remcos | 48abecd92c81072243a7636f1936e8584df8375f052e4d5a20847f56b174d69c

Analysis

max time kernel
299s
max time network
277s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21/11/2023, 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48abecd92c81072243a7636f1936e8584df8375f052e4d5a20847f56b174d69c.exe
Size

5.2MB
MD5

7797bec3d8ef3cb453c3846b34d35c71
SHA1

71d7a274f53ec70b21139f393173f573255e9cf0
SHA256

48abecd92c81072243a7636f1936e8584df8375f052e4d5a20847f56b174d69c
SHA512

90043c661b80698b6e88339f89446c286c03d845b66d79231100fc27ec754e26632a7f67790445bf67b1e6061a42419b38af8342b86baf062a92d19114a61308
SSDEEP

98304:FpWZZdfpykIRIcAF0MTy7wEEOnXFC4ZuTEbXTKgidggLhcj:nWZnfHfTF0MGEkFFigY9i

Score

10^/10

remcos atilla persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Atilla

185.157.162.241:1303

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
GoogleChromex64.exe
copy_folder
GoogleChrome
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
chromelogs
mouse_option
false
mutex
-91PO5X
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	module.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\-91PO5X = "\"C:\\ProgramData\\GoogleChrome\\GoogleChromex64.exe\""	module.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	GoogleChromex64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\-91PO5X = "\"C:\\ProgramData\\GoogleChrome\\GoogleChromex64.exe\""	GoogleChromex64.exe

Executes dropped EXE 2 IoCs

pid	Process
528	module.exe
2756	GoogleChromex64.exe

Loads dropped DLL 2 IoCs

pid	Process
528	module.exe
528	module.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\-91PO5X = "\"C:\\ProgramData\\GoogleChrome\\GoogleChromex64.exe\""	module.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\-91PO5X = "\"C:\\ProgramData\\GoogleChrome\\GoogleChromex64.exe\""	module.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\-91PO5X = "\"C:\\ProgramData\\GoogleChrome\\GoogleChromex64.exe\""	GoogleChromex64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\-91PO5X = "\"C:\\ProgramData\\GoogleChrome\\GoogleChromex64.exe\""	GoogleChromex64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1924	48abecd92c81072243a7636f1936e8584df8375f052e4d5a20847f56b174d69c.exe
1924	48abecd92c81072243a7636f1936e8584df8375f052e4d5a20847f56b174d69c.exe
2264	powershell.exe
2776	powershell.exe
2740	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2756	GoogleChromex64.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2264	1924	48abecd92c81072243a7636f1936e8584df8375f052e4d5a20847f56b174d69c.exe	28
PID 1924 wrote to memory of 2264	1924	48abecd92c81072243a7636f1936e8584df8375f052e4d5a20847f56b174d69c.exe	28
PID 1924 wrote to memory of 2264	1924	48abecd92c81072243a7636f1936e8584df8375f052e4d5a20847f56b174d69c.exe	28
PID 1924 wrote to memory of 2776	1924	48abecd92c81072243a7636f1936e8584df8375f052e4d5a20847f56b174d69c.exe	30
PID 1924 wrote to memory of 2776	1924	48abecd92c81072243a7636f1936e8584df8375f052e4d5a20847f56b174d69c.exe	30
PID 1924 wrote to memory of 2776	1924	48abecd92c81072243a7636f1936e8584df8375f052e4d5a20847f56b174d69c.exe	30
PID 1924 wrote to memory of 2740	1924	48abecd92c81072243a7636f1936e8584df8375f052e4d5a20847f56b174d69c.exe	32
PID 1924 wrote to memory of 2740	1924	48abecd92c81072243a7636f1936e8584df8375f052e4d5a20847f56b174d69c.exe	32
PID 1924 wrote to memory of 2740	1924	48abecd92c81072243a7636f1936e8584df8375f052e4d5a20847f56b174d69c.exe	32
PID 1924 wrote to memory of 528	1924	48abecd92c81072243a7636f1936e8584df8375f052e4d5a20847f56b174d69c.exe	34
PID 1924 wrote to memory of 528	1924	48abecd92c81072243a7636f1936e8584df8375f052e4d5a20847f56b174d69c.exe	34
PID 1924 wrote to memory of 528	1924	48abecd92c81072243a7636f1936e8584df8375f052e4d5a20847f56b174d69c.exe	34
PID 1924 wrote to memory of 528	1924	48abecd92c81072243a7636f1936e8584df8375f052e4d5a20847f56b174d69c.exe	34
PID 528 wrote to memory of 2756	528	module.exe	35
PID 528 wrote to memory of 2756	528	module.exe	35
PID 528 wrote to memory of 2756	528	module.exe	35
PID 528 wrote to memory of 2756	528	module.exe	35

C:\Users\Admin\AppData\Local\Temp\48abecd92c81072243a7636f1936e8584df8375f052e4d5a20847f56b174d69c.exe
"C:\Users\Admin\AppData\Local\Temp\48abecd92c81072243a7636f1936e8584df8375f052e4d5a20847f56b174d69c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'D:\'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'F:\'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Users\Admin\AppData\Local\Temp\module.exe
  "C:\Users\Admin\AppData\Local\Temp\module.exe"
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\ProgramData\GoogleChrome\GoogleChromex64.exe
    "C:\ProgramData\GoogleChrome\GoogleChromex64.exe"
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GoogleChrome\GoogleChromex64.exe

Filesize
483KB

MD5
4b65708a39b3cdf5629e87a60184a7e4

SHA1
62458c0910bbbab7c5f82f5ebf3e9c8672eef7af

SHA256
a5611eb6e5da707f143759b4aac568f0542c3ba9bcb88ee8a95f5a17ae740f7c

SHA512
722a2e9f98b99968242647d98a266426b3de0aab790c9b33dc26c2f0dd2f45555264c261c3ab9229798b18653862a2013012feb4888025b3db03aa14607b90a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\module.exe

Filesize
483KB

MD5
4b65708a39b3cdf5629e87a60184a7e4

SHA1
62458c0910bbbab7c5f82f5ebf3e9c8672eef7af

SHA256
a5611eb6e5da707f143759b4aac568f0542c3ba9bcb88ee8a95f5a17ae740f7c

SHA512
722a2e9f98b99968242647d98a266426b3de0aab790c9b33dc26c2f0dd2f45555264c261c3ab9229798b18653862a2013012feb4888025b3db03aa14607b90a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\module.exe

Filesize
483KB

MD5
4b65708a39b3cdf5629e87a60184a7e4

SHA1
62458c0910bbbab7c5f82f5ebf3e9c8672eef7af

SHA256
a5611eb6e5da707f143759b4aac568f0542c3ba9bcb88ee8a95f5a17ae740f7c

SHA512
722a2e9f98b99968242647d98a266426b3de0aab790c9b33dc26c2f0dd2f45555264c261c3ab9229798b18653862a2013012feb4888025b3db03aa14607b90a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\module.exe

Filesize
483KB

MD5
4b65708a39b3cdf5629e87a60184a7e4

SHA1
62458c0910bbbab7c5f82f5ebf3e9c8672eef7af

SHA256
a5611eb6e5da707f143759b4aac568f0542c3ba9bcb88ee8a95f5a17ae740f7c

SHA512
722a2e9f98b99968242647d98a266426b3de0aab790c9b33dc26c2f0dd2f45555264c261c3ab9229798b18653862a2013012feb4888025b3db03aa14607b90a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
24fbdcd618e2f6e734826ac230c672e3

SHA1
ad7cd0217967ab92b196ad47d25a5ca83bd747ad

SHA256
da2525a4d91f1f4c6d722ecad808d69505cb66018add66c7fe7ccb90766fe8c1

SHA512
afe2399a8d030a92355260ca2bc4d23450e8c902b3208af36a7b776c29449d1509cf69cd824423a44bb0815bdffaced357633ca8b092c6cacac91dd3890b34f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
24fbdcd618e2f6e734826ac230c672e3

SHA1
ad7cd0217967ab92b196ad47d25a5ca83bd747ad

SHA256
da2525a4d91f1f4c6d722ecad808d69505cb66018add66c7fe7ccb90766fe8c1

SHA512
afe2399a8d030a92355260ca2bc4d23450e8c902b3208af36a7b776c29449d1509cf69cd824423a44bb0815bdffaced357633ca8b092c6cacac91dd3890b34f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VLVXV3V29LCS90NQSXAQ.temp

Filesize
7KB

MD5
24fbdcd618e2f6e734826ac230c672e3

SHA1
ad7cd0217967ab92b196ad47d25a5ca83bd747ad

SHA256
da2525a4d91f1f4c6d722ecad808d69505cb66018add66c7fe7ccb90766fe8c1

SHA512
afe2399a8d030a92355260ca2bc4d23450e8c902b3208af36a7b776c29449d1509cf69cd824423a44bb0815bdffaced357633ca8b092c6cacac91dd3890b34f3

Download Submit
\ProgramData\GoogleChrome\GoogleChromex64.exe

Filesize
483KB

MD5
4b65708a39b3cdf5629e87a60184a7e4

SHA1
62458c0910bbbab7c5f82f5ebf3e9c8672eef7af

SHA256
a5611eb6e5da707f143759b4aac568f0542c3ba9bcb88ee8a95f5a17ae740f7c

SHA512
722a2e9f98b99968242647d98a266426b3de0aab790c9b33dc26c2f0dd2f45555264c261c3ab9229798b18653862a2013012feb4888025b3db03aa14607b90a5

Download Submit
\ProgramData\GoogleChrome\GoogleChromex64.exe

Filesize
483KB

MD5
4b65708a39b3cdf5629e87a60184a7e4

SHA1
62458c0910bbbab7c5f82f5ebf3e9c8672eef7af

SHA256
a5611eb6e5da707f143759b4aac568f0542c3ba9bcb88ee8a95f5a17ae740f7c

SHA512
722a2e9f98b99968242647d98a266426b3de0aab790c9b33dc26c2f0dd2f45555264c261c3ab9229798b18653862a2013012feb4888025b3db03aa14607b90a5

Download Submit
memory/1924-23-0x000007FEFD030000-0x000007FEFD032000-memory.dmp

Filesize
8KB

Download
memory/1924-11-0x00000000772B0000-0x00000000772B2000-memory.dmp

Filesize
8KB

Download
memory/1924-20-0x00000000772C0000-0x00000000772C2000-memory.dmp

Filesize
8KB

Download
memory/1924-1-0x000000013F350000-0x000000013F88B000-memory.dmp

Filesize
5.2MB

Download
memory/1924-25-0x000007FEFD030000-0x000007FEFD032000-memory.dmp

Filesize
8KB

Download
memory/1924-28-0x000007FEFD040000-0x000007FEFD042000-memory.dmp

Filesize
8KB

Download
memory/1924-30-0x000007FEFD040000-0x000007FEFD042000-memory.dmp

Filesize
8KB

Download
memory/1924-18-0x00000000772C0000-0x00000000772C2000-memory.dmp

Filesize
8KB

Download
memory/1924-69-0x000000013F350000-0x000000013F88B000-memory.dmp

Filesize
5.2MB

Download
memory/1924-3-0x0000000077290000-0x0000000077292000-memory.dmp

Filesize
8KB

Download
memory/1924-13-0x00000000772B0000-0x00000000772B2000-memory.dmp

Filesize
8KB

Download
memory/1924-10-0x00000000772A0000-0x00000000772A2000-memory.dmp

Filesize
8KB

Download
memory/1924-6-0x00000000772A0000-0x00000000772A2000-memory.dmp

Filesize
8KB

Download
memory/1924-77-0x000000013F350000-0x000000013F88B000-memory.dmp

Filesize
5.2MB

Download
memory/1924-8-0x00000000772A0000-0x00000000772A2000-memory.dmp

Filesize
8KB

Download
memory/1924-5-0x0000000077290000-0x0000000077292000-memory.dmp

Filesize
8KB

Download
memory/1924-16-0x00000000772C0000-0x00000000772C2000-memory.dmp

Filesize
8KB

Download
memory/1924-15-0x00000000772B0000-0x00000000772B2000-memory.dmp

Filesize
8KB

Download
memory/1924-0-0x0000000077290000-0x0000000077292000-memory.dmp

Filesize
8KB

Download
memory/2264-35-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

Filesize
9.6MB

Download
memory/2264-43-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

Filesize
9.6MB

Download
memory/2264-42-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2264-41-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2264-40-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2264-39-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

Filesize
9.6MB

Download
memory/2264-38-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download
memory/2264-36-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download
memory/2264-37-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2740-66-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2740-64-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2740-65-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

Filesize
9.6MB

Download
memory/2740-63-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2740-67-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2740-68-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

Filesize
9.6MB

Download
memory/2740-62-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

Filesize
9.6MB

Download
memory/2776-54-0x000007FEF4B50000-0x000007FEF54ED000-memory.dmp

Filesize
9.6MB

Download
memory/2776-55-0x00000000029D4000-0x00000000029D7000-memory.dmp

Filesize
12KB

Download
memory/2776-53-0x00000000029DB000-0x0000000002A42000-memory.dmp

Filesize
412KB

Download
memory/2776-50-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/2776-52-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2776-51-0x000007FEF4B50000-0x000007FEF54ED000-memory.dmp

Filesize
9.6MB

Download
memory/2776-49-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/2776-90-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download