remcos | ce39a137b9ff86bf23d7c62480a804e8d25c8b9154e9792b669374ac7f92e192

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
23/10/2023, 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cheque copy.exe
Size

1.0MB
MD5

23a617011a3d71135f895ed5fd643c6e
SHA1

15b7efb6dfa050ee1892a1112329ef360bc1317c
SHA256

ce39a137b9ff86bf23d7c62480a804e8d25c8b9154e9792b669374ac7f92e192
SHA512

0e7f3fe27c6ebd66a93291349f91db1e30dc88f0bc96064a935f6e5f42b93e6967e8a9101fae14a9e7d18224dcffb1e8402dab451f16e465550d960970e1fcad
SSDEEP

24576:tDDxs6gnAsLzJ6Wy3V6yANOVofLAw8meQcOQezIcLUCs:tDNs6gnAsL9O+gCfLAwdcOQYI

Score

10^/10

remcos fun rat

Malware Config

Extracted

Family

remcos

Botnet

fun

194.147.140.194:1998

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-62Q8OD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3052 set thread context of 2268	3052	Cheque copy.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3052	Cheque copy.exe
3052	Cheque copy.exe
3052	Cheque copy.exe
3052	Cheque copy.exe
3052	Cheque copy.exe
3052	Cheque copy.exe
3052	Cheque copy.exe
2864	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	Cheque copy.exe
Token: SeDebugPrivilege	2864	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2268	Cheque copy.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2864	3052	Cheque copy.exe	30
PID 3052 wrote to memory of 2864	3052	Cheque copy.exe	30
PID 3052 wrote to memory of 2864	3052	Cheque copy.exe	30
PID 3052 wrote to memory of 2864	3052	Cheque copy.exe	30
PID 3052 wrote to memory of 2872	3052	Cheque copy.exe	32
PID 3052 wrote to memory of 2872	3052	Cheque copy.exe	32
PID 3052 wrote to memory of 2872	3052	Cheque copy.exe	32
PID 3052 wrote to memory of 2872	3052	Cheque copy.exe	32
PID 3052 wrote to memory of 2268	3052	Cheque copy.exe	34
PID 3052 wrote to memory of 2268	3052	Cheque copy.exe	34
PID 3052 wrote to memory of 2268	3052	Cheque copy.exe	34
PID 3052 wrote to memory of 2268	3052	Cheque copy.exe	34
PID 3052 wrote to memory of 2268	3052	Cheque copy.exe	34
PID 3052 wrote to memory of 2268	3052	Cheque copy.exe	34
PID 3052 wrote to memory of 2268	3052	Cheque copy.exe	34
PID 3052 wrote to memory of 2268	3052	Cheque copy.exe	34
PID 3052 wrote to memory of 2268	3052	Cheque copy.exe	34
PID 3052 wrote to memory of 2268	3052	Cheque copy.exe	34
PID 3052 wrote to memory of 2268	3052	Cheque copy.exe	34
PID 3052 wrote to memory of 2268	3052	Cheque copy.exe	34
PID 3052 wrote to memory of 2268	3052	Cheque copy.exe	34

C:\Users\Admin\AppData\Local\Temp\Cheque copy.exe
"C:\Users\Admin\AppData\Local\Temp\Cheque copy.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SzKneWgZlzw.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzKneWgZlzw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp10E2.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2872
- C:\Users\Admin\AppData\Local\Temp\Cheque copy.exe
  "C:\Users\Admin\AppData\Local\Temp\Cheque copy.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
c05b4328707e5cd1bcc53759de66ba54

SHA1
aa18f1e194af65fc900ac38574fb462cb8702c9c

SHA256
3153e8a8df3385acc52c3b01d15fb5899d688bef500141266d7eeefcc2fb1b6a

SHA512
dc83f9d6358ead4284e1b814e34078266cb605717a02d749e070e8d5657104f4ac25ac1827eb86efd1726b0a82fd3ed79172ae166ee747dec40991195c21c095

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp10E2.tmp

Filesize
1KB

MD5
87ef0e44e18cd544eb4a625decfa4701

SHA1
51a2e859e2cb1b32db46f18682e9df1ac2f3b35c

SHA256
124ea08e5164a8fe4c3ca1ee265d1675e3a5038a6b1769f534ef2c10600e51b7

SHA512
3b979ddd4ee391b7889e639e3dabcdea9d8972f74ea0261accc5203e8bead99bd8c29165db1fc3e9e407452217814471bcf95697a3979f4668d0a9ab15a9f8e9

Download Submit
memory/2268-28-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2268-29-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2268-31-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2268-73-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2268-72-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2268-65-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2268-64-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2268-57-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2268-14-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2268-15-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2268-16-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2268-17-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2268-18-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2268-19-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2268-20-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2268-21-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2268-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2268-24-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2268-56-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2268-27-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2268-49-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2268-48-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2268-47-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2268-34-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2268-35-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2268-40-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2268-38-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2864-37-0x0000000074540000-0x0000000074AEB000-memory.dmp

Filesize
5.7MB

Download
memory/2864-39-0x00000000027D0000-0x0000000002810000-memory.dmp

Filesize
256KB

Download
memory/2864-36-0x0000000074540000-0x0000000074AEB000-memory.dmp

Filesize
5.7MB

Download
memory/2864-42-0x00000000027D0000-0x0000000002810000-memory.dmp

Filesize
256KB

Download
memory/2864-45-0x0000000074540000-0x0000000074AEB000-memory.dmp

Filesize
5.7MB

Download
memory/3052-1-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/3052-4-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/3052-3-0x0000000000240000-0x000000000025C000-memory.dmp

Filesize
112KB

Download
memory/3052-0-0x0000000000E60000-0x0000000000F66000-memory.dmp

Filesize
1.0MB

Download
memory/3052-26-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/3052-2-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

Filesize
256KB

Download
memory/3052-8-0x000000000B040000-0x000000000B0F8000-memory.dmp

Filesize
736KB

Download
memory/3052-7-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/3052-6-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

Filesize
256KB

Download
memory/3052-5-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download