remcos | f8c1e632a1ad12cd10d48e67b7ec7d58b133a1e624ac39f77fe7b121562c8acc

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
26/05/2023, 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ - URGENT REQUEST.exe
Size

1.0MB
MD5

5203b7b950622cd099fd40468a8ce9e8
SHA1

f1f40707fd40bc961cd684ebd5274b47fa7d82b7
SHA256

fa25a9987997b5bb2ee76905f6d6a3c5583b6751edd5e720640d712b2b094205
SHA512

5c9f2b03815989a0722b305c5b660a577089d4aca26376dd38ddadacd5a8803ddced39439a6154e398837f989321a87c20df91452e328733a4a1543a8bebc075
SSDEEP

12288:5QLzsiTB2QwWL7vPpLlvRolNoyHTXijBvqHrS+0P82jQeDi2aWpxy7BZrX92gsla:OLzxxnPpLlGNlTXiYrS+0P8m958vg+

Score

10^/10

remcos sirmo persistence rat

Malware Config

Extracted

Family

remcos

Botnet

SirMo

servermolink.ddns.net:9019

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
bin.exe
copy_folder
bin
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ENJ179
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 3 IoCs

pid	Process
1644	bin.exe
1084	bin.exe
1740	bin.exe

Loads dropped DLL 1 IoCs

pid	Process
1396	RFQ - URGENT REQUEST.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-ENJ179 = "\"C:\\Users\\Admin\\AppData\\Roaming\\bin\\bin.exe\""	bin.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\	RFQ - URGENT REQUEST.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-ENJ179 = "\"C:\\Users\\Admin\\AppData\\Roaming\\bin\\bin.exe\""	RFQ - URGENT REQUEST.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	RFQ - URGENT REQUEST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-ENJ179 = "\"C:\\Users\\Admin\\AppData\\Roaming\\bin\\bin.exe\""	RFQ - URGENT REQUEST.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\	bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-ENJ179 = "\"C:\\Users\\Admin\\AppData\\Roaming\\bin\\bin.exe\""	bin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	bin.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1764 set thread context of 1396	1764	RFQ - URGENT REQUEST.exe	30
PID 1644 set thread context of 1740	1644	bin.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1500	schtasks.exe
1664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1644	bin.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1644	bin.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1740	bin.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 1500	1764	RFQ - URGENT REQUEST.exe	28
PID 1764 wrote to memory of 1500	1764	RFQ - URGENT REQUEST.exe	28
PID 1764 wrote to memory of 1500	1764	RFQ - URGENT REQUEST.exe	28
PID 1764 wrote to memory of 1500	1764	RFQ - URGENT REQUEST.exe	28
PID 1764 wrote to memory of 1396	1764	RFQ - URGENT REQUEST.exe	30
PID 1764 wrote to memory of 1396	1764	RFQ - URGENT REQUEST.exe	30
PID 1764 wrote to memory of 1396	1764	RFQ - URGENT REQUEST.exe	30
PID 1764 wrote to memory of 1396	1764	RFQ - URGENT REQUEST.exe	30
PID 1764 wrote to memory of 1396	1764	RFQ - URGENT REQUEST.exe	30
PID 1764 wrote to memory of 1396	1764	RFQ - URGENT REQUEST.exe	30
PID 1764 wrote to memory of 1396	1764	RFQ - URGENT REQUEST.exe	30
PID 1764 wrote to memory of 1396	1764	RFQ - URGENT REQUEST.exe	30
PID 1764 wrote to memory of 1396	1764	RFQ - URGENT REQUEST.exe	30
PID 1764 wrote to memory of 1396	1764	RFQ - URGENT REQUEST.exe	30
PID 1764 wrote to memory of 1396	1764	RFQ - URGENT REQUEST.exe	30
PID 1764 wrote to memory of 1396	1764	RFQ - URGENT REQUEST.exe	30
PID 1764 wrote to memory of 1396	1764	RFQ - URGENT REQUEST.exe	30
PID 1396 wrote to memory of 1644	1396	RFQ - URGENT REQUEST.exe	31
PID 1396 wrote to memory of 1644	1396	RFQ - URGENT REQUEST.exe	31
PID 1396 wrote to memory of 1644	1396	RFQ - URGENT REQUEST.exe	31
PID 1396 wrote to memory of 1644	1396	RFQ - URGENT REQUEST.exe	31
PID 1644 wrote to memory of 1664	1644	bin.exe	32
PID 1644 wrote to memory of 1664	1644	bin.exe	32
PID 1644 wrote to memory of 1664	1644	bin.exe	32
PID 1644 wrote to memory of 1664	1644	bin.exe	32
PID 1644 wrote to memory of 1084	1644	bin.exe	34
PID 1644 wrote to memory of 1084	1644	bin.exe	34
PID 1644 wrote to memory of 1084	1644	bin.exe	34
PID 1644 wrote to memory of 1084	1644	bin.exe	34
PID 1644 wrote to memory of 1740	1644	bin.exe	35
PID 1644 wrote to memory of 1740	1644	bin.exe	35
PID 1644 wrote to memory of 1740	1644	bin.exe	35
PID 1644 wrote to memory of 1740	1644	bin.exe	35
PID 1644 wrote to memory of 1740	1644	bin.exe	35
PID 1644 wrote to memory of 1740	1644	bin.exe	35
PID 1644 wrote to memory of 1740	1644	bin.exe	35
PID 1644 wrote to memory of 1740	1644	bin.exe	35
PID 1644 wrote to memory of 1740	1644	bin.exe	35
PID 1644 wrote to memory of 1740	1644	bin.exe	35
PID 1644 wrote to memory of 1740	1644	bin.exe	35
PID 1644 wrote to memory of 1740	1644	bin.exe	35
PID 1644 wrote to memory of 1740	1644	bin.exe	35

C:\Users\Admin\AppData\Local\Temp\RFQ - URGENT REQUEST.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ - URGENT REQUEST.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NkYGlXHqRqkS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8363.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1500
- C:\Users\Admin\AppData\Local\Temp\RFQ - URGENT REQUEST.exe
  "{path}"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Users\Admin\AppData\Roaming\bin\bin.exe
    "C:\Users\Admin\AppData\Roaming\bin\bin.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NkYGlXHqRqkS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF374.tmp"
      4⤵
      Creates scheduled task(s)
      PID:1664
  - - C:\Users\Admin\AppData\Roaming\bin\bin.exe
      "{path}"
      4⤵
      Executes dropped EXE
      PID:1084
  - - C:\Users\Admin\AppData\Roaming\bin\bin.exe
      "{path}"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
17c542ca2fe1e21938e243cab4381208

SHA1
7fb8b75725c495f01df4564171136338b6832a34

SHA256
d159edbe65f701cec889dabcb136e61e1132e687f8627426f5aeae8d78ebbbbf

SHA512
54d7462c7918c17c99c2d94cf1e38a563a07bcdb5d7b3b384028055e496390bcaf33b2f29901ef8b8c83dc1054a46918d98e0408b31f4c0cf7e787a079c6c7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8363.tmp

Filesize
1KB

MD5
c1dfd344996674ad0890a38839ad1d04

SHA1
d9ba6c0498b29187bfc4a4805bbcf8cca67dc5a4

SHA256
8dc37a4136ae8b4d4d40404756058306bb8b088cccf89f08332d1cc21f65110c

SHA512
c5324cad709fc385f7908250d3e47f4bf0fbacfb45553ba64d702eebecfec3a966f89daa9dcbb65906d047f0658801cb91093fc225e6a0e8c9bfb67d589ba9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF374.tmp

Filesize
1KB

MD5
c1dfd344996674ad0890a38839ad1d04

SHA1
d9ba6c0498b29187bfc4a4805bbcf8cca67dc5a4

SHA256
8dc37a4136ae8b4d4d40404756058306bb8b088cccf89f08332d1cc21f65110c

SHA512
c5324cad709fc385f7908250d3e47f4bf0fbacfb45553ba64d702eebecfec3a966f89daa9dcbb65906d047f0658801cb91093fc225e6a0e8c9bfb67d589ba9b2

Download Submit
C:\Users\Admin\AppData\Roaming\bin\bin.exe

Filesize
1.0MB

MD5
5203b7b950622cd099fd40468a8ce9e8

SHA1
f1f40707fd40bc961cd684ebd5274b47fa7d82b7

SHA256
fa25a9987997b5bb2ee76905f6d6a3c5583b6751edd5e720640d712b2b094205

SHA512
5c9f2b03815989a0722b305c5b660a577089d4aca26376dd38ddadacd5a8803ddced39439a6154e398837f989321a87c20df91452e328733a4a1543a8bebc075

Download Submit
C:\Users\Admin\AppData\Roaming\bin\bin.exe

Filesize
1.0MB

MD5
5203b7b950622cd099fd40468a8ce9e8

SHA1
f1f40707fd40bc961cd684ebd5274b47fa7d82b7

SHA256
fa25a9987997b5bb2ee76905f6d6a3c5583b6751edd5e720640d712b2b094205

SHA512
5c9f2b03815989a0722b305c5b660a577089d4aca26376dd38ddadacd5a8803ddced39439a6154e398837f989321a87c20df91452e328733a4a1543a8bebc075

Download Submit
C:\Users\Admin\AppData\Roaming\bin\bin.exe

Filesize
1.0MB

MD5
5203b7b950622cd099fd40468a8ce9e8

SHA1
f1f40707fd40bc961cd684ebd5274b47fa7d82b7

SHA256
fa25a9987997b5bb2ee76905f6d6a3c5583b6751edd5e720640d712b2b094205

SHA512
5c9f2b03815989a0722b305c5b660a577089d4aca26376dd38ddadacd5a8803ddced39439a6154e398837f989321a87c20df91452e328733a4a1543a8bebc075

Download Submit
C:\Users\Admin\AppData\Roaming\bin\bin.exe

Filesize
1.0MB

MD5
5203b7b950622cd099fd40468a8ce9e8

SHA1
f1f40707fd40bc961cd684ebd5274b47fa7d82b7

SHA256
fa25a9987997b5bb2ee76905f6d6a3c5583b6751edd5e720640d712b2b094205

SHA512
5c9f2b03815989a0722b305c5b660a577089d4aca26376dd38ddadacd5a8803ddced39439a6154e398837f989321a87c20df91452e328733a4a1543a8bebc075

Download Submit
C:\Users\Admin\AppData\Roaming\bin\bin.exe

Filesize
1.0MB

MD5
5203b7b950622cd099fd40468a8ce9e8

SHA1
f1f40707fd40bc961cd684ebd5274b47fa7d82b7

SHA256
fa25a9987997b5bb2ee76905f6d6a3c5583b6751edd5e720640d712b2b094205

SHA512
5c9f2b03815989a0722b305c5b660a577089d4aca26376dd38ddadacd5a8803ddced39439a6154e398837f989321a87c20df91452e328733a4a1543a8bebc075

Download Submit
\Users\Admin\AppData\Roaming\bin\bin.exe

Filesize
1.0MB

MD5
5203b7b950622cd099fd40468a8ce9e8

SHA1
f1f40707fd40bc961cd684ebd5274b47fa7d82b7

SHA256
fa25a9987997b5bb2ee76905f6d6a3c5583b6751edd5e720640d712b2b094205

SHA512
5c9f2b03815989a0722b305c5b660a577089d4aca26376dd38ddadacd5a8803ddced39439a6154e398837f989321a87c20df91452e328733a4a1543a8bebc075

Download Submit
memory/1396-67-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1396-72-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1396-66-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1396-68-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1396-69-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1396-70-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1396-71-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1396-82-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1396-74-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1396-76-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1396-65-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1396-64-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1396-63-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1644-86-0x0000000004D20000-0x0000000004D60000-memory.dmp

Filesize
256KB

Download
memory/1644-85-0x0000000004D20000-0x0000000004D60000-memory.dmp

Filesize
256KB

Download
memory/1644-84-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/1740-109-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1740-108-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1740-135-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1740-134-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1740-98-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1740-127-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1740-102-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1740-103-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1740-105-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1740-106-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1740-107-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1740-126-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1740-120-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1740-111-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1740-117-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1740-119-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1764-54-0x00000000009B0000-0x0000000000AC0000-memory.dmp

Filesize
1.1MB

Download
memory/1764-55-0x0000000004830000-0x0000000004870000-memory.dmp

Filesize
256KB

Download
memory/1764-59-0x0000000005420000-0x00000000054BC000-memory.dmp

Filesize
624KB

Download
memory/1764-56-0x00000000002D0000-0x00000000002E4000-memory.dmp

Filesize
80KB

Download
memory/1764-57-0x0000000004830000-0x0000000004870000-memory.dmp

Filesize
256KB

Download
memory/1764-58-0x0000000005350000-0x0000000005422000-memory.dmp

Filesize
840KB

Download