remcos | e5dca5eabc6e7533819859eca8ed07eec01fad9cb5b5ea2e9eea547eaf3020f0

General

Target

36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
Size

1.1MB
MD5

1b757184307094f4f4d1caefe3ee80d3
SHA1

fd19f622093c77c00879a3b2bce2171f1b5445bc
SHA256

36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453
SHA512

453b76346c793581633a6c1b3dbef18c37c5db8835a4c8760647c0350879738baa4cc769aeee01cad5c8e30f83fa48ccb370b3fab9b9aff06c96b9df668b0ff3
SSDEEP

24576:MA5Ix0j/0Yw6gDYm+T1Nk/iEYaEr/pa7qvjSUJD:V5Q0gGg8XxNk/i8Ej42SUp

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

212.193.30.230:3348

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-4LKZRP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

Processes:

36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe

description	pid	process	target process
PID 1100 set thread context of 1084	1100	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1692 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1316 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1316 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe

pid process

1084 36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe

pid	process
1692	schtasks.exe

pid	process
1316	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1316	powershell.exe

pid	process
1084	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe

C:\Users\Admin\AppData\Local\Temp\36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
"C:\Users\Admin\AppData\Local\Temp\36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bbIxiXDjWQZvb.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bbIxiXDjWQZvb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp422F.tmp"
2⤵
- Creates scheduled task(s)
PID:1692

C:\Users\Admin\AppData\Local\Temp\36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
"C:\Users\Admin\AppData\Local\Temp\36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
9a00287df5b8909647df8c29e3236c7b

SHA1
c41e035a22ed72b3f01b84c217a44fa657f970dc

SHA256
f5d1c39ecfa002296b3971603a96f90b50f2c7614c1f1772a0350e6ea24f6f77

SHA512
6c1e78d3a703351c254121bca51666db843f7b30d4a14982d927fe58e65889ce2880d5d3f191e62b0c946c62e4e402a661fda15320801e530372013578eacc89

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp422F.tmp
Filesize
1KB

MD5
0b2d5f1fb21c95ebf448bd96358a932d

SHA1
43132b7cc470b52b94e6642871a2d8168339c95b

SHA256
61d3533fdd2eea97761797978feb7fc49ade1a136430b3e42d360a398bdd492d

SHA512
3fe8b03b15d01e9a82b3f1f56bb2534f439d7775632a8d1a6559c8704cd399ca5306a841788ef2ade2943c31fb7448b9fd320f7a19a419c2d0ef806ceab4709e

Download Submit
memory/1084-79-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1084-69-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1084-113-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1084-112-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1084-107-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1084-105-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1084-66-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1084-80-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1084-70-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1084-82-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1084-72-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1084-73-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1084-74-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1084-75-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1084-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1084-77-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1084-100-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1084-99-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1084-71-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1084-83-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1084-84-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1084-94-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1084-93-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1084-90-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1100-55-0x0000000004D90000-0x0000000004DD0000-memory.dmp

Filesize
256KB

Download
memory/1100-57-0x0000000004D90000-0x0000000004DD0000-memory.dmp

Filesize
256KB

Download
memory/1100-56-0x0000000000480000-0x00000000004A0000-memory.dmp

Filesize
128KB

Download
memory/1100-65-0x0000000005450000-0x00000000054D0000-memory.dmp

Filesize
512KB

Download
memory/1100-54-0x0000000000F00000-0x000000000101A000-memory.dmp

Filesize
1.1MB

Download
memory/1100-59-0x00000000058E0000-0x00000000059D4000-memory.dmp

Filesize
976KB

Download
memory/1100-58-0x00000000006E0000-0x00000000006EC000-memory.dmp

Filesize
48KB

Download
memory/1316-87-0x00000000023E0000-0x0000000002420000-memory.dmp

Filesize
256KB

Download
memory/1316-86-0x00000000023E0000-0x0000000002420000-memory.dmp

Filesize
256KB

Download
memory/1316-85-0x00000000023E0000-0x0000000002420000-memory.dmp

Filesize
256KB

Download

description	pid	process	target process
PID 1100 wrote to memory of 1316	1100	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	powershell.exe
PID 1100 wrote to memory of 1316	1100	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	powershell.exe
PID 1100 wrote to memory of 1316	1100	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	powershell.exe
PID 1100 wrote to memory of 1316	1100	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	powershell.exe
PID 1100 wrote to memory of 1692	1100	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	schtasks.exe
PID 1100 wrote to memory of 1692	1100	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	schtasks.exe
PID 1100 wrote to memory of 1692	1100	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	schtasks.exe
PID 1100 wrote to memory of 1692	1100	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	schtasks.exe
PID 1100 wrote to memory of 1084	1100	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
PID 1100 wrote to memory of 1084	1100	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
PID 1100 wrote to memory of 1084	1100	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
PID 1100 wrote to memory of 1084	1100	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
PID 1100 wrote to memory of 1084	1100	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
PID 1100 wrote to memory of 1084	1100	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
PID 1100 wrote to memory of 1084	1100	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
PID 1100 wrote to memory of 1084	1100	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
PID 1100 wrote to memory of 1084	1100	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
PID 1100 wrote to memory of 1084	1100	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
PID 1100 wrote to memory of 1084	1100	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
PID 1100 wrote to memory of 1084	1100	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
PID 1100 wrote to memory of 1084	1100	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads