remcos | f197a58d2ac9ac937c5d417d0800d4804a80402395cdde0fe42dec0931674da4

General

Target

c88d4757ee5c295c3ff996dca43e737a.exe
Size

987KB
MD5

c88d4757ee5c295c3ff996dca43e737a
SHA1

dc307074db36fefeb99a5c1715b90a1382493d70
SHA256

f197a58d2ac9ac937c5d417d0800d4804a80402395cdde0fe42dec0931674da4
SHA512

a2901e2941f0fd5b72b46840852e2f056a006e665eb2f54dedd30c3a139e0f8d1f780d237626e9f3a2df2e95daf1e25f9430de4e9cc8a82e7d2aef92decfd5f6
SSDEEP

12288:x+h7rFnTibJ2tYdG7T+IAmvHfvT2Nxda5vWfco//3HS8meXaI1eIEJJZ3gSeYApt:S6byT+I/vXT2NMWfco//3y8m29MQCyt

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

212.193.30.230:3343

79.110.49.161:3343

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-CQL1U6
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c88d4757ee5c295c3ff996dca43e737a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ktwrl = "C:\\Users\\Admin\\AppData\\Roaming\\Ktwrl.exe"	c88d4757ee5c295c3ff996dca43e737a.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c88d4757ee5c295c3ff996dca43e737a.exe

description pid process target process

PID 2328 set thread context of 2684 2328 c88d4757ee5c295c3ff996dca43e737a.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1636 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c88d4757ee5c295c3ff996dca43e737a.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2328 c88d4757ee5c295c3ff996dca43e737a.exe
Token: SeDebugPrivilege 1636 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

2684 MSBuild.exe

description	pid	process	target process
PID 2328 set thread context of 2684	2328	c88d4757ee5c295c3ff996dca43e737a.exe	MSBuild.exe

pid	process
1636	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2328	c88d4757ee5c295c3ff996dca43e737a.exe
Token: SeDebugPrivilege	1636	powershell.exe

pid	process
2684	MSBuild.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

c88d4757ee5c295c3ff996dca43e737a.execmd.exe

description	pid	process	target process
PID 2328 wrote to memory of 2664	2328	c88d4757ee5c295c3ff996dca43e737a.exe	cmd.exe
PID 2328 wrote to memory of 2664	2328	c88d4757ee5c295c3ff996dca43e737a.exe	cmd.exe
PID 2328 wrote to memory of 2664	2328	c88d4757ee5c295c3ff996dca43e737a.exe	cmd.exe
PID 2328 wrote to memory of 2664	2328	c88d4757ee5c295c3ff996dca43e737a.exe	cmd.exe
PID 2664 wrote to memory of 1636	2664	cmd.exe	powershell.exe
PID 2664 wrote to memory of 1636	2664	cmd.exe	powershell.exe
PID 2664 wrote to memory of 1636	2664	cmd.exe	powershell.exe
PID 2664 wrote to memory of 1636	2664	cmd.exe	powershell.exe
PID 2328 wrote to memory of 2684	2328	c88d4757ee5c295c3ff996dca43e737a.exe	MSBuild.exe
PID 2328 wrote to memory of 2684	2328	c88d4757ee5c295c3ff996dca43e737a.exe	MSBuild.exe
PID 2328 wrote to memory of 2684	2328	c88d4757ee5c295c3ff996dca43e737a.exe	MSBuild.exe
PID 2328 wrote to memory of 2684	2328	c88d4757ee5c295c3ff996dca43e737a.exe	MSBuild.exe
PID 2328 wrote to memory of 2684	2328	c88d4757ee5c295c3ff996dca43e737a.exe	MSBuild.exe
PID 2328 wrote to memory of 2684	2328	c88d4757ee5c295c3ff996dca43e737a.exe	MSBuild.exe
PID 2328 wrote to memory of 2684	2328	c88d4757ee5c295c3ff996dca43e737a.exe	MSBuild.exe
PID 2328 wrote to memory of 2684	2328	c88d4757ee5c295c3ff996dca43e737a.exe	MSBuild.exe
PID 2328 wrote to memory of 2684	2328	c88d4757ee5c295c3ff996dca43e737a.exe	MSBuild.exe
PID 2328 wrote to memory of 2684	2328	c88d4757ee5c295c3ff996dca43e737a.exe	MSBuild.exe
PID 2328 wrote to memory of 2684	2328	c88d4757ee5c295c3ff996dca43e737a.exe	MSBuild.exe
PID 2328 wrote to memory of 2684	2328	c88d4757ee5c295c3ff996dca43e737a.exe	MSBuild.exe
PID 2328 wrote to memory of 2684	2328	c88d4757ee5c295c3ff996dca43e737a.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\c88d4757ee5c295c3ff996dca43e737a.exe
"C:\Users\Admin\AppData\Local\Temp\c88d4757ee5c295c3ff996dca43e737a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell set-mppreference -exclusionpath C:\
2⤵
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell set-mppreference -exclusionpath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:2684

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
2de98301142039828d6351a1cfcb5898

SHA1
c55da6fb63f2c8f90ebe4d6d4f68c22b79240c84

SHA256
0a82c72e8d6c5a7f7976089660b638d45f63abbba67b613e1e36eb05dae5e3b8

SHA512
701a4bf9058437742664496b04062c9591d9f0994bb128e74bc44a99fc4d85787e3760301d909bb65b93ade3bf204d21dbc9c1d0b365aed153ebb28abecacc12

Download Submit
memory/1636-1161-0x0000000073F80000-0x000000007452B000-memory.dmp

Filesize
5.7MB

Download
memory/1636-1162-0x0000000073F80000-0x000000007452B000-memory.dmp

Filesize
5.7MB

Download
memory/1636-1163-0x00000000024D0000-0x0000000002510000-memory.dmp

Filesize
256KB

Download
memory/1636-1164-0x00000000024D0000-0x0000000002510000-memory.dmp

Filesize
256KB

Download
memory/1636-1170-0x0000000073F80000-0x000000007452B000-memory.dmp

Filesize
5.7MB

Download
memory/2328-87-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-97-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-58-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-61-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-59-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-63-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-65-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-69-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-67-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-71-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-75-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-73-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-77-0x0000000073E40000-0x000000007452E000-memory.dmp

Filesize
6.9MB

Download
memory/2328-78-0x00000000048E0000-0x0000000004920000-memory.dmp

Filesize
256KB

Download
memory/2328-79-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-81-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-83-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-85-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-56-0x00000000048E0000-0x0000000004920000-memory.dmp

Filesize
256KB

Download
memory/2328-89-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-91-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-93-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-95-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-57-0x0000000005A90000-0x0000000005B84000-memory.dmp

Filesize
976KB

Download
memory/2328-99-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-101-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-103-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-107-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-105-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-109-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-111-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-119-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-117-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-121-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-115-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-113-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-123-0x0000000005A90000-0x0000000005B7E000-memory.dmp

Filesize
952KB

Download
memory/2328-55-0x0000000001090000-0x000000000118E000-memory.dmp

Filesize
1016KB

Download
memory/2328-1136-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2328-1137-0x0000000000D30000-0x0000000000DA0000-memory.dmp

Filesize
448KB

Download
memory/2328-1138-0x00000000009F0000-0x0000000000A3C000-memory.dmp

Filesize
304KB

Download
memory/2328-1158-0x0000000073E40000-0x000000007452E000-memory.dmp

Filesize
6.9MB

Download
memory/2328-54-0x0000000073E40000-0x000000007452E000-memory.dmp

Filesize
6.9MB

Download
memory/2684-1172-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2684-1153-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads