552d4e339407b695650a1b22426d98149cd0ba7545b4aad9fd5e5d16bff2cc77ea8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\accpwujww.exe
Filesize
5KB

MD5
03ae60a2d54117341e743be868497268

SHA1
abc4d195b5ad951058714cb38bf1ef62ca51086b

SHA256
0eddc8ff857b24e8c71428baa866fe6e1f3b40de1b7b51145fdb0037e8eee295

SHA512
b5ccddb7d3b2a110ed909146a255b627178c1dd1c80079758bd11d7919c7552d4e339407b695650a1b22426d98149cd0ba7545b4aad9fd5e5d16bff2cc77ea8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gzqeznlmgbv.nua
Filesize
495KB

MD5
7871964204bbe6aad682859785968397

SHA1
13e83bf6a1bac3f1779610f4ac47235cd47bb9b4

SHA256
b41f8b955f6f159ff0d5065d855d89d5528f5a27f0d06c5d15748ad62c2d71da

SHA512
85b87885ab152d667cc0df2626275ada680224d4c8d686e985d578fed12be524215bb8392528af818b734b2f994979893b44e6694863fe2976959960f7f280ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\whgyqbmwow.k
Filesize
7KB

MD5
efd98d26091eabe73cae73972699c29e

SHA1
2b9d4cc399b13d10fe7ddc1cb84df4145c4b7ed4

SHA256
c7a7d9d6aacbce80718605b692fe8c5e13cf3410c1e2ab44ff979a790c918e54

SHA512
718a5efffa704ad2bc38a06fbfb749cef018c86177e5de91574b3a5593a303f8a2b0320ba1db16e96f4ba2d331976938e3a399f0e1031d00646eacebfee82bc7

Download Submit
\Users\Admin\AppData\Local\Temp\accpwujww.exe
Filesize
5KB

MD5
03ae60a2d54117341e743be868497268

SHA1
abc4d195b5ad951058714cb38bf1ef62ca51086b

SHA256
0eddc8ff857b24e8c71428baa866fe6e1f3b40de1b7b51145fdb0037e8eee295

SHA512
b5ccddb7d3b2a110ed909146a255b627178c1dd1c80079758bd11d7919c7552d4e339407b695650a1b22426d98149cd0ba7545b4aad9fd5e5d16bff2cc77ea8a

Download Submit
\Users\Admin\AppData\Local\Temp\accpwujww.exe
Filesize
5KB

MD5
03ae60a2d54117341e743be868497268

SHA1
abc4d195b5ad951058714cb38bf1ef62ca51086b

SHA256
0eddc8ff857b24e8c71428baa866fe6e1f3b40de1b7b51145fdb0037e8eee295

SHA512
b5ccddb7d3b2a110ed909146a255b627178c1dd1c80079758bd11d7919c7552d4e339407b695650a1b22426d98149cd0ba7545b4aad9fd5e5d16bff2cc77ea8a

Download Submit
\Users\Admin\AppData\Local\Temp\accpwujww.exe
Filesize
5KB

MD5
03ae60a2d54117341e743be868497268

SHA1
abc4d195b5ad951058714cb38bf1ef62ca51086b

SHA256
0eddc8ff857b24e8c71428baa866fe6e1f3b40de1b7b51145fdb0037e8eee295

SHA512
b5ccddb7d3b2a110ed909146a255b627178c1dd1c80079758bd11d7919c7552d4e339407b695650a1b22426d98149cd0ba7545b4aad9fd5e5d16bff2cc77ea8a

Download Submit
memory/576-81-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/576-97-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/576-76-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/576-77-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/576-79-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/576-80-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/576-73-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/576-85-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/576-87-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/576-89-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/576-69-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/576-92-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/576-95-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/576-74-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/576-100-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/576-103-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/576-106-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/576-109-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/576-111-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/576-112-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/576-113-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/576-116-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/576-119-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/576-122-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/576-124-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download