remcos | ce924608d3184bd96670d0b1c87b3b9dd1898cd00548f5c64eb09dbd36e708b4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2023, 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Browserchannel_test.exe
Size

1.1MB
MD5

18400a6db4000c6776de3a74f9569fc9
SHA1

902d038140502d776db62673ee28a68f2ab0bf63
SHA256

ce924608d3184bd96670d0b1c87b3b9dd1898cd00548f5c64eb09dbd36e708b4
SHA512

172d17fb9d4913b54c41d07958623fb292f39721165138d03d7462325cb294686cf7b163304cb47a4098361b102a475a578fabb77c4cd73b3b4bf61c34dd96d7
SSDEEP

24576:i1FvXWeilJJzhVN/XAfsCTv3wbodhY4T6XBDuOIAxsTbtC2:i1tXWeilJJdVN/AUifY4T6XDxCZl

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

retghrtgwtrgtg.bounceme.net:3839

listpoints.click:7020

datastream.myvnc.com:5225

gservicese.com:2718

center.onthewifi.com:8118

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
explorer.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-OPX7KW
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3936 created 3108	3936	Browserchannel_test.exe	46

Executes dropped EXE 1 IoCs

pid	Process
4836	atkexComSvc.exe

Loads dropped DLL 3 IoCs

pid	Process
4836	atkexComSvc.exe
4836	atkexComSvc.exe
4836	atkexComSvc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4836 set thread context of 1684	4836	atkexComSvc.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3936	Browserchannel_test.exe
3936	Browserchannel_test.exe
4836	atkexComSvc.exe
4836	atkexComSvc.exe
1684	cmd.exe
1684	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4836	atkexComSvc.exe
1684	cmd.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 4836	3936	Browserchannel_test.exe	85
PID 3936 wrote to memory of 4836	3936	Browserchannel_test.exe	85
PID 3936 wrote to memory of 4836	3936	Browserchannel_test.exe	85
PID 4836 wrote to memory of 1684	4836	atkexComSvc.exe	90
PID 4836 wrote to memory of 1684	4836	atkexComSvc.exe	90
PID 4836 wrote to memory of 1684	4836	atkexComSvc.exe	90
PID 4836 wrote to memory of 1684	4836	atkexComSvc.exe	90
PID 1684 wrote to memory of 2212	1684	cmd.exe	100
PID 1684 wrote to memory of 2212	1684	cmd.exe	100
PID 1684 wrote to memory of 2212	1684	cmd.exe	100
PID 1684 wrote to memory of 2212	1684	cmd.exe	100

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3108
- C:\Users\Admin\AppData\Local\Temp\Browserchannel_test.exe
  "C:\Users\Admin\AppData\Local\Temp\Browserchannel_test.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3936
- C:\Users\Admin\AppData\Roaming\updatebgv5\atkexComSvc.exe
  C:\Users\Admin\AppData\Roaming\updatebgv5\atkexComSvc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\273b0aa9

Filesize
1.1MB

MD5
404f7c0fc916c82a73cb956fbd6cdfb1

SHA1
629c6956d6d57d09382a18794fb333d0cc138d2e

SHA256
84093d8c5078a3fbbf7d39a0720f56bc2e2f8fb3a0009901a09f89a62ac14540

SHA512
1fe39071e8f5f3f89a303f7ab5fe1d01945125263e3d4db7b25f345e7735d5e4b5a5ef339169c7985941295e5d409ca9025a8e26a8c1e4625e1c2a0dbf7abb5c

Download Submit
C:\Users\Admin\AppData\Roaming\updatebgv5\ASUS_WMI.dll

Filesize
224KB

MD5
3f109a02c8d642e8003a1188df40d861

SHA1
f723f38471b8872443aa9177eef12a96c02cc84a

SHA256
6523b44da6fa7078c7795b7705498e487b0625e28e15aec2d270c6e4a909b5a5

SHA512
023696a52d48c465ab62e3ee754b445093b8a0ed0a232b430ce1f0db3dae382c9e1fba210c2b04d1018cc29bfb69c546976912f3939a76e98bcb792ae57af0da

Download Submit
C:\Users\Admin\AppData\Roaming\updatebgv5\ASUS_WMI.dll

Filesize
224KB

MD5
3f109a02c8d642e8003a1188df40d861

SHA1
f723f38471b8872443aa9177eef12a96c02cc84a

SHA256
6523b44da6fa7078c7795b7705498e487b0625e28e15aec2d270c6e4a909b5a5

SHA512
023696a52d48c465ab62e3ee754b445093b8a0ed0a232b430ce1f0db3dae382c9e1fba210c2b04d1018cc29bfb69c546976912f3939a76e98bcb792ae57af0da

Download Submit
C:\Users\Admin\AppData\Roaming\updatebgv5\ATKEX.dll

Filesize
84KB

MD5
e68562f63265e1a70881446b4b9dc455

SHA1
da16ef9367bde3ce892b1a0e33bc179d8acdceb3

SHA256
c8b16f1c6883a23021da37d9116a757f971fe919d64ef8f9dba17a7d8dd39adb

SHA512
6bedea10a5b50f6e93e8566c18970c8ad1b8dfc7d5961069fc5d5216dcdded0b2a2ad8dd91f4ad80f8604d573a343c126df238ee5c448cdc26b899077957a674

Download Submit
C:\Users\Admin\AppData\Roaming\updatebgv5\ATKEX.dll

Filesize
84KB

MD5
e68562f63265e1a70881446b4b9dc455

SHA1
da16ef9367bde3ce892b1a0e33bc179d8acdceb3

SHA256
c8b16f1c6883a23021da37d9116a757f971fe919d64ef8f9dba17a7d8dd39adb

SHA512
6bedea10a5b50f6e93e8566c18970c8ad1b8dfc7d5961069fc5d5216dcdded0b2a2ad8dd91f4ad80f8604d573a343c126df238ee5c448cdc26b899077957a674

Download Submit
C:\Users\Admin\AppData\Roaming\updatebgv5\AsIO.dll

Filesize
120KB

MD5
46e6a0c97132a518620763caff0da368

SHA1
e39db0fb68e2df5a2d068c9c29f1e0c464aa66f2

SHA256
08cb42002f6b659182088f9756483627d0b4ebb9ed32eca89239ee626d1c1ce4

SHA512
117b8a042cd0004ece1b64c0222956c5e6f54c409e394dbbf72b293374d1abcb222a789067626cce3dc198ad8a3a70e2b73fab7dec71c82341970377fca80066

Download Submit
C:\Users\Admin\AppData\Roaming\updatebgv5\AsIO.dll

Filesize
120KB

MD5
46e6a0c97132a518620763caff0da368

SHA1
e39db0fb68e2df5a2d068c9c29f1e0c464aa66f2

SHA256
08cb42002f6b659182088f9756483627d0b4ebb9ed32eca89239ee626d1c1ce4

SHA512
117b8a042cd0004ece1b64c0222956c5e6f54c409e394dbbf72b293374d1abcb222a789067626cce3dc198ad8a3a70e2b73fab7dec71c82341970377fca80066

Download Submit
C:\Users\Admin\AppData\Roaming\updatebgv5\atkexComSvc.exe

Filesize
446KB

MD5
485008b43f0edceba0e0d3ca04bc1c1a

SHA1
55ae8f105af415bb763d1b87f6572f078052877c

SHA256
12c22ba646232d5d5087d0300d5cfd46fed424f26143a02dc866f1bfceab3c10

SHA512
402652786daae635c7405f5fa0924d768cbde2086f9f57b10f00f921dec98e37168f5c3a6baa5593ba9a478f3971d32747c517ffd485d25634c924e6b08815b1

Download Submit
C:\Users\Admin\AppData\Roaming\updatebgv5\atkexComSvc.exe

Filesize
446KB

MD5
485008b43f0edceba0e0d3ca04bc1c1a

SHA1
55ae8f105af415bb763d1b87f6572f078052877c

SHA256
12c22ba646232d5d5087d0300d5cfd46fed424f26143a02dc866f1bfceab3c10

SHA512
402652786daae635c7405f5fa0924d768cbde2086f9f57b10f00f921dec98e37168f5c3a6baa5593ba9a478f3971d32747c517ffd485d25634c924e6b08815b1

Download Submit
C:\Users\Admin\AppData\Roaming\updatebgv5\resort.dbf

Filesize
923KB

MD5
0192bf28a80e86fdd32aeb6e7aeacb53

SHA1
5dcbe85578c66dffaa282301b073d4a6543b6c03

SHA256
a406ab43597e21e1281adf134da4a5309f718361f90541824e5f0b2e99a2f3bf

SHA512
24e6c972676c88f510432c54159143af3e489816336425645250138e98b6ca242cc3d43da87997d515ae640e5ef3c237600572b99a058df11efce1fec219ea0c

Download Submit
memory/1684-46-0x0000000074BE0000-0x0000000074D5B000-memory.dmp

Filesize
1.5MB

Download
memory/1684-39-0x0000000074BE0000-0x0000000074D5B000-memory.dmp

Filesize
1.5MB

Download
memory/1684-44-0x0000000074BE0000-0x0000000074D5B000-memory.dmp

Filesize
1.5MB

Download
memory/1684-43-0x0000000074BE0000-0x0000000074D5B000-memory.dmp

Filesize
1.5MB

Download
memory/1684-41-0x00007FF9272B0000-0x00007FF9274A5000-memory.dmp

Filesize
2.0MB

Download
memory/2212-53-0x0000000000800000-0x0000000000883000-memory.dmp

Filesize
524KB

Download
memory/2212-47-0x00007FF9272B0000-0x00007FF9274A5000-memory.dmp

Filesize
2.0MB

Download
memory/2212-61-0x0000000000800000-0x0000000000883000-memory.dmp

Filesize
524KB

Download
memory/2212-59-0x0000000000800000-0x0000000000883000-memory.dmp

Filesize
524KB

Download
memory/2212-56-0x0000000000800000-0x0000000000883000-memory.dmp

Filesize
524KB

Download
memory/2212-55-0x0000000000800000-0x0000000000883000-memory.dmp

Filesize
524KB

Download
memory/2212-54-0x0000000000800000-0x0000000000883000-memory.dmp

Filesize
524KB

Download
memory/2212-52-0x0000000000800000-0x0000000000883000-memory.dmp

Filesize
524KB

Download
memory/2212-51-0x0000000000060000-0x0000000000493000-memory.dmp

Filesize
4.2MB

Download
memory/2212-48-0x0000000000800000-0x0000000000883000-memory.dmp

Filesize
524KB

Download
memory/3936-10-0x00007FF9095C0000-0x00007FF909732000-memory.dmp

Filesize
1.4MB

Download
memory/3936-9-0x00007FF7D60E0000-0x00007FF7D620B000-memory.dmp

Filesize
1.2MB

Download
memory/3936-21-0x00007FF9095C0000-0x00007FF909732000-memory.dmp

Filesize
1.4MB

Download
memory/3936-12-0x00007FF9095C0000-0x00007FF909732000-memory.dmp

Filesize
1.4MB

Download
memory/3936-22-0x00007FF9095C0000-0x00007FF909732000-memory.dmp

Filesize
1.4MB

Download
memory/3936-36-0x00007FF9095C0000-0x00007FF909732000-memory.dmp

Filesize
1.4MB

Download
memory/4836-33-0x0000000074BE0000-0x0000000074D5B000-memory.dmp

Filesize
1.5MB

Download
memory/4836-35-0x0000000074BE0000-0x0000000074D5B000-memory.dmp

Filesize
1.5MB

Download
memory/4836-34-0x00007FF9272B0000-0x00007FF9274A5000-memory.dmp

Filesize
2.0MB

Download
memory/4836-37-0x0000000074BE0000-0x0000000074D5B000-memory.dmp

Filesize
1.5MB

Download