remcos | 44a755ff3e39ab7289f79d9073d7658441fa45711ae53aaeffc86c587f4285f5

Analysis

max time kernel
148s
max time network
128s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27-03-2023 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e5973b1e3a446ad7ee5e1753db6043be6a2a1b3ecfa1e5062ba1d001511491f.exe
Size

525KB
MD5

96640a4799fe532df64ebde0a914567c
SHA1

5b8978b368104eb3ed79bfbb473790b9f18d4a83
SHA256

6e5973b1e3a446ad7ee5e1753db6043be6a2a1b3ecfa1e5062ba1d001511491f
SHA512

d827bb98f6965cb4ffe76cb45251273abf07fbaaf98e544970a87e37a58d339dd1b323211b965b07ae26e904a7d8990c375c28981c19535551ab001184a85409
SSDEEP

12288:KYTTJvONxFQl3Hlhv8RWSGl9bOKMRTBI4A2Cpvb+TviXl0gpxX:KYTTxObqlVhEPOVOKMRTQVb+TKXl0gp5

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

127.0.0.1:55898

185.65.134.167:55898

10.15.0.18:55898

180.214.238.18:55898

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-41LT1T
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

dnzct.exednzct.exe

pid process

916 dnzct.exe
568 dnzct.exe

pid	process
916	dnzct.exe
568	dnzct.exe

Loads dropped DLL 3 IoCs

Processes:

6e5973b1e3a446ad7ee5e1753db6043be6a2a1b3ecfa1e5062ba1d001511491f.exednzct.exe

pid	process
844	6e5973b1e3a446ad7ee5e1753db6043be6a2a1b3ecfa1e5062ba1d001511491f.exe
844	6e5973b1e3a446ad7ee5e1753db6043be6a2a1b3ecfa1e5062ba1d001511491f.exe
916	dnzct.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dnzct.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\mvrbkgpyt = "C:\\Users\\Admin\\AppData\\Roaming\\ibwgclu\\pyienjscxhq.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dnzct.exe\" C:\\Users\\Admin\\AppData\\Local\\"	dnzct.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

dnzct.exe

description pid process target process

PID 916 set thread context of 568 916 dnzct.exe dnzct.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

dnzct.exe

pid process

916 dnzct.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dnzct.exe

pid process

568 dnzct.exe

description	pid	process	target process
PID 916 set thread context of 568	916	dnzct.exe	dnzct.exe

pid	process
916	dnzct.exe

pid	process
568	dnzct.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6e5973b1e3a446ad7ee5e1753db6043be6a2a1b3ecfa1e5062ba1d001511491f.exednzct.exe

description	pid	process	target process
PID 844 wrote to memory of 916	844	6e5973b1e3a446ad7ee5e1753db6043be6a2a1b3ecfa1e5062ba1d001511491f.exe	dnzct.exe
PID 844 wrote to memory of 916	844	6e5973b1e3a446ad7ee5e1753db6043be6a2a1b3ecfa1e5062ba1d001511491f.exe	dnzct.exe
PID 844 wrote to memory of 916	844	6e5973b1e3a446ad7ee5e1753db6043be6a2a1b3ecfa1e5062ba1d001511491f.exe	dnzct.exe
PID 844 wrote to memory of 916	844	6e5973b1e3a446ad7ee5e1753db6043be6a2a1b3ecfa1e5062ba1d001511491f.exe	dnzct.exe
PID 916 wrote to memory of 568	916	dnzct.exe	dnzct.exe
PID 916 wrote to memory of 568	916	dnzct.exe	dnzct.exe
PID 916 wrote to memory of 568	916	dnzct.exe	dnzct.exe
PID 916 wrote to memory of 568	916	dnzct.exe	dnzct.exe
PID 916 wrote to memory of 568	916	dnzct.exe	dnzct.exe

C:\Users\Admin\AppData\Local\Temp\6e5973b1e3a446ad7ee5e1753db6043be6a2a1b3ecfa1e5062ba1d001511491f.exe
"C:\Users\Admin\AppData\Local\Temp\6e5973b1e3a446ad7ee5e1753db6043be6a2a1b3ecfa1e5062ba1d001511491f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:844

C:\Users\Admin\AppData\Local\Temp\dnzct.exe
"C:\Users\Admin\AppData\Local\Temp\dnzct.exe" C:\Users\Admin\AppData\Local\Temp\heltmtguyf.z
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:916

C:\Users\Admin\AppData\Local\Temp\dnzct.exe
"C:\Users\Admin\AppData\Local\Temp\dnzct.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
6c471935b2c65ad7e2bbea3fa0282e16

SHA1
3f37a1bcee21bb05c6aa88a96a993c144593368f

SHA256
c856b2fb812917cdd341ae0bc6bcffe11d8227e499b3e64b70b3a84e39061f16

SHA512
6cea2a6f33171b855c31fa5cb0c4bd234d863bd13c2fa97ca8679ed492404dbc019d58b26b4065328510473ebe4b742d029983869166516ab6375d41227e2ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnzct.exe
Filesize
85KB

MD5
e392c200a94e1e654d6f9bfc018f113f

SHA1
efe92e8b1da6cd6a3738b7c116405212e1561d19

SHA256
f62474d4e95f6ff3421f1c22e8a71b4b48b2afbc0fc54cb24481de76d5a42616

SHA512
bc72f0257f72351a9945a3f5cb54c14b9a2534af8aadfb0137326afa46eafa5d23aa3d844c575bcd26b9c2b9180b9029051f1b3b7b79176b08de8f2ca06d500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnzct.exe
Filesize
85KB

MD5
e392c200a94e1e654d6f9bfc018f113f

SHA1
efe92e8b1da6cd6a3738b7c116405212e1561d19

SHA256
f62474d4e95f6ff3421f1c22e8a71b4b48b2afbc0fc54cb24481de76d5a42616

SHA512
bc72f0257f72351a9945a3f5cb54c14b9a2534af8aadfb0137326afa46eafa5d23aa3d844c575bcd26b9c2b9180b9029051f1b3b7b79176b08de8f2ca06d500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnzct.exe
Filesize
85KB

MD5
e392c200a94e1e654d6f9bfc018f113f

SHA1
efe92e8b1da6cd6a3738b7c116405212e1561d19

SHA256
f62474d4e95f6ff3421f1c22e8a71b4b48b2afbc0fc54cb24481de76d5a42616

SHA512
bc72f0257f72351a9945a3f5cb54c14b9a2534af8aadfb0137326afa46eafa5d23aa3d844c575bcd26b9c2b9180b9029051f1b3b7b79176b08de8f2ca06d500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnzct.exe
Filesize
85KB

MD5
e392c200a94e1e654d6f9bfc018f113f

SHA1
efe92e8b1da6cd6a3738b7c116405212e1561d19

SHA256
f62474d4e95f6ff3421f1c22e8a71b4b48b2afbc0fc54cb24481de76d5a42616

SHA512
bc72f0257f72351a9945a3f5cb54c14b9a2534af8aadfb0137326afa46eafa5d23aa3d844c575bcd26b9c2b9180b9029051f1b3b7b79176b08de8f2ca06d500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\heltmtguyf.z
Filesize
7KB

MD5
3dd2a19c4ba9e71e2bfdaf29b42f55de

SHA1
cfcb1050c7157ca02c80407bc69bdce3fdd76528

SHA256
ef6f26306ec3070342dfed59428da21eb2a4948ef010a126441d92aec38d1491

SHA512
11406303c30f6d8ec0586d9a91cad3f23d860cbe9c0cc9f3edae46916313d107f6d96c74b3c59527c2ca9d98c2364150e4d913e0d7ea2b34a92bc46365f40926

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgsxtlwhbcy.gge
Filesize
496KB

MD5
ca773195df4f76627b6e1ec87866f60e

SHA1
f6bf8ec80563827454da20721ec37c00aed6a718

SHA256
df31595ab522440e50a5f0db1207f795f4e38cd1294c22ccbf9dd6625f540b3f

SHA512
79aabb52af1b00ffc4b49beb1a5c88c99ff983b49b4e75cc7879398becf6d1faba466d8f9f4f48f7353b02f4fc1981ef5046939ee0dec8f0570546b1f8dc3205

Download Submit
\Users\Admin\AppData\Local\Temp\dnzct.exe
Filesize
85KB

MD5
e392c200a94e1e654d6f9bfc018f113f

SHA1
efe92e8b1da6cd6a3738b7c116405212e1561d19

SHA256
f62474d4e95f6ff3421f1c22e8a71b4b48b2afbc0fc54cb24481de76d5a42616

SHA512
bc72f0257f72351a9945a3f5cb54c14b9a2534af8aadfb0137326afa46eafa5d23aa3d844c575bcd26b9c2b9180b9029051f1b3b7b79176b08de8f2ca06d500c

Download Submit
\Users\Admin\AppData\Local\Temp\dnzct.exe
Filesize
85KB

MD5
e392c200a94e1e654d6f9bfc018f113f

SHA1
efe92e8b1da6cd6a3738b7c116405212e1561d19

SHA256
f62474d4e95f6ff3421f1c22e8a71b4b48b2afbc0fc54cb24481de76d5a42616

SHA512
bc72f0257f72351a9945a3f5cb54c14b9a2534af8aadfb0137326afa46eafa5d23aa3d844c575bcd26b9c2b9180b9029051f1b3b7b79176b08de8f2ca06d500c

Download Submit
\Users\Admin\AppData\Local\Temp\dnzct.exe
Filesize
85KB

MD5
e392c200a94e1e654d6f9bfc018f113f

SHA1
efe92e8b1da6cd6a3738b7c116405212e1561d19

SHA256
f62474d4e95f6ff3421f1c22e8a71b4b48b2afbc0fc54cb24481de76d5a42616

SHA512
bc72f0257f72351a9945a3f5cb54c14b9a2534af8aadfb0137326afa46eafa5d23aa3d844c575bcd26b9c2b9180b9029051f1b3b7b79176b08de8f2ca06d500c

Download Submit
memory/568-92-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-101-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-76-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-77-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-79-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-78-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-80-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-83-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-85-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-87-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-89-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-73-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-69-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-95-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-97-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-99-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-100-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-74-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-103-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-107-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-109-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-110-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-112-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-115-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-118-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-119-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-120-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-123-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-125-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-128-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-130-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-131-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-133-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/568-136-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download