remcos | e5dca5eabc6e7533819859eca8ed07eec01fad9cb5b5ea2e9eea547eaf3020f0

General

Target

36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
Size

1.1MB
MD5

1b757184307094f4f4d1caefe3ee80d3
SHA1

fd19f622093c77c00879a3b2bce2171f1b5445bc
SHA256

36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453
SHA512

453b76346c793581633a6c1b3dbef18c37c5db8835a4c8760647c0350879738baa4cc769aeee01cad5c8e30f83fa48ccb370b3fab9b9aff06c96b9df668b0ff3
SSDEEP

24576:MA5Ix0j/0Yw6gDYm+T1Nk/iEYaEr/pa7qvjSUJD:V5Q0gGg8XxNk/i8Ej42SUp

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

212.193.30.230:3348

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-4LKZRP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe

description	pid	process	target process
PID 4280 set thread context of 4640	4280	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4004 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

3580 powershell.exe
3580 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3580 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe

pid process

4640 36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe

pid	process
4004	schtasks.exe

pid	process
3580	powershell.exe
3580	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3580	powershell.exe

pid	process
4640	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe

C:\Users\Admin\AppData\Local\Temp\36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
"C:\Users\Admin\AppData\Local\Temp\36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bbIxiXDjWQZvb.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bbIxiXDjWQZvb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2B07.tmp"
2⤵
- Creates scheduled task(s)
PID:4004

C:\Users\Admin\AppData\Local\Temp\36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
"C:\Users\Admin\AppData\Local\Temp\36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:4640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
a37fb1f381dee17b456d708e6f5b0dd8

SHA1
6d02b503398eb163516a1e65886cb7290b33a9ae

SHA256
5d7fa63f8fe4a4735c399a9d7b1917613fca1ab9f6a8c8658d8f03c3efdaf418

SHA512
ad6f2599903eb8042b2148b61f3a469781df913c46b96f377c0dacb3d565b123a4af7a741a48eb0204a7191712e0a0571495f50c88fe7998be9f90e29bdf70b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sanjjvtf.nvc.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2B07.tmp
Filesize
1KB

MD5
1e8633b119f8f801682309d3a43fcb8e

SHA1
57773bec166804b595ce403cd887f3d0158f7ba5

SHA256
f51c25213dc55700c099b7d51f8590eeee8086963a26d917182d0e3637516dc0

SHA512
2c90c27cdeb6367e9b5650776f6d14724e78f1ee9dbb9000a00e3eddad8a97e972ef02356dac00a07ea410a17fbb6f95974d70290742ed8d51449d79c1d8de06

Download Submit
memory/3580-191-0x0000000007F30000-0x0000000007F4A000-memory.dmp

Filesize
104KB

Download
memory/3580-187-0x0000000007C60000-0x0000000007C6A000-memory.dmp

Filesize
40KB

Download
memory/3580-185-0x0000000007BF0000-0x0000000007C0A000-memory.dmp

Filesize
104KB

Download
memory/3580-184-0x0000000008230000-0x00000000088AA000-memory.dmp

Filesize
6.5MB

Download
memory/3580-144-0x0000000005330000-0x0000000005366000-memory.dmp

Filesize
216KB

Download
memory/3580-183-0x0000000006E80000-0x0000000006E9E000-memory.dmp

Filesize
120KB

Download
memory/3580-146-0x0000000005A50000-0x0000000006078000-memory.dmp

Filesize
6.2MB

Download
memory/3580-173-0x00000000712A0000-0x00000000712EC000-memory.dmp

Filesize
304KB

Download
memory/3580-172-0x0000000006EA0000-0x0000000006ED2000-memory.dmp

Filesize
200KB

Download
memory/3580-192-0x0000000007F20000-0x0000000007F28000-memory.dmp

Filesize
32KB

Download
memory/3580-151-0x0000000005940000-0x0000000005962000-memory.dmp

Filesize
136KB

Download
memory/3580-186-0x000000007FD20000-0x000000007FD30000-memory.dmp

Filesize
64KB

Download
memory/3580-153-0x00000000061F0000-0x0000000006256000-memory.dmp

Filesize
408KB

Download
memory/3580-190-0x0000000007E30000-0x0000000007E3E000-memory.dmp

Filesize
56KB

Download
memory/3580-158-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/3580-188-0x0000000007E70000-0x0000000007F06000-memory.dmp

Filesize
600KB

Download
memory/3580-156-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/3580-171-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/3580-155-0x00000000062D0000-0x0000000006336000-memory.dmp

Filesize
408KB

Download
memory/3580-170-0x00000000068F0000-0x000000000690E000-memory.dmp

Filesize
120KB

Download
memory/4280-137-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/4280-134-0x0000000005710000-0x0000000005CB4000-memory.dmp

Filesize
5.6MB

Download
memory/4280-133-0x00000000005C0000-0x00000000006DA000-memory.dmp

Filesize
1.1MB

Download
memory/4280-135-0x0000000005070000-0x0000000005102000-memory.dmp

Filesize
584KB

Download
memory/4280-136-0x0000000005120000-0x000000000512A000-memory.dmp

Filesize
40KB

Download
memory/4280-139-0x0000000006E90000-0x0000000006F2C000-memory.dmp

Filesize
624KB

Download
memory/4280-138-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/4640-148-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4640-165-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4640-159-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4640-157-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4640-152-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4640-150-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4640-196-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4640-199-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4640-200-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4640-147-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4640-205-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4640-206-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4640-212-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4640-213-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4640-218-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4640-219-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download

description	pid	process	target process
PID 4280 wrote to memory of 3580	4280	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	powershell.exe
PID 4280 wrote to memory of 3580	4280	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	powershell.exe
PID 4280 wrote to memory of 3580	4280	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	powershell.exe
PID 4280 wrote to memory of 4004	4280	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	schtasks.exe
PID 4280 wrote to memory of 4004	4280	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	schtasks.exe
PID 4280 wrote to memory of 4004	4280	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	schtasks.exe
PID 4280 wrote to memory of 4640	4280	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
PID 4280 wrote to memory of 4640	4280	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
PID 4280 wrote to memory of 4640	4280	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
PID 4280 wrote to memory of 4640	4280	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
PID 4280 wrote to memory of 4640	4280	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
PID 4280 wrote to memory of 4640	4280	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
PID 4280 wrote to memory of 4640	4280	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
PID 4280 wrote to memory of 4640	4280	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
PID 4280 wrote to memory of 4640	4280	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
PID 4280 wrote to memory of 4640	4280	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
PID 4280 wrote to memory of 4640	4280	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe
PID 4280 wrote to memory of 4640	4280	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe	36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads