remcos | ba82a2d12cfee47fcfab1e288a80e1792e6a8e8260e7582b007221918aba0310

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
21/08/2023, 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER 0749.exe
Size

981KB
MD5

03822cedfe4d336fb7b8bab0e101ae7f
SHA1

4cc85c0e8330dc7d04b1883d0eac35ddd5caf45e
SHA256

ba82a2d12cfee47fcfab1e288a80e1792e6a8e8260e7582b007221918aba0310
SHA512

cb0f8918e21e1c3e7748647ccfd088f96bfed02e5e84e8e98c0b0716d3abe69e8a9fb33562845818c8164e25f61d3f6a852c53e0404c55d5e01ba50072c04079
SSDEEP

24576:j1g++PA0agXAK0QyU7QWRWrfAWC0Jjm8T5:jU40JT0QnsdC09m8F

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

212.193.30.230:3330

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-9YQE6U
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 3 IoCs

pid	Process
268	remcos.exe
2772	remcos.exe
3012	remcos.exe

Loads dropped DLL 1 IoCs

pid	Process
2816	ORDER 0749.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-9YQE6U = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	ORDER 0749.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-9YQE6U = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2256 set thread context of 2816	2256	ORDER 0749.exe	34
PID 268 set thread context of 3012	268	remcos.exe	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1872	schtasks.exe
2920	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2256	ORDER 0749.exe
2256	ORDER 0749.exe
2968	powershell.exe
268	remcos.exe
268	remcos.exe
268	remcos.exe
2584	powershell.exe
268	remcos.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	ORDER 0749.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	268	remcos.exe
Token: SeDebugPrivilege	2584	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3012	remcos.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2968	2256	ORDER 0749.exe	30
PID 2256 wrote to memory of 2968	2256	ORDER 0749.exe	30
PID 2256 wrote to memory of 2968	2256	ORDER 0749.exe	30
PID 2256 wrote to memory of 2968	2256	ORDER 0749.exe	30
PID 2256 wrote to memory of 2920	2256	ORDER 0749.exe	32
PID 2256 wrote to memory of 2920	2256	ORDER 0749.exe	32
PID 2256 wrote to memory of 2920	2256	ORDER 0749.exe	32
PID 2256 wrote to memory of 2920	2256	ORDER 0749.exe	32
PID 2256 wrote to memory of 2816	2256	ORDER 0749.exe	34
PID 2256 wrote to memory of 2816	2256	ORDER 0749.exe	34
PID 2256 wrote to memory of 2816	2256	ORDER 0749.exe	34
PID 2256 wrote to memory of 2816	2256	ORDER 0749.exe	34
PID 2256 wrote to memory of 2816	2256	ORDER 0749.exe	34
PID 2256 wrote to memory of 2816	2256	ORDER 0749.exe	34
PID 2256 wrote to memory of 2816	2256	ORDER 0749.exe	34
PID 2256 wrote to memory of 2816	2256	ORDER 0749.exe	34
PID 2256 wrote to memory of 2816	2256	ORDER 0749.exe	34
PID 2256 wrote to memory of 2816	2256	ORDER 0749.exe	34
PID 2256 wrote to memory of 2816	2256	ORDER 0749.exe	34
PID 2256 wrote to memory of 2816	2256	ORDER 0749.exe	34
PID 2256 wrote to memory of 2816	2256	ORDER 0749.exe	34
PID 2816 wrote to memory of 268	2816	ORDER 0749.exe	35
PID 2816 wrote to memory of 268	2816	ORDER 0749.exe	35
PID 2816 wrote to memory of 268	2816	ORDER 0749.exe	35
PID 2816 wrote to memory of 268	2816	ORDER 0749.exe	35
PID 268 wrote to memory of 2584	268	remcos.exe	36
PID 268 wrote to memory of 2584	268	remcos.exe	36
PID 268 wrote to memory of 2584	268	remcos.exe	36
PID 268 wrote to memory of 2584	268	remcos.exe	36
PID 268 wrote to memory of 1872	268	remcos.exe	37
PID 268 wrote to memory of 1872	268	remcos.exe	37
PID 268 wrote to memory of 1872	268	remcos.exe	37
PID 268 wrote to memory of 1872	268	remcos.exe	37
PID 268 wrote to memory of 2772	268	remcos.exe	40
PID 268 wrote to memory of 2772	268	remcos.exe	40
PID 268 wrote to memory of 2772	268	remcos.exe	40
PID 268 wrote to memory of 2772	268	remcos.exe	40
PID 268 wrote to memory of 3012	268	remcos.exe	41
PID 268 wrote to memory of 3012	268	remcos.exe	41
PID 268 wrote to memory of 3012	268	remcos.exe	41
PID 268 wrote to memory of 3012	268	remcos.exe	41
PID 268 wrote to memory of 3012	268	remcos.exe	41
PID 268 wrote to memory of 3012	268	remcos.exe	41
PID 268 wrote to memory of 3012	268	remcos.exe	41
PID 268 wrote to memory of 3012	268	remcos.exe	41
PID 268 wrote to memory of 3012	268	remcos.exe	41
PID 268 wrote to memory of 3012	268	remcos.exe	41
PID 268 wrote to memory of 3012	268	remcos.exe	41
PID 268 wrote to memory of 3012	268	remcos.exe	41
PID 268 wrote to memory of 3012	268	remcos.exe	41

C:\Users\Admin\AppData\Local\Temp\ORDER 0749.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER 0749.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GHhUHN.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GHhUHN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp944.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2920
- C:\Users\Admin\AppData\Local\Temp\ORDER 0749.exe
  "C:\Users\Admin\AppData\Local\Temp\ORDER 0749.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:268
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GHhUHN.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2584
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GHhUHN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp957C.tmp"
      4⤵
      Creates scheduled task(s)
      PID:1872
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Executes dropped EXE
      PID:2772
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\logs.dat

Filesize
144B

MD5
09f0297fc5d7a0e5f26186f1f21f05d7

SHA1
a37429b9977ac853ac114c2d66cdcf619ec236ad

SHA256
ed854c14b25df42ead45ee485151dd7ff1f4a08806819ff3067ce1a0fb9b14a1

SHA512
09fd78392875870bde0eb82a66ccb32fcee9915018800c50c22c4c7f44acea95590742417638363cb5a1fc553bbf050d1f6cb40ecfacb684443bf25f05ed04fb

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
981KB

MD5
03822cedfe4d336fb7b8bab0e101ae7f

SHA1
4cc85c0e8330dc7d04b1883d0eac35ddd5caf45e

SHA256
ba82a2d12cfee47fcfab1e288a80e1792e6a8e8260e7582b007221918aba0310

SHA512
cb0f8918e21e1c3e7748647ccfd088f96bfed02e5e84e8e98c0b0716d3abe69e8a9fb33562845818c8164e25f61d3f6a852c53e0404c55d5e01ba50072c04079

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
981KB

MD5
03822cedfe4d336fb7b8bab0e101ae7f

SHA1
4cc85c0e8330dc7d04b1883d0eac35ddd5caf45e

SHA256
ba82a2d12cfee47fcfab1e288a80e1792e6a8e8260e7582b007221918aba0310

SHA512
cb0f8918e21e1c3e7748647ccfd088f96bfed02e5e84e8e98c0b0716d3abe69e8a9fb33562845818c8164e25f61d3f6a852c53e0404c55d5e01ba50072c04079

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
981KB

MD5
03822cedfe4d336fb7b8bab0e101ae7f

SHA1
4cc85c0e8330dc7d04b1883d0eac35ddd5caf45e

SHA256
ba82a2d12cfee47fcfab1e288a80e1792e6a8e8260e7582b007221918aba0310

SHA512
cb0f8918e21e1c3e7748647ccfd088f96bfed02e5e84e8e98c0b0716d3abe69e8a9fb33562845818c8164e25f61d3f6a852c53e0404c55d5e01ba50072c04079

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
981KB

MD5
03822cedfe4d336fb7b8bab0e101ae7f

SHA1
4cc85c0e8330dc7d04b1883d0eac35ddd5caf45e

SHA256
ba82a2d12cfee47fcfab1e288a80e1792e6a8e8260e7582b007221918aba0310

SHA512
cb0f8918e21e1c3e7748647ccfd088f96bfed02e5e84e8e98c0b0716d3abe69e8a9fb33562845818c8164e25f61d3f6a852c53e0404c55d5e01ba50072c04079

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
981KB

MD5
03822cedfe4d336fb7b8bab0e101ae7f

SHA1
4cc85c0e8330dc7d04b1883d0eac35ddd5caf45e

SHA256
ba82a2d12cfee47fcfab1e288a80e1792e6a8e8260e7582b007221918aba0310

SHA512
cb0f8918e21e1c3e7748647ccfd088f96bfed02e5e84e8e98c0b0716d3abe69e8a9fb33562845818c8164e25f61d3f6a852c53e0404c55d5e01ba50072c04079

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp944.tmp

Filesize
1KB

MD5
0a74cc9799a2067cdf398faba5441a14

SHA1
c44c18d84e0aa051c74e390bc4c9bfe9cdd7a4b5

SHA256
0866a80e9c87e47cffc7a2c1c39b46f5650a681e4159467001541b13a2ac6bcd

SHA512
41232ef24d1f3b2030a7f3904bc3195d450c4ee2f9ea485863ee61d3e37ce7e47c5398f5be6dd2f28ba7404a11c426c6af0643da966f4e791bcea893968a7561

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp957C.tmp

Filesize
1KB

MD5
0a74cc9799a2067cdf398faba5441a14

SHA1
c44c18d84e0aa051c74e390bc4c9bfe9cdd7a4b5

SHA256
0866a80e9c87e47cffc7a2c1c39b46f5650a681e4159467001541b13a2ac6bcd

SHA512
41232ef24d1f3b2030a7f3904bc3195d450c4ee2f9ea485863ee61d3e37ce7e47c5398f5be6dd2f28ba7404a11c426c6af0643da966f4e791bcea893968a7561

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
61f376b32f78f78057dee27c796a6f03

SHA1
83140617c2e62c048c05e860a2794d1c3c0bdf3a

SHA256
298173c36726bba647418b243904cf91ce9998c4676ffaad2482e6a75597c39f

SHA512
8dafc8e17743fcd6f8a6e4695262ad61e5812c26e36c7202ccd59e3d70237fbb63c341d9484b074440104d5077c6c54f9220e91f3380a4cd5bbae87192edf8a3

Download Submit
\ProgramData\Remcos\remcos.exe

Filesize
981KB

MD5
03822cedfe4d336fb7b8bab0e101ae7f

SHA1
4cc85c0e8330dc7d04b1883d0eac35ddd5caf45e

SHA256
ba82a2d12cfee47fcfab1e288a80e1792e6a8e8260e7582b007221918aba0310

SHA512
cb0f8918e21e1c3e7748647ccfd088f96bfed02e5e84e8e98c0b0716d3abe69e8a9fb33562845818c8164e25f61d3f6a852c53e0404c55d5e01ba50072c04079

Download Submit
memory/268-100-0x0000000000290000-0x00000000002A2000-memory.dmp

Filesize
72KB

Download
memory/268-106-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/268-142-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/268-101-0x0000000004E30000-0x0000000004E70000-memory.dmp

Filesize
256KB

Download
memory/268-99-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/268-98-0x0000000001220000-0x000000000131C000-memory.dmp

Filesize
1008KB

Download
memory/268-107-0x0000000004E30000-0x0000000004E70000-memory.dmp

Filesize
256KB

Download
memory/2256-56-0x0000000004EE0000-0x0000000004F20000-memory.dmp

Filesize
256KB

Download
memory/2256-86-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2256-61-0x0000000005500000-0x00000000055B8000-memory.dmp

Filesize
736KB

Download
memory/2256-60-0x00000000004D0000-0x00000000004DE000-memory.dmp

Filesize
56KB

Download
memory/2256-59-0x0000000004EE0000-0x0000000004F20000-memory.dmp

Filesize
256KB

Download
memory/2256-58-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2256-57-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/2256-55-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2256-54-0x00000000010E0000-0x00000000011DC000-memory.dmp

Filesize
1008KB

Download
memory/2584-147-0x000000006F440000-0x000000006F9EB000-memory.dmp

Filesize
5.7MB

Download
memory/2584-121-0x000000006F440000-0x000000006F9EB000-memory.dmp

Filesize
5.7MB

Download
memory/2584-132-0x0000000002690000-0x00000000026D0000-memory.dmp

Filesize
256KB

Download
memory/2584-130-0x000000006F440000-0x000000006F9EB000-memory.dmp

Filesize
5.7MB

Download
memory/2584-123-0x0000000002690000-0x00000000026D0000-memory.dmp

Filesize
256KB

Download
memory/2816-73-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2816-79-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2816-77-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2816-75-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2816-87-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2816-71-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2816-70-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2816-69-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2816-67-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2816-81-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2816-97-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2816-83-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2816-85-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2968-103-0x000000006EB70000-0x000000006F11B000-memory.dmp

Filesize
5.7MB

Download
memory/2968-104-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/2968-105-0x000000006EB70000-0x000000006F11B000-memory.dmp

Filesize
5.7MB

Download
memory/2968-102-0x000000006EB70000-0x000000006F11B000-memory.dmp

Filesize
5.7MB

Download
memory/3012-150-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3012-152-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3012-148-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3012-144-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3012-149-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3012-136-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3012-151-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3012-146-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3012-155-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3012-156-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3012-159-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3012-141-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3012-164-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3012-165-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3012-172-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3012-173-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download