remcos | a65de678bfc68fa18936e353ba96fed7f00134a30ead01a45f88e10adb33be9b

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27-03-2023 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e71210a8cb9a16fe0b777e20ab8750cf.exe
Size

490KB
MD5

e71210a8cb9a16fe0b777e20ab8750cf
SHA1

16ed028a56c4a6b008f66062e574664020cf1d30
SHA256

a65de678bfc68fa18936e353ba96fed7f00134a30ead01a45f88e10adb33be9b
SHA512

6fa9b47082d9212f669563806108e682fda1fdd71b343e21fd93e2163512024d560524bf2b8ebde927035447d85ca0ce8aa925b6b216c0dcb38743b2ea3e42ab
SSDEEP

12288:OYyF6L25vWOfQqxa0snt/Rt/04kRVCkv2ey9bdA6NT1:OYyIKNWOYqxZstkXRVCk+B9a6NB

Score

10^/10

remcos first-send persistence rat

Malware Config

Extracted

Family

remcos

Botnet

First-Send

top.not4abuse1.xyz:1558

sub.not4abuse1.xyz:1558

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
rmcs
mouse_option
false
mutex
Rmc-4RNJ4J
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
20
startup_value
Remcos
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
Mail;Payment;Bank

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

accpwujww.exeaccpwujww.exe

pid process

848 accpwujww.exe
544 accpwujww.exe
Loads dropped DLL 3 IoCs

Processes:

e71210a8cb9a16fe0b777e20ab8750cf.exeaccpwujww.exe

pid process

1604 e71210a8cb9a16fe0b777e20ab8750cf.exe
1604 e71210a8cb9a16fe0b777e20ab8750cf.exe
848 accpwujww.exe

pid	process
848	accpwujww.exe
544	accpwujww.exe

pid	process
1604	e71210a8cb9a16fe0b777e20ab8750cf.exe
1604	e71210a8cb9a16fe0b777e20ab8750cf.exe
848	accpwujww.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

accpwujww.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfvagnchfieng = "C:\\Users\\Admin\\AppData\\Roaming\\vqbyhielrdllo\\hjsxhyymsvw.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\accpwujww.exe\" C:\\Users\\Admin\\AppD"	accpwujww.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

accpwujww.exe

description pid process target process

PID 848 set thread context of 544 848 accpwujww.exe accpwujww.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

accpwujww.exe

pid process

544 accpwujww.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

accpwujww.exe

pid process

848 accpwujww.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

accpwujww.exe

pid process

544 accpwujww.exe

description	pid	process	target process
PID 848 set thread context of 544	848	accpwujww.exe	accpwujww.exe

pid	process
544	accpwujww.exe

pid	process
848	accpwujww.exe

pid	process
544	accpwujww.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

e71210a8cb9a16fe0b777e20ab8750cf.exeaccpwujww.exe

description	pid	process	target process
PID 1604 wrote to memory of 848	1604	e71210a8cb9a16fe0b777e20ab8750cf.exe	accpwujww.exe
PID 1604 wrote to memory of 848	1604	e71210a8cb9a16fe0b777e20ab8750cf.exe	accpwujww.exe
PID 1604 wrote to memory of 848	1604	e71210a8cb9a16fe0b777e20ab8750cf.exe	accpwujww.exe
PID 1604 wrote to memory of 848	1604	e71210a8cb9a16fe0b777e20ab8750cf.exe	accpwujww.exe
PID 848 wrote to memory of 544	848	accpwujww.exe	accpwujww.exe
PID 848 wrote to memory of 544	848	accpwujww.exe	accpwujww.exe
PID 848 wrote to memory of 544	848	accpwujww.exe	accpwujww.exe
PID 848 wrote to memory of 544	848	accpwujww.exe	accpwujww.exe
PID 848 wrote to memory of 544	848	accpwujww.exe	accpwujww.exe

C:\Users\Admin\AppData\Local\Temp\e71210a8cb9a16fe0b777e20ab8750cf.exe
"C:\Users\Admin\AppData\Local\Temp\e71210a8cb9a16fe0b777e20ab8750cf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Local\Temp\accpwujww.exe
"C:\Users\Admin\AppData\Local\Temp\accpwujww.exe" C:\Users\Admin\AppData\Local\Temp\whgyqbmwow.k
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:848

C:\Users\Admin\AppData\Local\Temp\accpwujww.exe
"C:\Users\Admin\AppData\Local\Temp\accpwujww.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\rmcs\logs.dat
Filesize
144B

MD5
057ac16c7ec24a5d01083bba57cf1503

SHA1
2197a30299f3908c9574cc4cf3b804e72cf888d4

SHA256
cf80dea43a3fba2b53afd06de02e63a0a90fde86a5644ca375d327d3eee09d5e

SHA512
76f85b923d2612aafae3a2be8e32da1936bffec3ffae550fd6c86c8cd9c4e2a35b3a92a9cbbd946687748813f130e48ff95a38818fc4231e31addd0ee30aaccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\accpwujww.exe
Filesize
5KB

MD5
03ae60a2d54117341e743be868497268

SHA1
abc4d195b5ad951058714cb38bf1ef62ca51086b

SHA256
0eddc8ff857b24e8c71428baa866fe6e1f3b40de1b7b51145fdb0037e8eee295

SHA512
b5ccddb7d3b2a110ed909146a255b627178c1dd1c80079758bd11d7919c7552d4e339407b695650a1b22426d98149cd0ba7545b4aad9fd5e5d16bff2cc77ea8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\accpwujww.exe
Filesize
5KB

MD5
03ae60a2d54117341e743be868497268

SHA1
abc4d195b5ad951058714cb38bf1ef62ca51086b

SHA256
0eddc8ff857b24e8c71428baa866fe6e1f3b40de1b7b51145fdb0037e8eee295

SHA512
b5ccddb7d3b2a110ed909146a255b627178c1dd1c80079758bd11d7919c7552d4e339407b695650a1b22426d98149cd0ba7545b4aad9fd5e5d16bff2cc77ea8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\accpwujww.exe
Filesize
5KB

MD5
03ae60a2d54117341e743be868497268

SHA1
abc4d195b5ad951058714cb38bf1ef62ca51086b

SHA256
0eddc8ff857b24e8c71428baa866fe6e1f3b40de1b7b51145fdb0037e8eee295

SHA512
b5ccddb7d3b2a110ed909146a255b627178c1dd1c80079758bd11d7919c7552d4e339407b695650a1b22426d98149cd0ba7545b4aad9fd5e5d16bff2cc77ea8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\accpwujww.exe
Filesize
5KB

MD5
03ae60a2d54117341e743be868497268

SHA1
abc4d195b5ad951058714cb38bf1ef62ca51086b

SHA256
0eddc8ff857b24e8c71428baa866fe6e1f3b40de1b7b51145fdb0037e8eee295

SHA512
b5ccddb7d3b2a110ed909146a255b627178c1dd1c80079758bd11d7919c7552d4e339407b695650a1b22426d98149cd0ba7545b4aad9fd5e5d16bff2cc77ea8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gzqeznlmgbv.nua
Filesize
495KB

MD5
7871964204bbe6aad682859785968397

SHA1
13e83bf6a1bac3f1779610f4ac47235cd47bb9b4

SHA256
b41f8b955f6f159ff0d5065d855d89d5528f5a27f0d06c5d15748ad62c2d71da

SHA512
85b87885ab152d667cc0df2626275ada680224d4c8d686e985d578fed12be524215bb8392528af818b734b2f994979893b44e6694863fe2976959960f7f280ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\whgyqbmwow.k
Filesize
7KB

MD5
efd98d26091eabe73cae73972699c29e

SHA1
2b9d4cc399b13d10fe7ddc1cb84df4145c4b7ed4

SHA256
c7a7d9d6aacbce80718605b692fe8c5e13cf3410c1e2ab44ff979a790c918e54

SHA512
718a5efffa704ad2bc38a06fbfb749cef018c86177e5de91574b3a5593a303f8a2b0320ba1db16e96f4ba2d331976938e3a399f0e1031d00646eacebfee82bc7

Download Submit
\Users\Admin\AppData\Local\Temp\accpwujww.exe
Filesize
5KB

MD5
03ae60a2d54117341e743be868497268

SHA1
abc4d195b5ad951058714cb38bf1ef62ca51086b

SHA256
0eddc8ff857b24e8c71428baa866fe6e1f3b40de1b7b51145fdb0037e8eee295

SHA512
b5ccddb7d3b2a110ed909146a255b627178c1dd1c80079758bd11d7919c7552d4e339407b695650a1b22426d98149cd0ba7545b4aad9fd5e5d16bff2cc77ea8a

Download Submit
\Users\Admin\AppData\Local\Temp\accpwujww.exe
Filesize
5KB

MD5
03ae60a2d54117341e743be868497268

SHA1
abc4d195b5ad951058714cb38bf1ef62ca51086b

SHA256
0eddc8ff857b24e8c71428baa866fe6e1f3b40de1b7b51145fdb0037e8eee295

SHA512
b5ccddb7d3b2a110ed909146a255b627178c1dd1c80079758bd11d7919c7552d4e339407b695650a1b22426d98149cd0ba7545b4aad9fd5e5d16bff2cc77ea8a

Download Submit
\Users\Admin\AppData\Local\Temp\accpwujww.exe
Filesize
5KB

MD5
03ae60a2d54117341e743be868497268

SHA1
abc4d195b5ad951058714cb38bf1ef62ca51086b

SHA256
0eddc8ff857b24e8c71428baa866fe6e1f3b40de1b7b51145fdb0037e8eee295

SHA512
b5ccddb7d3b2a110ed909146a255b627178c1dd1c80079758bd11d7919c7552d4e339407b695650a1b22426d98149cd0ba7545b4aad9fd5e5d16bff2cc77ea8a

Download Submit
memory/544-91-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-98-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-76-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-77-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-79-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-81-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-82-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-83-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-84-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-89-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-73-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-93-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-69-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-96-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-97-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-74-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-101-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-103-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-107-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-106-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-111-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-114-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-117-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-118-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-119-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-122-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-124-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-127-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-128-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-129-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-132-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-135-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download