remcos | d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486

Analysis

max time kernel
150s
max time network
154s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
30/05/2023, 07:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe
Size

1.6MB
MD5

993d95f1880cbd2145649f02734b2a94
SHA1

fb7b09cf220a19c469b829cb9e856846c924d798
SHA256

d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486
SHA512

22efe749f49a32f74a0d549c7f5545fd30d4ef93f008eebd30fe87ae52aefe6cd4caf850d0943fa666274d42281be62cd1574ae0f1b5b7e41fc9a54599a1838f
SSDEEP

24576:VJWtmlFiP20Rcc3A0BbqzYRTTTAQvLn8AsVZZhLVEwLwNZ/62cZgbLjVxw:zWMlAP2SpA0BbqStvoAq59w3D

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

pekonomia.duckdns.org:30861

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-B0VP4N
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2468 set thread context of 4608	2468	d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe	68

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3164	powershell.exe
3164	powershell.exe
3164	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3164	powershell.exe
Token: SeDebugPrivilege	2468	d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 3164	2468	d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe	66
PID 2468 wrote to memory of 3164	2468	d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe	66
PID 2468 wrote to memory of 3164	2468	d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe	66
PID 2468 wrote to memory of 4608	2468	d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe	68
PID 2468 wrote to memory of 4608	2468	d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe	68
PID 2468 wrote to memory of 4608	2468	d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe	68
PID 2468 wrote to memory of 4608	2468	d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe	68
PID 2468 wrote to memory of 4608	2468	d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe	68
PID 2468 wrote to memory of 4608	2468	d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe	68
PID 2468 wrote to memory of 4608	2468	d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe	68
PID 2468 wrote to memory of 4608	2468	d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe	68
PID 2468 wrote to memory of 4608	2468	d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe	68
PID 2468 wrote to memory of 4608	2468	d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe	68
PID 2468 wrote to memory of 4608	2468	d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe	68
PID 2468 wrote to memory of 4608	2468	d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe	68

C:\Users\Admin\AppData\Local\Temp\d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe
"C:\Users\Admin\AppData\Local\Temp\d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3164
- C:\Users\Admin\AppData\Local\Temp\d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe
  C:\Users\Admin\AppData\Local\Temp\d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe
  2⤵
  PID:4608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r3tehrk1.uw3.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/2468-121-0x00000000007B0000-0x000000000094E000-memory.dmp

Filesize
1.6MB

Download
memory/2468-122-0x00000000057A0000-0x0000000005C9E000-memory.dmp

Filesize
5.0MB

Download
memory/2468-123-0x0000000005190000-0x0000000005222000-memory.dmp

Filesize
584KB

Download
memory/2468-124-0x0000000005150000-0x000000000515A000-memory.dmp

Filesize
40KB

Download
memory/2468-125-0x0000000005390000-0x00000000053A0000-memory.dmp

Filesize
64KB

Download
memory/2468-126-0x0000000006800000-0x000000000692C000-memory.dmp

Filesize
1.2MB

Download
memory/2468-127-0x0000000006A40000-0x0000000006A88000-memory.dmp

Filesize
288KB

Download
memory/2468-128-0x0000000006AC0000-0x0000000006B52000-memory.dmp

Filesize
584KB

Download
memory/2468-129-0x0000000006B90000-0x0000000006BB2000-memory.dmp

Filesize
136KB

Download
memory/2468-130-0x0000000006BC0000-0x0000000006F10000-memory.dmp

Filesize
3.3MB

Download
memory/2468-158-0x0000000005390000-0x00000000053A0000-memory.dmp

Filesize
64KB

Download
memory/3164-135-0x0000000007610000-0x0000000007620000-memory.dmp

Filesize
64KB

Download
memory/3164-136-0x0000000007610000-0x0000000007620000-memory.dmp

Filesize
64KB

Download
memory/3164-137-0x0000000007A30000-0x0000000007A96000-memory.dmp

Filesize
408KB

Download
memory/3164-138-0x0000000008280000-0x00000000082E6000-memory.dmp

Filesize
408KB

Download
memory/3164-139-0x0000000008740000-0x000000000875C000-memory.dmp

Filesize
112KB

Download
memory/3164-140-0x0000000008850000-0x000000000889B000-memory.dmp

Filesize
300KB

Download
memory/3164-141-0x0000000008AA0000-0x0000000008B16000-memory.dmp

Filesize
472KB

Download
memory/3164-134-0x0000000007C50000-0x0000000008278000-memory.dmp

Filesize
6.2MB

Download
memory/3164-156-0x000000000A120000-0x000000000A798000-memory.dmp

Filesize
6.5MB

Download
memory/3164-157-0x0000000009860000-0x000000000987A000-memory.dmp

Filesize
104KB

Download
memory/3164-133-0x0000000003780000-0x00000000037B6000-memory.dmp

Filesize
216KB

Download
memory/3164-159-0x0000000007610000-0x0000000007620000-memory.dmp

Filesize
64KB

Download
memory/3164-160-0x0000000007610000-0x0000000007620000-memory.dmp

Filesize
64KB

Download
memory/4608-185-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-197-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-168-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-169-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-170-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-171-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-172-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-173-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-174-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-175-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-176-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-177-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-178-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-179-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-180-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-181-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-182-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-183-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-184-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-165-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-186-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-187-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-188-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-189-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-190-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-191-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-192-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-193-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-194-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-195-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-196-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-167-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-198-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-199-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-200-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-201-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-202-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-203-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-204-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-205-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-206-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-207-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-208-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-209-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-210-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-211-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-212-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-213-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-214-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-215-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-216-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-217-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-218-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-219-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-220-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-221-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-222-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-223-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-224-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-225-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-226-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-227-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-228-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-229-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download