remcos | 3921eabe17bb383d7950d4ac7ce0a7645820aa34e4ff88cb66a98d1027766982

Analysis

max time kernel
154s
max time network
159s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11/06/2023, 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vremcoss.exe
Size

300.0MB
MD5

5e16a655613ab91693a8595b5c148a22
SHA1

6c7b4797b27de085abc25c6e87be4b40f7380022
SHA256

d89d2dc5477228526ab32eff6c588844118248ca2230e0f8248c2c1a072ad6c5
SHA512

0f5b16310d0fb6dfd350d764397a57a087e35f1e0bf59ec3b477de78941e836971c9a9734f980a804bc7d0cc3964246b2cb4b459e459458102a081478af65ea2
SSDEEP

12288:79k4AvS+CkGwjOl/cP4Ul535VJDXTksuvNiqPbXpr0zXed9:8S+yx/cP4WDVJfkt8qF0rU

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

homoney177.duckdns.org:4056

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-QMN5BU
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
532	vremcoss.exe
2004	vremcoss.exe

Loads dropped DLL 1 IoCs

pid	Process
532	vremcoss.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 844 set thread context of 1300	844	vremcoss.exe	28
PID 532 set thread context of 2004	532	vremcoss.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
884	schtasks.exe
1108	schtasks.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1300	vremcoss.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 1300	844	vremcoss.exe	28
PID 844 wrote to memory of 1300	844	vremcoss.exe	28
PID 844 wrote to memory of 1300	844	vremcoss.exe	28
PID 844 wrote to memory of 1300	844	vremcoss.exe	28
PID 844 wrote to memory of 1300	844	vremcoss.exe	28
PID 844 wrote to memory of 1300	844	vremcoss.exe	28
PID 844 wrote to memory of 1300	844	vremcoss.exe	28
PID 844 wrote to memory of 1300	844	vremcoss.exe	28
PID 844 wrote to memory of 1300	844	vremcoss.exe	28
PID 844 wrote to memory of 1300	844	vremcoss.exe	28
PID 844 wrote to memory of 1300	844	vremcoss.exe	28
PID 844 wrote to memory of 1300	844	vremcoss.exe	28
PID 844 wrote to memory of 1300	844	vremcoss.exe	28
PID 844 wrote to memory of 1628	844	vremcoss.exe	29
PID 844 wrote to memory of 1628	844	vremcoss.exe	29
PID 844 wrote to memory of 1628	844	vremcoss.exe	29
PID 844 wrote to memory of 1628	844	vremcoss.exe	29
PID 844 wrote to memory of 1756	844	vremcoss.exe	30
PID 844 wrote to memory of 1756	844	vremcoss.exe	30
PID 844 wrote to memory of 1756	844	vremcoss.exe	30
PID 844 wrote to memory of 1756	844	vremcoss.exe	30
PID 844 wrote to memory of 996	844	vremcoss.exe	32
PID 844 wrote to memory of 996	844	vremcoss.exe	32
PID 844 wrote to memory of 996	844	vremcoss.exe	32
PID 844 wrote to memory of 996	844	vremcoss.exe	32
PID 996 wrote to memory of 884	996	cmd.exe	34
PID 996 wrote to memory of 884	996	cmd.exe	34
PID 996 wrote to memory of 884	996	cmd.exe	34
PID 996 wrote to memory of 884	996	cmd.exe	34
PID 844 wrote to memory of 1752	844	vremcoss.exe	35
PID 844 wrote to memory of 1752	844	vremcoss.exe	35
PID 844 wrote to memory of 1752	844	vremcoss.exe	35
PID 844 wrote to memory of 1752	844	vremcoss.exe	35
PID 1952 wrote to memory of 532	1952	taskeng.exe	38
PID 1952 wrote to memory of 532	1952	taskeng.exe	38
PID 1952 wrote to memory of 532	1952	taskeng.exe	38
PID 1952 wrote to memory of 532	1952	taskeng.exe	38
PID 532 wrote to memory of 2004	532	vremcoss.exe	39
PID 532 wrote to memory of 2004	532	vremcoss.exe	39
PID 532 wrote to memory of 2004	532	vremcoss.exe	39
PID 532 wrote to memory of 2004	532	vremcoss.exe	39
PID 532 wrote to memory of 2004	532	vremcoss.exe	39
PID 532 wrote to memory of 2004	532	vremcoss.exe	39
PID 532 wrote to memory of 2004	532	vremcoss.exe	39
PID 532 wrote to memory of 2004	532	vremcoss.exe	39
PID 532 wrote to memory of 2004	532	vremcoss.exe	39
PID 532 wrote to memory of 2004	532	vremcoss.exe	39
PID 532 wrote to memory of 2004	532	vremcoss.exe	39
PID 532 wrote to memory of 2004	532	vremcoss.exe	39
PID 532 wrote to memory of 2004	532	vremcoss.exe	39
PID 532 wrote to memory of 1328	532	vremcoss.exe	41
PID 532 wrote to memory of 1328	532	vremcoss.exe	41
PID 532 wrote to memory of 1328	532	vremcoss.exe	41
PID 532 wrote to memory of 1328	532	vremcoss.exe	41
PID 532 wrote to memory of 2008	532	vremcoss.exe	42
PID 532 wrote to memory of 2008	532	vremcoss.exe	42
PID 532 wrote to memory of 2008	532	vremcoss.exe	42
PID 532 wrote to memory of 2008	532	vremcoss.exe	42
PID 2008 wrote to memory of 1108	2008	cmd.exe	44
PID 2008 wrote to memory of 1108	2008	cmd.exe	44
PID 2008 wrote to memory of 1108	2008	cmd.exe	44
PID 2008 wrote to memory of 1108	2008	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\vremcoss.exe
"C:\Users\Admin\AppData\Local\Temp\vremcoss.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:844
- C:\Users\Admin\AppData\Local\Temp\vremcoss.exe
  "C:\Users\Admin\AppData\Local\Temp\vremcoss.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1300
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Prevent windows from sleeping.vbs"
  2⤵
  PID:1628
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\Temp\vremcoss"
  2⤵
  PID:1756
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\vremcoss\vremcoss.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\vremcoss\vremcoss.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:884
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\vremcoss.exe" "C:\Users\Admin\AppData\Local\Temp\vremcoss\vremcoss.exe"
  2⤵
  PID:1752

C:\Windows\system32\taskeng.exe
taskeng.exe {17E64192-6F12-4078-9D2C-0758571A51F1} S-1-5-21-2961826002-3968192592-354541192-1000:HVMHZIYD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Local\Temp\vremcoss\vremcoss.exe
  C:\Users\Admin\AppData\Local\Temp\vremcoss\vremcoss.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Users\Admin\AppData\Local\Temp\vremcoss\vremcoss.exe
    "C:\Users\Admin\AppData\Local\Temp\vremcoss\vremcoss.exe"
    3⤵
    - Executes dropped EXE
    PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\Temp\vremcoss"
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\vremcoss\vremcoss.exe'" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\vremcoss\vremcoss.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:1108
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\vremcoss\vremcoss.exe" "C:\Users\Admin\AppData\Local\Temp\vremcoss\vremcoss.exe"
    3⤵
    PID:524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
fed0f30a2cc775826999b25ac3c853a1

SHA1
c3ca4c741f92cad63c9237987a88a6155615457b

SHA256
e18374a5d4bc8ae1d9c333e11afe989fa369bb88803ae8471347c38dd3c37110

SHA512
5ea349b7abd4138a31e0b399ebd4c1dbe811dd0bed515145434eb0e4ab126dd009c0afece3547fe155f8eaf64e84e359c9e1f854ae46d2fb1a346fde7277827d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prevent windows from sleeping.vbs

Filesize
160B

MD5
0a87f08886c2733d3d1419625ca7fd99

SHA1
b2c685a3fc1d186aa33966d910fa87b03c3701b8

SHA256
819b8f8e621d1718129114a44c02da58599b0fbaa9ad6a7db5610706ff89d768

SHA512
5eb8dad4aa4c3079e51fec09c2bea84a8505263e54dba5e4ccbc21b5d51c31d28b81473bfd8003822011dba7d47982c06049eed8438a562fe851f05b75a445db

Download Submit
C:\Users\Admin\AppData\Local\Temp\vremcoss\vremcoss.exe

Filesize
138.6MB

MD5
4f779815cd1ec12674152d7e339d36c8

SHA1
eb249dcbc6231a5e9a041ed4c532bd00481fd0a7

SHA256
7cd6013231e6bedeac19e8cc1029ca44050bc5222f63cac55a7018b6017e9a46

SHA512
d3fd75a88454abb25abad2fd0f0713d151adae764846ab2ab1be263f69c4d97c793eb31aeed09f54b6f79ff6dab1608e47dcf82729b8feadbd7e67c81ebeea52

Download Submit
C:\Users\Admin\AppData\Local\Temp\vremcoss\vremcoss.exe

Filesize
300.0MB

MD5
5e16a655613ab91693a8595b5c148a22

SHA1
6c7b4797b27de085abc25c6e87be4b40f7380022

SHA256
d89d2dc5477228526ab32eff6c588844118248ca2230e0f8248c2c1a072ad6c5

SHA512
0f5b16310d0fb6dfd350d764397a57a087e35f1e0bf59ec3b477de78941e836971c9a9734f980a804bc7d0cc3964246b2cb4b459e459458102a081478af65ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vremcoss\vremcoss.exe

Filesize
300.0MB

MD5
5e16a655613ab91693a8595b5c148a22

SHA1
6c7b4797b27de085abc25c6e87be4b40f7380022

SHA256
d89d2dc5477228526ab32eff6c588844118248ca2230e0f8248c2c1a072ad6c5

SHA512
0f5b16310d0fb6dfd350d764397a57a087e35f1e0bf59ec3b477de78941e836971c9a9734f980a804bc7d0cc3964246b2cb4b459e459458102a081478af65ea2

Download Submit
\Users\Admin\AppData\Local\Temp\vremcoss\vremcoss.exe

Filesize
139.1MB

MD5
0f269548c09c923b6a9b2a6925d0dcb3

SHA1
11bb8b332228160e571edcdefec5b22686adfa5a

SHA256
5a76cafc7e0a9868f4e7882094459e66a9b6b3d4714aa57380b2ae010292ceea

SHA512
03a66863508175a0283077e29b2282185ed95a8ae2a3c439251fa085a30fd9792ac6acaec78d3c535813d7d9fa178ab9a43370e00c2052063db81516482f3ebd

Download Submit
memory/532-85-0x00000000009E0000-0x0000000000A7A000-memory.dmp

Filesize
616KB

Download
memory/532-92-0x0000000002500000-0x0000000002540000-memory.dmp

Filesize
256KB

Download
memory/532-86-0x0000000002500000-0x0000000002540000-memory.dmp

Filesize
256KB

Download
memory/844-54-0x0000000000CC0000-0x0000000000D5A000-memory.dmp

Filesize
616KB

Download
memory/844-57-0x0000000004270000-0x00000000042EE000-memory.dmp

Filesize
504KB

Download
memory/844-56-0x00000000004B0000-0x00000000004F0000-memory.dmp

Filesize
256KB

Download
memory/844-55-0x00000000004B0000-0x00000000004F0000-memory.dmp

Filesize
256KB

Download
memory/1300-77-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1300-90-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1300-71-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1300-73-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1300-74-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1300-67-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1300-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1300-79-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1300-65-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1300-64-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1300-63-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1300-62-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1300-88-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1300-70-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1300-93-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1300-61-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1300-60-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1300-98-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1300-99-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1300-59-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1300-58-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1300-121-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1300-120-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-118-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-113-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads