remcos | 42e9454763fcdfe8994cb219ea2f38a71249be92f47bcf6047cfae997b0a46ca

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2023, 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe
Size

338KB
MD5

df0dfed7d9bb8ffc5ac307ef14dd86ed
SHA1

ecf99b4bae23c5a2da6866fe20ca86a1a3bec012
SHA256

087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0
SHA512

d903253529677775d8e58ed5405366ca5dbc04f781e99d5ba1d0ab38ff1c3e4296e4fa7b4042bd38b62eac6fb9c260d9b16e324294205d0cc4aceb6ec92d3228
SSDEEP

6144:cmOPKXTWo8aBPyT2PvEIOzalVa0vjntlcrjDpWgs/oiTrVYdHjKHnLXmfIEM:zSo8aBPk2nEhelRTtlc3D8gkoiL/

Score

10^/10

remcos logs persistence rat

Malware Config

Extracted

Family

remcos

Botnet

LOGS

23.19.87.242:1987

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
chromes.exe
copy_folder
chromes
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-QBX5A0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks QEMU agent file 2 TTPs 4 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	chromes.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	chromes.exe

Executes dropped EXE 1 IoCs

pid	Process
2152	chromes.exe

Loads dropped DLL 5 IoCs

pid	Process
3444	087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe
3444	087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe
2152	chromes.exe
2152	chromes.exe
4488	chromes.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\skrvenes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Indaandingers\\Frugtfarverne.exe"	087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-QBX5A0 = "\"C:\\ProgramData\\chromes\\chromes.exe\""	087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBX5A0 = "\"C:\\ProgramData\\chromes\\chromes.exe\""	087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\skrvenes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Indaandingers\\Frugtfarverne.exe"	chromes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-QBX5A0 = "\"C:\\ProgramData\\chromes\\chromes.exe\""	chromes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBX5A0 = "\"C:\\ProgramData\\chromes\\chromes.exe\""	chromes.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\basipterygium\checkmates\tapetsermestrenes\apologizer.Cos	087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe
File opened for modification	C:\Windows\SysWOW64\basipterygium\checkmates\tapetsermestrenes\apologizer.Cos	chromes.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
1548	087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe
4488	chromes.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3444	087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe
1548	087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe
2152	chromes.exe
4488	chromes.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3444 set thread context of 1548	3444	087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe	88
PID 2152 set thread context of 4488	2152	chromes.exe	91

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\zoometrical.bla	chromes.exe
File opened for modification	C:\Windows\resources\svrddanses.Bes203	087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe
File opened for modification	C:\Windows\resources\0409\zoometrical.bla	087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe
File opened for modification	C:\Windows\resources\svrddanses.Bes203	chromes.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3444	087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe
2152	chromes.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 1548	3444	087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe	88
PID 3444 wrote to memory of 1548	3444	087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe	88
PID 3444 wrote to memory of 1548	3444	087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe	88
PID 3444 wrote to memory of 1548	3444	087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe	88
PID 3444 wrote to memory of 1548	3444	087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe	88
PID 1548 wrote to memory of 2152	1548	087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe	90
PID 1548 wrote to memory of 2152	1548	087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe	90
PID 1548 wrote to memory of 2152	1548	087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe	90
PID 2152 wrote to memory of 4488	2152	chromes.exe	91
PID 2152 wrote to memory of 4488	2152	chromes.exe	91
PID 2152 wrote to memory of 4488	2152	chromes.exe	91
PID 2152 wrote to memory of 4488	2152	chromes.exe	91
PID 2152 wrote to memory of 4488	2152	chromes.exe	91

C:\Users\Admin\AppData\Local\Temp\087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe
"C:\Users\Admin\AppData\Local\Temp\087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Users\Admin\AppData\Local\Temp\087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe
  "C:\Users\Admin\AppData\Local\Temp\087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe"
  2⤵
  - Checks QEMU agent file
  - Adds Run key to start application
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\ProgramData\chromes\chromes.exe
    "C:\ProgramData\chromes\chromes.exe"
    3⤵
    - Checks QEMU agent file
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\ProgramData\chromes\chromes.exe
      "C:\ProgramData\chromes\chromes.exe"
      4⤵
      Checks QEMU agent file
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\chromes\chromes.exe

Filesize
338KB

MD5
df0dfed7d9bb8ffc5ac307ef14dd86ed

SHA1
ecf99b4bae23c5a2da6866fe20ca86a1a3bec012

SHA256
087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0

SHA512
d903253529677775d8e58ed5405366ca5dbc04f781e99d5ba1d0ab38ff1c3e4296e4fa7b4042bd38b62eac6fb9c260d9b16e324294205d0cc4aceb6ec92d3228

Download Submit
C:\ProgramData\chromes\chromes.exe

Filesize
338KB

MD5
df0dfed7d9bb8ffc5ac307ef14dd86ed

SHA1
ecf99b4bae23c5a2da6866fe20ca86a1a3bec012

SHA256
087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0

SHA512
d903253529677775d8e58ed5405366ca5dbc04f781e99d5ba1d0ab38ff1c3e4296e4fa7b4042bd38b62eac6fb9c260d9b16e324294205d0cc4aceb6ec92d3228

Download Submit
C:\ProgramData\chromes\chromes.exe

Filesize
338KB

MD5
df0dfed7d9bb8ffc5ac307ef14dd86ed

SHA1
ecf99b4bae23c5a2da6866fe20ca86a1a3bec012

SHA256
087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0

SHA512
d903253529677775d8e58ed5405366ca5dbc04f781e99d5ba1d0ab38ff1c3e4296e4fa7b4042bd38b62eac6fb9c260d9b16e324294205d0cc4aceb6ec92d3228

Download Submit
C:\ProgramData\chromes\chromes.exe

Filesize
338KB

MD5
df0dfed7d9bb8ffc5ac307ef14dd86ed

SHA1
ecf99b4bae23c5a2da6866fe20ca86a1a3bec012

SHA256
087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0

SHA512
d903253529677775d8e58ed5405366ca5dbc04f781e99d5ba1d0ab38ff1c3e4296e4fa7b4042bd38b62eac6fb9c260d9b16e324294205d0cc4aceb6ec92d3228

Download Submit
C:\Users\Admin\AppData\Local\Temp\Indaandingers\Frugtfarverne.exe

Filesize
338KB

MD5
9093053ece8864928d9857a096348413

SHA1
b5766029bff96e6ef585255122cc2aff40ba4a4e

SHA256
a23a851b31b7018e4822e18c46a302cd1c794c47df47a877a922074df5a904b2

SHA512
eae5412a749a1a6cf6cfbbe77e0e4ab6104f432339da6e0f552ffab029e743df78c9aebc755d90743b9d803cdcacf252aef073423c11d6a06b40ddd52705af52

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4794.tmp\System.dll

Filesize
11KB

MD5
9625d5b1754bc4ff29281d415d27a0fd

SHA1
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

SHA256
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

SHA512
dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4794.tmp\System.dll

Filesize
11KB

MD5
9625d5b1754bc4ff29281d415d27a0fd

SHA1
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

SHA256
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

SHA512
dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss7FA1.tmp\System.dll

Filesize
11KB

MD5
9625d5b1754bc4ff29281d415d27a0fd

SHA1
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

SHA256
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

SHA512
dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss7FA1.tmp\System.dll

Filesize
11KB

MD5
9625d5b1754bc4ff29281d415d27a0fd

SHA1
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

SHA256
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

SHA512
dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss7FA1.tmp\System.dll

Filesize
11KB

MD5
9625d5b1754bc4ff29281d415d27a0fd

SHA1
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

SHA256
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

SHA512
dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

Download Submit
C:\Users\Admin\AppData\Roaming\totaquina\praksisndringen\skuddag\Aqualungers\Rosinwood\Gages\Dother.Dri

Filesize
226KB

MD5
9f0f014db0749aca19fdf8bbe52d39ef

SHA1
1c226cea1ad77880045abbde9f846f6d84d1787f

SHA256
13c39ef6962a3c73ce40551366568d8b38c54dc6eb1b079647569c5ee6596c07

SHA512
dde9a209a3d0a7c99deaf5951754c8271194ec39bb38ad165b6cda5d3afe1d3a167adcc38c0c933ad9b98861f6a22eeabc09a3aff9e3951172690af3edc3c318

Download Submit
C:\Users\Admin\AppData\Roaming\totaquina\praksisndringen\skuddag\Premidnight\Cereals.Epi

Filesize
16KB

MD5
727641d4c4b10e37d73f3021ae9a2f15

SHA1
45f4d81ad8e55880d29274567e6c1a1a52c98e00

SHA256
3725e7823cee82fca73f82d29caf203d582e2ec7ffd5fe3f34b2d172368086ab

SHA512
ab206f5ab13f3f1f2ddb29b3c2d2df8908fc566c212c6c6228aeef371809728e65798e9da3a70e878336a53839348965572e566e0c3c4e725de2a9c75195c46e

Download Submit
memory/1548-150-0x0000000077CE1000-0x0000000077E01000-memory.dmp

Filesize
1.1MB

Download
memory/1548-153-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1548-152-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1548-149-0x0000000077D68000-0x0000000077D69000-memory.dmp

Filesize
4KB

Download
memory/1548-148-0x0000000077CE1000-0x0000000077E01000-memory.dmp

Filesize
1.1MB

Download
memory/1548-147-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1548-168-0x0000000001660000-0x000000000639D000-memory.dmp

Filesize
77.2MB

Download
memory/1548-179-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1548-157-0x0000000001660000-0x000000000639D000-memory.dmp

Filesize
77.2MB

Download
memory/2152-180-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/3444-145-0x0000000077CE1000-0x0000000077E01000-memory.dmp

Filesize
1.1MB

Download
memory/3444-146-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/4488-182-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4488-183-0x0000000077CE1000-0x0000000077E01000-memory.dmp

Filesize
1.1MB

Download
memory/4488-186-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4488-187-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4488-191-0x0000000001660000-0x000000000639D000-memory.dmp

Filesize
77.2MB

Download
memory/4488-193-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4488-194-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4488-195-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4488-196-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads