remcos | 7c9a232eaf99f7fbb83cb964272b889f0e5b27176c556394f317c6dce3745f9b

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17-08-2023 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER.rtf
Size

73KB
MD5

c01c96ba7765c7b8190bb76aab9d647f
SHA1

b142abe8075c13fe1476d095a2980f67ebd4d699
SHA256

7c9a232eaf99f7fbb83cb964272b889f0e5b27176c556394f317c6dce3745f9b
SHA512

282f8305acdf70a20a437d8fa67fd4674b9e2d62f81ff8cf9f55c1ff7e31028068b9b22a0a7b989881bfe6a328c4c3abcf11df3b699a0f2ae74ea1a718e3566a
SSDEEP

768:7wAbZSibMX9gRWjB4HWvfSKuzIaQ3eZ9cB:7wAlRC4HWvMr9w

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

96.44.132.182:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-9OIUSL
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2448	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2088	remcokmgf6.exe
2744	remcokmgf6.exe

Loads dropped DLL 1 IoCs

pid	Process
2448	EQNEDT32.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2088 set thread context of 2744	2088	remcokmgf6.exe	36

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2448	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2224	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2224	WINWORD.EXE
2224	WINWORD.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2088	2448	EQNEDT32.EXE	30
PID 2448 wrote to memory of 2088	2448	EQNEDT32.EXE	30
PID 2448 wrote to memory of 2088	2448	EQNEDT32.EXE	30
PID 2448 wrote to memory of 2088	2448	EQNEDT32.EXE	30
PID 2224 wrote to memory of 2864	2224	WINWORD.EXE	35
PID 2224 wrote to memory of 2864	2224	WINWORD.EXE	35
PID 2224 wrote to memory of 2864	2224	WINWORD.EXE	35
PID 2224 wrote to memory of 2864	2224	WINWORD.EXE	35
PID 2088 wrote to memory of 2744	2088	remcokmgf6.exe	36
PID 2088 wrote to memory of 2744	2088	remcokmgf6.exe	36
PID 2088 wrote to memory of 2744	2088	remcokmgf6.exe	36
PID 2088 wrote to memory of 2744	2088	remcokmgf6.exe	36
PID 2088 wrote to memory of 2744	2088	remcokmgf6.exe	36
PID 2088 wrote to memory of 2744	2088	remcokmgf6.exe	36
PID 2088 wrote to memory of 2744	2088	remcokmgf6.exe	36
PID 2088 wrote to memory of 2744	2088	remcokmgf6.exe	36
PID 2088 wrote to memory of 2744	2088	remcokmgf6.exe	36
PID 2088 wrote to memory of 2744	2088	remcokmgf6.exe	36
PID 2088 wrote to memory of 2744	2088	remcokmgf6.exe	36
PID 2088 wrote to memory of 2744	2088	remcokmgf6.exe	36
PID 2088 wrote to memory of 2744	2088	remcokmgf6.exe	36

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ORDER.rtf"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2864

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Roaming\remcokmgf6.exe
  "C:\Users\Admin\AppData\Roaming\remcokmgf6.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Roaming\remcokmgf6.exe
    "C:\Users\Admin\AppData\Roaming\remcokmgf6.exe"
    3⤵
    - Executes dropped EXE
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
2fd3c7d4abc2b16e78d2420fd9843529

SHA1
8e3183b04754431274f1404234878a5ac8f4e179

SHA256
0dc973d342c699d4d051de5340d63b4a37731e40b1500afef62f7dd945398e62

SHA512
c71706eeccb5ecde4db2aea37cd03594902a0d6b2a491b9381ca38e67decb7aff44201248d76677751064b3645580b306cc10b875ec060a5e7b2db7f7ed2aed7

Download Submit
C:\Users\Admin\AppData\Roaming\remcokmgf6.exe

Filesize
876KB

MD5
b4c525fae9a1e272738324e338524fd0

SHA1
d8b810bf7ea6dda658c548ccfff3652ac95d0157

SHA256
c7570dd7a18ccebbb0533040da2cedd7614212dd0c5401800db2bf420e4b16cf

SHA512
31d57948e0c26b742ae518fe7e0c169419ca79ec15eb911a8464f57b0b4f3bfc35d4c76de857a90f3e438bf0d176f5a9ac2aa8c383cf0c511c328402889f6396

Download Submit
C:\Users\Admin\AppData\Roaming\remcokmgf6.exe

Filesize
876KB

MD5
b4c525fae9a1e272738324e338524fd0

SHA1
d8b810bf7ea6dda658c548ccfff3652ac95d0157

SHA256
c7570dd7a18ccebbb0533040da2cedd7614212dd0c5401800db2bf420e4b16cf

SHA512
31d57948e0c26b742ae518fe7e0c169419ca79ec15eb911a8464f57b0b4f3bfc35d4c76de857a90f3e438bf0d176f5a9ac2aa8c383cf0c511c328402889f6396

Download Submit
C:\Users\Admin\AppData\Roaming\remcokmgf6.exe

Filesize
876KB

MD5
b4c525fae9a1e272738324e338524fd0

SHA1
d8b810bf7ea6dda658c548ccfff3652ac95d0157

SHA256
c7570dd7a18ccebbb0533040da2cedd7614212dd0c5401800db2bf420e4b16cf

SHA512
31d57948e0c26b742ae518fe7e0c169419ca79ec15eb911a8464f57b0b4f3bfc35d4c76de857a90f3e438bf0d176f5a9ac2aa8c383cf0c511c328402889f6396

Download Submit
C:\Users\Admin\AppData\Roaming\remcokmgf6.exe

Filesize
876KB

MD5
b4c525fae9a1e272738324e338524fd0

SHA1
d8b810bf7ea6dda658c548ccfff3652ac95d0157

SHA256
c7570dd7a18ccebbb0533040da2cedd7614212dd0c5401800db2bf420e4b16cf

SHA512
31d57948e0c26b742ae518fe7e0c169419ca79ec15eb911a8464f57b0b4f3bfc35d4c76de857a90f3e438bf0d176f5a9ac2aa8c383cf0c511c328402889f6396

Download Submit
\Users\Admin\AppData\Roaming\remcokmgf6.exe

Filesize
876KB

MD5
b4c525fae9a1e272738324e338524fd0

SHA1
d8b810bf7ea6dda658c548ccfff3652ac95d0157

SHA256
c7570dd7a18ccebbb0533040da2cedd7614212dd0c5401800db2bf420e4b16cf

SHA512
31d57948e0c26b742ae518fe7e0c169419ca79ec15eb911a8464f57b0b4f3bfc35d4c76de857a90f3e438bf0d176f5a9ac2aa8c383cf0c511c328402889f6396

Download Submit
memory/2088-81-0x00000000003B0000-0x00000000003BE000-memory.dmp

Filesize
56KB

Download
memory/2088-82-0x0000000008120000-0x00000000081D8000-memory.dmp

Filesize
736KB

Download
memory/2088-69-0x00000000008C0000-0x00000000009A2000-memory.dmp

Filesize
904KB

Download
memory/2088-102-0x000000006B5D0000-0x000000006BCBE000-memory.dmp

Filesize
6.9MB

Download
memory/2088-67-0x000000006B5D0000-0x000000006BCBE000-memory.dmp

Filesize
6.9MB

Download
memory/2088-72-0x0000000004D70000-0x0000000004DB0000-memory.dmp

Filesize
256KB

Download
memory/2088-77-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2088-78-0x000000006B5D0000-0x000000006BCBE000-memory.dmp

Filesize
6.9MB

Download
memory/2088-79-0x0000000004D70000-0x0000000004DB0000-memory.dmp

Filesize
256KB

Download
memory/2224-53-0x000000002F870000-0x000000002F9CD000-memory.dmp

Filesize
1.4MB

Download
memory/2224-71-0x000000007145D000-0x0000000071468000-memory.dmp

Filesize
44KB

Download
memory/2224-134-0x000000007145D000-0x0000000071468000-memory.dmp

Filesize
44KB

Download
memory/2224-133-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2224-55-0x000000007145D000-0x0000000071468000-memory.dmp

Filesize
44KB

Download
memory/2224-70-0x000000002F870000-0x000000002F9CD000-memory.dmp

Filesize
1.4MB

Download
memory/2224-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2744-90-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2744-108-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2744-94-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2744-96-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2744-98-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2744-88-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2744-86-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2744-101-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2744-104-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2744-103-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2744-105-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2744-106-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2744-107-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2744-92-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2744-111-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2744-113-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2744-114-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2744-115-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2744-85-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2744-84-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2744-83-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2744-135-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2744-136-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2744-137-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2744-138-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download