remcos | 678d3d4b1057a230e358c3b9b88eb2b5e7611e448427788cc6474ae9a0c19404

Analysis

max time kernel
148s
max time network
147s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14/04/2023, 15:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

caea33e0d520c8a783732de2634c1017.exe
Size

520KB
MD5

caea33e0d520c8a783732de2634c1017
SHA1

43087d7da98b43c64ffddbd1a61f4534e786b74c
SHA256

678d3d4b1057a230e358c3b9b88eb2b5e7611e448427788cc6474ae9a0c19404
SHA512

53f3b89cb8944f18b7309ddcce3327fef52a400af54eb54948943149d4d6057ea4c59491cc5d8fdc5f0fca8734399f5d6c6904432a91d77ec760fe5feb3f155d
SSDEEP

12288:gYhXuzMd8pASpKdoaUjaBMr2j+yQLO0NVVjBvOhWaV3JnJw:gYhXuz28pA2KfLj+yqWBlJw

Score

10^/10

remcos euros persistence rat

Malware Config

Extracted

Family

remcos

Botnet

EUROS

jovaneo.duckdns.org:3641

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-LK36N5
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
2012	qrwlz.exe
980	qrwlz.exe

Loads dropped DLL 3 IoCs

pid	Process
1136	caea33e0d520c8a783732de2634c1017.exe
1136	caea33e0d520c8a783732de2634c1017.exe
2012	qrwlz.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\eajsox = "C:\\Users\\Admin\\AppData\\Roaming\\qavfoktdyie\\nwsclgplu.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\qrwlz.exe\" C:\\Users\\Admin\\AppData\\Loca"	qrwlz.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2012 set thread context of 980	2012	qrwlz.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2012	qrwlz.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
980	qrwlz.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
980	qrwlz.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 2012	1136	caea33e0d520c8a783732de2634c1017.exe	28
PID 1136 wrote to memory of 2012	1136	caea33e0d520c8a783732de2634c1017.exe	28
PID 1136 wrote to memory of 2012	1136	caea33e0d520c8a783732de2634c1017.exe	28
PID 1136 wrote to memory of 2012	1136	caea33e0d520c8a783732de2634c1017.exe	28
PID 2012 wrote to memory of 980	2012	qrwlz.exe	29
PID 2012 wrote to memory of 980	2012	qrwlz.exe	29
PID 2012 wrote to memory of 980	2012	qrwlz.exe	29
PID 2012 wrote to memory of 980	2012	qrwlz.exe	29
PID 2012 wrote to memory of 980	2012	qrwlz.exe	29

C:\Users\Admin\AppData\Local\Temp\caea33e0d520c8a783732de2634c1017.exe
"C:\Users\Admin\AppData\Local\Temp\caea33e0d520c8a783732de2634c1017.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Users\Admin\AppData\Local\Temp\qrwlz.exe
  "C:\Users\Admin\AppData\Local\Temp\qrwlz.exe" C:\Users\Admin\AppData\Local\Temp\aztvpotk.nx
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\qrwlz.exe
    "C:\Users\Admin\AppData\Local\Temp\qrwlz.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aztvpotk.nx

Filesize
7KB

MD5
8159a42ea5a1566ea882be37bea844ea

SHA1
f2216bf5a29fc3c8b7f9c487ab7febe772f4238b

SHA256
2ba35c2e36ac2e8efb8f9f1569c99b517c90dbd7d4e99d6b8558de8f987bf9c7

SHA512
dcbcc3b08b5ede5f3c1023c9f7ae960252dd74c7a93cb0daede31858af792515493576def068108e6d037145a0fe8379f7e4c2e72560a3b18d8ff5e5f5019664

Download Submit
C:\Users\Admin\AppData\Local\Temp\erzstkxdhdq.i

Filesize
496KB

MD5
b356d6d55240de562b92287d24bbac0a

SHA1
5132f57cda5d1d11223601745e31c693d989a848

SHA256
86f60221b9f0b9b4921ebdcf7ada7cfad2a9212244ceb0fe12ca2c5b20ee9aac

SHA512
8107a5499789dd56131c986c916e3fa55596bd1b767ef57c36c76552ce9a56dda04064d6b518f2509da5cd43c0a1cee639fb1f36784adfec8d9bdfdf3c5446d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qrwlz.exe

Filesize
53KB

MD5
4d1007c556545f9e1e51305ee33b1528

SHA1
583c91bfc0a24427ee8d37f0f3513c851af601d8

SHA256
41634ca43a51a576c5c1a3047e94a74f759106642c4a69239eddbfb4b2961a77

SHA512
4aad5d56c083540f5841f1048a7d02861887ad7351ced800b315000a6c1633c760b5caa3d32961d6bdec131e0ac19d1b6c9a669d9bae38cd7fd17f0dfffcee77

Download Submit
C:\Users\Admin\AppData\Local\Temp\qrwlz.exe

Filesize
53KB

MD5
4d1007c556545f9e1e51305ee33b1528

SHA1
583c91bfc0a24427ee8d37f0f3513c851af601d8

SHA256
41634ca43a51a576c5c1a3047e94a74f759106642c4a69239eddbfb4b2961a77

SHA512
4aad5d56c083540f5841f1048a7d02861887ad7351ced800b315000a6c1633c760b5caa3d32961d6bdec131e0ac19d1b6c9a669d9bae38cd7fd17f0dfffcee77

Download Submit
C:\Users\Admin\AppData\Local\Temp\qrwlz.exe

Filesize
53KB

MD5
4d1007c556545f9e1e51305ee33b1528

SHA1
583c91bfc0a24427ee8d37f0f3513c851af601d8

SHA256
41634ca43a51a576c5c1a3047e94a74f759106642c4a69239eddbfb4b2961a77

SHA512
4aad5d56c083540f5841f1048a7d02861887ad7351ced800b315000a6c1633c760b5caa3d32961d6bdec131e0ac19d1b6c9a669d9bae38cd7fd17f0dfffcee77

Download Submit
C:\Users\Admin\AppData\Local\Temp\qrwlz.exe

Filesize
53KB

MD5
4d1007c556545f9e1e51305ee33b1528

SHA1
583c91bfc0a24427ee8d37f0f3513c851af601d8

SHA256
41634ca43a51a576c5c1a3047e94a74f759106642c4a69239eddbfb4b2961a77

SHA512
4aad5d56c083540f5841f1048a7d02861887ad7351ced800b315000a6c1633c760b5caa3d32961d6bdec131e0ac19d1b6c9a669d9bae38cd7fd17f0dfffcee77

Download Submit
\Users\Admin\AppData\Local\Temp\qrwlz.exe

Filesize
53KB

MD5
4d1007c556545f9e1e51305ee33b1528

SHA1
583c91bfc0a24427ee8d37f0f3513c851af601d8

SHA256
41634ca43a51a576c5c1a3047e94a74f759106642c4a69239eddbfb4b2961a77

SHA512
4aad5d56c083540f5841f1048a7d02861887ad7351ced800b315000a6c1633c760b5caa3d32961d6bdec131e0ac19d1b6c9a669d9bae38cd7fd17f0dfffcee77

Download Submit
\Users\Admin\AppData\Local\Temp\qrwlz.exe

Filesize
53KB

MD5
4d1007c556545f9e1e51305ee33b1528

SHA1
583c91bfc0a24427ee8d37f0f3513c851af601d8

SHA256
41634ca43a51a576c5c1a3047e94a74f759106642c4a69239eddbfb4b2961a77

SHA512
4aad5d56c083540f5841f1048a7d02861887ad7351ced800b315000a6c1633c760b5caa3d32961d6bdec131e0ac19d1b6c9a669d9bae38cd7fd17f0dfffcee77

Download Submit
\Users\Admin\AppData\Local\Temp\qrwlz.exe

Filesize
53KB

MD5
4d1007c556545f9e1e51305ee33b1528

SHA1
583c91bfc0a24427ee8d37f0f3513c851af601d8

SHA256
41634ca43a51a576c5c1a3047e94a74f759106642c4a69239eddbfb4b2961a77

SHA512
4aad5d56c083540f5841f1048a7d02861887ad7351ced800b315000a6c1633c760b5caa3d32961d6bdec131e0ac19d1b6c9a669d9bae38cd7fd17f0dfffcee77

Download Submit
memory/980-85-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-92-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-74-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-75-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-76-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-77-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-78-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-79-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-80-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-83-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-84-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-69-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-86-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-87-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-88-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-89-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-90-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-73-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-93-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-94-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-95-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-96-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-97-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-98-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-99-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-100-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-101-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-102-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-103-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-104-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-105-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-106-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/980-107-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download