remcos | 5ac69c8e54fb08fdc85586c8abf0ba19ebd2fecfab9007c6a6434ae47c513ff8

General

Target

vremcoss.exe
Size

300.0MB
MD5

5e16a655613ab91693a8595b5c148a22
SHA1

6c7b4797b27de085abc25c6e87be4b40f7380022
SHA256

d89d2dc5477228526ab32eff6c588844118248ca2230e0f8248c2c1a072ad6c5
SHA512

0f5b16310d0fb6dfd350d764397a57a087e35f1e0bf59ec3b477de78941e836971c9a9734f980a804bc7d0cc3964246b2cb4b459e459458102a081478af65ea2
SSDEEP

12288:79k4AvS+CkGwjOl/cP4Ul535VJDXTksuvNiqPbXpr0zXed9:8S+yx/cP4WDVJfkt8qF0rU

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

homoney177.duckdns.org:4056

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-QMN5BU
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

vremcoss.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation vremcoss.exe
Executes dropped EXE 1 IoCs

Processes:

vremcoss.exe

pid process

1228 vremcoss.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

vremcoss.exe

description pid process target process

PID 4560 set thread context of 568 4560 vremcoss.exe vremcoss.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

772 schtasks.exe
Modifies registry class 1 IoCs

Processes:

vremcoss.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings vremcoss.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vremcoss.exe

pid process

568 vremcoss.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vremcoss.exe

pid process

568 vremcoss.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	vremcoss.exe

pid	process
1228	vremcoss.exe

description	pid	process	target process
PID 4560 set thread context of 568	4560	vremcoss.exe	vremcoss.exe

pid	process
772	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	vremcoss.exe

pid	process
568	vremcoss.exe

pid	process
568	vremcoss.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

vremcoss.execmd.exe

description	pid	process	target process
PID 4560 wrote to memory of 568	4560	vremcoss.exe	vremcoss.exe
PID 4560 wrote to memory of 568	4560	vremcoss.exe	vremcoss.exe
PID 4560 wrote to memory of 568	4560	vremcoss.exe	vremcoss.exe
PID 4560 wrote to memory of 568	4560	vremcoss.exe	vremcoss.exe
PID 4560 wrote to memory of 568	4560	vremcoss.exe	vremcoss.exe
PID 4560 wrote to memory of 568	4560	vremcoss.exe	vremcoss.exe
PID 4560 wrote to memory of 568	4560	vremcoss.exe	vremcoss.exe
PID 4560 wrote to memory of 568	4560	vremcoss.exe	vremcoss.exe
PID 4560 wrote to memory of 568	4560	vremcoss.exe	vremcoss.exe
PID 4560 wrote to memory of 568	4560	vremcoss.exe	vremcoss.exe
PID 4560 wrote to memory of 568	4560	vremcoss.exe	vremcoss.exe
PID 4560 wrote to memory of 568	4560	vremcoss.exe	vremcoss.exe
PID 4560 wrote to memory of 1040	4560	vremcoss.exe	WScript.exe
PID 4560 wrote to memory of 1040	4560	vremcoss.exe	WScript.exe
PID 4560 wrote to memory of 1040	4560	vremcoss.exe	WScript.exe
PID 4560 wrote to memory of 3800	4560	vremcoss.exe	cmd.exe
PID 4560 wrote to memory of 3800	4560	vremcoss.exe	cmd.exe
PID 4560 wrote to memory of 3800	4560	vremcoss.exe	cmd.exe
PID 4560 wrote to memory of 4596	4560	vremcoss.exe	cmd.exe
PID 4560 wrote to memory of 4596	4560	vremcoss.exe	cmd.exe
PID 4560 wrote to memory of 4596	4560	vremcoss.exe	cmd.exe
PID 4596 wrote to memory of 772	4596	cmd.exe	schtasks.exe
PID 4596 wrote to memory of 772	4596	cmd.exe	schtasks.exe
PID 4596 wrote to memory of 772	4596	cmd.exe	schtasks.exe
PID 4560 wrote to memory of 2184	4560	vremcoss.exe	cmd.exe
PID 4560 wrote to memory of 2184	4560	vremcoss.exe	cmd.exe
PID 4560 wrote to memory of 2184	4560	vremcoss.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\vremcoss.exe
"C:\Users\Admin\AppData\Local\Temp\vremcoss.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4560

C:\Users\Admin\AppData\Local\Temp\vremcoss.exe
"C:\Users\Admin\AppData\Local\Temp\vremcoss.exe"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:568

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Prevent windows from sleeping.vbs"
2⤵
PID:1040

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\Temp\vremcoss"
2⤵
PID:3800

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\vremcoss\vremcoss.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\vremcoss\vremcoss.exe'" /f
3⤵
- Creates scheduled task(s)
PID:772

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\vremcoss.exe" "C:\Users\Admin\AppData\Local\Temp\vremcoss\vremcoss.exe"
2⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\vremcoss\vremcoss.exe
C:\Users\Admin\AppData\Local\Temp\vremcoss\vremcoss.exe
1⤵
- Executes dropped EXE
PID:1228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
230B

MD5
35377c8481617934ad01880474694f82

SHA1
58fc80d8c7b14e12c95ee4a237e8ab747ca03cbf

SHA256
890d3e672590de636233bdcac8ace0407d98be3476d19272276b20b9e21b016b

SHA512
3a400170aea522930aeedfc63da7a8ea966d79fb666935d05fa9a52391db730bd7a38b6b9fc3301e5517710651b02a087c5dd0fc5ce635374062e0beeee11a59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vremcoss.exe.log
Filesize
520B

MD5
03febbff58da1d3318c31657d89c8542

SHA1
c9e017bd9d0a4fe533795b227c855935d86c2092

SHA256
5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4

SHA512
3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prevent windows from sleeping.vbs
Filesize
160B

MD5
0a87f08886c2733d3d1419625ca7fd99

SHA1
b2c685a3fc1d186aa33966d910fa87b03c3701b8

SHA256
819b8f8e621d1718129114a44c02da58599b0fbaa9ad6a7db5610706ff89d768

SHA512
5eb8dad4aa4c3079e51fec09c2bea84a8505263e54dba5e4ccbc21b5d51c31d28b81473bfd8003822011dba7d47982c06049eed8438a562fe851f05b75a445db

Download Submit
C:\Users\Admin\AppData\Local\Temp\vremcoss\vremcoss.exe
Filesize
300.0MB

MD5
5e16a655613ab91693a8595b5c148a22

SHA1
6c7b4797b27de085abc25c6e87be4b40f7380022

SHA256
d89d2dc5477228526ab32eff6c588844118248ca2230e0f8248c2c1a072ad6c5

SHA512
0f5b16310d0fb6dfd350d764397a57a087e35f1e0bf59ec3b477de78941e836971c9a9734f980a804bc7d0cc3964246b2cb4b459e459458102a081478af65ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vremcoss\vremcoss.exe
Filesize
300.0MB

MD5
5e16a655613ab91693a8595b5c148a22

SHA1
6c7b4797b27de085abc25c6e87be4b40f7380022

SHA256
d89d2dc5477228526ab32eff6c588844118248ca2230e0f8248c2c1a072ad6c5

SHA512
0f5b16310d0fb6dfd350d764397a57a087e35f1e0bf59ec3b477de78941e836971c9a9734f980a804bc7d0cc3964246b2cb4b459e459458102a081478af65ea2

Download Submit
memory/568-137-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/568-162-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/568-139-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/568-143-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/568-144-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/568-145-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/568-148-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/568-149-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/568-150-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/568-174-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/568-141-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/568-140-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/568-182-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/568-181-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/568-161-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/568-160-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/568-175-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1228-169-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/1228-172-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/4560-133-0x00000000008A0000-0x000000000093A000-memory.dmp

Filesize
616KB

Download
memory/4560-134-0x0000000005850000-0x0000000005DF4000-memory.dmp

Filesize
5.6MB

Download
memory/4560-135-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/4560-136-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads