remcos | efcc97c8dac23a0c8bc179fd3b54efd3594e71d5103f211bf468e2a6e550590e

General

Target

SYN2023060702.exe
Size

551KB
MD5

e550594dbf07c3a445d0ee6d44325c96
SHA1

ac62125f63e40ed06e6b3cf7a4b180543894d797
SHA256

efcc97c8dac23a0c8bc179fd3b54efd3594e71d5103f211bf468e2a6e550590e
SHA512

92924f57caf0c7b5fc08576d807079c7c060ccecc882766c5298af18288c9cbd9a9d01bd325007b52d983e669e90db9b42fcbe525442887e3de66d9246c1565e
SSDEEP

12288:ZLLsWrDu24O0XFrfiPfuw91uhQ9TaQX5eQ4L1NbRHgWAvHv3cIXsSlwjFh:ZLLTrfj9TaY5eV5N95AfUVSoFh

Score

10^/10

remcos remotehost discovery rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

155.94.185.15:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-FUG8H1
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	SYN2023060702.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	SYN2023060702.exe

Loads dropped DLL 1 IoCs

pid	Process
1948	SYN2023060702.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
320	SYN2023060702.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1948	SYN2023060702.exe
320	SYN2023060702.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1948 set thread context of 320	1948	SYN2023060702.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1948	SYN2023060702.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
320	SYN2023060702.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 320	1948	SYN2023060702.exe	28
PID 1948 wrote to memory of 320	1948	SYN2023060702.exe	28
PID 1948 wrote to memory of 320	1948	SYN2023060702.exe	28
PID 1948 wrote to memory of 320	1948	SYN2023060702.exe	28
PID 1948 wrote to memory of 320	1948	SYN2023060702.exe	28

C:\Users\Admin\AppData\Local\Temp\SYN2023060702.exe
"C:\Users\Admin\AppData\Local\Temp\SYN2023060702.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\SYN2023060702.exe
  "C:\Users\Admin\AppData\Local\Temp\SYN2023060702.exe"
  2⤵
  - Checks QEMU agent file
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
b1e27118ea300aff5faa4ea5ebe8b045

SHA1
4f06e5bd97129db44efc4c7bd653311ce96c854e

SHA256
7a480cb7be0e96f855ea7043264b4c965aec6074021ca92a9f8344c16305a3e9

SHA512
46b163e19b415dc9aa42b8e8adfc4e653068907f9aabff27af73dc71394a8a86c323f7c0dddb67dc07b397f94bf86386735b4dacf66469e2fc02193a1b6871c6

Download Submit
\Users\Admin\AppData\Local\Temp\nsy17B8.tmp\System.dll

Filesize
11KB

MD5
c9473cb90d79a374b2ba6040ca16e45c

SHA1
ab95b54f12796dce57210d65f05124a6ed81234a

SHA256
b80a5cba69d1853ed5979b0ca0352437bf368a5cfb86cb4528edadd410e11352

SHA512
eafe7d5894622bc21f663bca4dd594392ee0f5b29270b6b56b0187093d6a3a103545464ff6398ad32d2cf15dab79b1f133218ba9ba337ddc01330b5ada804d7b

Download Submit
memory/320-87-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/320-69-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/320-73-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/320-77-0x0000000001470000-0x00000000055F4000-memory.dmp

Filesize
65.5MB

Download
memory/320-80-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/320-84-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/320-70-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/320-71-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/320-91-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/320-95-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/320-99-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/320-102-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/320-106-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/320-110-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing