remcos | f165e942ae1568595ef4d01f46902860c2e759150880b558eb9fb80b96f7d132

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
19/11/2023, 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2606592152733152221441264660922248507516180361457925655560773.exe
Size

633KB
MD5

b40522e839fb4f09709f9f31e56eecf6
SHA1

17d11d8e31d7d71cf61a418d5d229ecdcadfaec1
SHA256

ba765e695b9b4569789654836bfd121f24dbaf70d0f36ba77e8d4c72f314910d
SHA512

306c8d0a20feac90dc3cb0d9e1ae4d98f8820be9301bccc699ee226265e580eae720419844f37aa0bbda1487c7fcdef9e12f966d856a09ed1c74588de78bcd96
SSDEEP

12288:gUtIDPQAH17ZxUbUS8yFOHPpiu5rSyN/aJ52/5uuZZWWFcplkap:jIDPQAVdxIUNyFcxh/aJA/5ueZWWFUlZ

Score

10^/10

remcos vps3 persistence rat

Malware Config

Extracted

Family

remcos

Botnet

VPS3

192.161.184.21:24053

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Rvp
mouse_option
false
mutex
VpSnEwxyz-DFPJ68
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dwnjqgup = "C:\\Users\\Admin\\AppData\\Roaming\\Dwnjqgup.exe"	2606592152733152221441264660922248507516180361457925655560773.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1748 set thread context of 1860	1748	2606592152733152221441264660922248507516180361457925655560773.exe	28

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1748	2606592152733152221441264660922248507516180361457925655560773.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1860	2606592152733152221441264660922248507516180361457925655560773.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 1860	1748	2606592152733152221441264660922248507516180361457925655560773.exe	28
PID 1748 wrote to memory of 1860	1748	2606592152733152221441264660922248507516180361457925655560773.exe	28
PID 1748 wrote to memory of 1860	1748	2606592152733152221441264660922248507516180361457925655560773.exe	28
PID 1748 wrote to memory of 1860	1748	2606592152733152221441264660922248507516180361457925655560773.exe	28
PID 1748 wrote to memory of 1860	1748	2606592152733152221441264660922248507516180361457925655560773.exe	28
PID 1748 wrote to memory of 1860	1748	2606592152733152221441264660922248507516180361457925655560773.exe	28
PID 1748 wrote to memory of 1860	1748	2606592152733152221441264660922248507516180361457925655560773.exe	28
PID 1748 wrote to memory of 1860	1748	2606592152733152221441264660922248507516180361457925655560773.exe	28
PID 1748 wrote to memory of 1860	1748	2606592152733152221441264660922248507516180361457925655560773.exe	28
PID 1748 wrote to memory of 1860	1748	2606592152733152221441264660922248507516180361457925655560773.exe	28
PID 1748 wrote to memory of 1860	1748	2606592152733152221441264660922248507516180361457925655560773.exe	28
PID 1748 wrote to memory of 1860	1748	2606592152733152221441264660922248507516180361457925655560773.exe	28
PID 1748 wrote to memory of 1860	1748	2606592152733152221441264660922248507516180361457925655560773.exe	28

C:\Users\Admin\AppData\Local\Temp\2606592152733152221441264660922248507516180361457925655560773.exe
"C:\Users\Admin\AppData\Local\Temp\2606592152733152221441264660922248507516180361457925655560773.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\2606592152733152221441264660922248507516180361457925655560773.exe
  C:\Users\Admin\AppData\Local\Temp\2606592152733152221441264660922248507516180361457925655560773.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Rvp\logs.dat

Filesize
144B

MD5
41915a2e937206df6481eed04055f0f8

SHA1
31ba3619b49dbd3a547fc5a442fa83adb0e1978f

SHA256
d1e55caec2cfb04441acfb39ae7aca51bc97a593fdb03ccbb963f666a3de105c

SHA512
6ffe75fd70eaf3ab825dfcfb9fd7c7397350e144af57a9cdb76f7f68d62cd8c63a00a7dae9ee5b129df25f83bf33beb681b3d9fb737b7f098a60df195d1db723

Download Submit
memory/1748-23-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/1748-0-0x0000000001320000-0x00000000013C4000-memory.dmp

Filesize
656KB

Download
memory/1748-3-0x00000000009A0000-0x0000000000A24000-memory.dmp

Filesize
528KB

Download
memory/1748-4-0x0000000000C80000-0x0000000000D06000-memory.dmp

Filesize
536KB

Download
memory/1748-5-0x0000000000D00000-0x0000000000D6C000-memory.dmp

Filesize
432KB

Download
memory/1748-1-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/1748-7-0x0000000000B20000-0x0000000000B6C000-memory.dmp

Filesize
304KB

Download
memory/1748-6-0x0000000004BE0000-0x0000000004C4C000-memory.dmp

Filesize
432KB

Download
memory/1748-2-0x0000000001290000-0x00000000012D0000-memory.dmp

Filesize
256KB

Download
memory/1860-26-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1860-30-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1860-16-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1860-17-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1860-18-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1860-15-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1860-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1860-21-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1860-13-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1860-11-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1860-24-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1860-9-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1860-29-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1860-14-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1860-35-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1860-36-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1860-37-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1860-28-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1860-42-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1860-43-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1860-49-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1860-50-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1860-55-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1860-56-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1860-61-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1860-63-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1860-68-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1860-69-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads