remcos | 04e5b2ca6f0ed2eb8a36deaef7ec8a5ba5780aa07e133153eac2e120ffe41672

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2023 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

allegato_35.js
Size

4KB
MD5

28eccbb393ed8689497c2966337666df
SHA1

2d4a2ea5d4252a84cd22854cdecc2092aac0c4c2
SHA256

04e5b2ca6f0ed2eb8a36deaef7ec8a5ba5780aa07e133153eac2e120ffe41672
SHA512

c01e9d9992ccf8e01476c9a81a604a50e683812820af44281209824c5aaee685913043e8b190f4000a63b41a1dcae744dc1b5118f0685ae799311218e5380f5b
SSDEEP

96:TqKszBKK/HeX9vh7oUfCkHLlEjIhfOhjafVCz8TmA/sUHwFseGjtGjCDoUzk7/zx:TqK3K/+X9p7oUfCkHLlE8hfOhjafszEU

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

retghrtgwtrgtg.bounceme.net:3839

listpoints.click:7020

datastream.myvnc.com:5225

gservicese.com:2718

center.onthewifi.com:8118

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
explorer.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-OPX7KW
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	3236	wscript.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	wscript.exe

Deletes itself 1 IoCs

pid	Process
3236	wscript.exe

Executes dropped EXE 2 IoCs

pid	Process
2108	Browserchannel_test.exe
2724	atkexComSvc.exe

Loads dropped DLL 3 IoCs

pid	Process
2724	atkexComSvc.exe
2724	atkexComSvc.exe
2724	atkexComSvc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2724 set thread context of 4828	2724	atkexComSvc.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2108	Browserchannel_test.exe
2108	Browserchannel_test.exe
2724	atkexComSvc.exe
2724	atkexComSvc.exe
4828	cmd.exe
4828	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2724	atkexComSvc.exe
4828	cmd.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 2108	3236	wscript.exe	85
PID 3236 wrote to memory of 2108	3236	wscript.exe	85
PID 2108 wrote to memory of 2724	2108	Browserchannel_test.exe	91
PID 2108 wrote to memory of 2724	2108	Browserchannel_test.exe	91
PID 2108 wrote to memory of 2724	2108	Browserchannel_test.exe	91
PID 2724 wrote to memory of 4828	2724	atkexComSvc.exe	95
PID 2724 wrote to memory of 4828	2724	atkexComSvc.exe	95
PID 2724 wrote to memory of 4828	2724	atkexComSvc.exe	95
PID 2724 wrote to memory of 4828	2724	atkexComSvc.exe	95
PID 4828 wrote to memory of 3700	4828	cmd.exe	103
PID 4828 wrote to memory of 3700	4828	cmd.exe	103
PID 4828 wrote to memory of 3700	4828	cmd.exe	103
PID 4828 wrote to memory of 3700	4828	cmd.exe	103

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\allegato_35.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Users\Admin\AppData\Local\Temp\Browserchannel_test.exe
  "C:\Users\Admin\AppData\Local\Temp\Browserchannel_test.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Users\Admin\AppData\Roaming\updatebgv5\atkexComSvc.exe
    C:\Users\Admin\AppData\Roaming\updatebgv5\atkexComSvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4828
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        
        PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\21a8d8db

Filesize
1.1MB

MD5
74aeff70aa1674529cba3f90b1a42494

SHA1
bed31d0d22029bdb1d1954e5a607b0d58b6d5635

SHA256
d30f642b553042757337b736c614959d9989d9d59564881a6568e3da0ecf4c11

SHA512
d663273236c6bb3a28ccfe20eca18972670b1aa7fa13f440abae8399a17e4545d4b91cb9616c3f19d63be5b7a535ea8c6fa180610d0a8d849226116703b8a8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Browserchannel_test.exe

Filesize
1.1MB

MD5
18400a6db4000c6776de3a74f9569fc9

SHA1
902d038140502d776db62673ee28a68f2ab0bf63

SHA256
ce924608d3184bd96670d0b1c87b3b9dd1898cd00548f5c64eb09dbd36e708b4

SHA512
172d17fb9d4913b54c41d07958623fb292f39721165138d03d7462325cb294686cf7b163304cb47a4098361b102a475a578fabb77c4cd73b3b4bf61c34dd96d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Browserchannel_test.exe

Filesize
1.1MB

MD5
18400a6db4000c6776de3a74f9569fc9

SHA1
902d038140502d776db62673ee28a68f2ab0bf63

SHA256
ce924608d3184bd96670d0b1c87b3b9dd1898cd00548f5c64eb09dbd36e708b4

SHA512
172d17fb9d4913b54c41d07958623fb292f39721165138d03d7462325cb294686cf7b163304cb47a4098361b102a475a578fabb77c4cd73b3b4bf61c34dd96d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Browserchannel_test.exe

Filesize
1.1MB

MD5
18400a6db4000c6776de3a74f9569fc9

SHA1
902d038140502d776db62673ee28a68f2ab0bf63

SHA256
ce924608d3184bd96670d0b1c87b3b9dd1898cd00548f5c64eb09dbd36e708b4

SHA512
172d17fb9d4913b54c41d07958623fb292f39721165138d03d7462325cb294686cf7b163304cb47a4098361b102a475a578fabb77c4cd73b3b4bf61c34dd96d7

Download Submit
C:\Users\Admin\AppData\Roaming\updatebgv5\ASUS_WMI.dll

Filesize
224KB

MD5
3f109a02c8d642e8003a1188df40d861

SHA1
f723f38471b8872443aa9177eef12a96c02cc84a

SHA256
6523b44da6fa7078c7795b7705498e487b0625e28e15aec2d270c6e4a909b5a5

SHA512
023696a52d48c465ab62e3ee754b445093b8a0ed0a232b430ce1f0db3dae382c9e1fba210c2b04d1018cc29bfb69c546976912f3939a76e98bcb792ae57af0da

Download Submit
C:\Users\Admin\AppData\Roaming\updatebgv5\ASUS_WMI.dll

Filesize
224KB

MD5
3f109a02c8d642e8003a1188df40d861

SHA1
f723f38471b8872443aa9177eef12a96c02cc84a

SHA256
6523b44da6fa7078c7795b7705498e487b0625e28e15aec2d270c6e4a909b5a5

SHA512
023696a52d48c465ab62e3ee754b445093b8a0ed0a232b430ce1f0db3dae382c9e1fba210c2b04d1018cc29bfb69c546976912f3939a76e98bcb792ae57af0da

Download Submit
C:\Users\Admin\AppData\Roaming\updatebgv5\ATKEX.dll

Filesize
84KB

MD5
e68562f63265e1a70881446b4b9dc455

SHA1
da16ef9367bde3ce892b1a0e33bc179d8acdceb3

SHA256
c8b16f1c6883a23021da37d9116a757f971fe919d64ef8f9dba17a7d8dd39adb

SHA512
6bedea10a5b50f6e93e8566c18970c8ad1b8dfc7d5961069fc5d5216dcdded0b2a2ad8dd91f4ad80f8604d573a343c126df238ee5c448cdc26b899077957a674

Download Submit
C:\Users\Admin\AppData\Roaming\updatebgv5\ATKEX.dll

Filesize
84KB

MD5
e68562f63265e1a70881446b4b9dc455

SHA1
da16ef9367bde3ce892b1a0e33bc179d8acdceb3

SHA256
c8b16f1c6883a23021da37d9116a757f971fe919d64ef8f9dba17a7d8dd39adb

SHA512
6bedea10a5b50f6e93e8566c18970c8ad1b8dfc7d5961069fc5d5216dcdded0b2a2ad8dd91f4ad80f8604d573a343c126df238ee5c448cdc26b899077957a674

Download Submit
C:\Users\Admin\AppData\Roaming\updatebgv5\AsIO.dll

Filesize
120KB

MD5
46e6a0c97132a518620763caff0da368

SHA1
e39db0fb68e2df5a2d068c9c29f1e0c464aa66f2

SHA256
08cb42002f6b659182088f9756483627d0b4ebb9ed32eca89239ee626d1c1ce4

SHA512
117b8a042cd0004ece1b64c0222956c5e6f54c409e394dbbf72b293374d1abcb222a789067626cce3dc198ad8a3a70e2b73fab7dec71c82341970377fca80066

Download Submit
C:\Users\Admin\AppData\Roaming\updatebgv5\AsIO.dll

Filesize
120KB

MD5
46e6a0c97132a518620763caff0da368

SHA1
e39db0fb68e2df5a2d068c9c29f1e0c464aa66f2

SHA256
08cb42002f6b659182088f9756483627d0b4ebb9ed32eca89239ee626d1c1ce4

SHA512
117b8a042cd0004ece1b64c0222956c5e6f54c409e394dbbf72b293374d1abcb222a789067626cce3dc198ad8a3a70e2b73fab7dec71c82341970377fca80066

Download Submit
C:\Users\Admin\AppData\Roaming\updatebgv5\atkexComSvc.exe

Filesize
446KB

MD5
485008b43f0edceba0e0d3ca04bc1c1a

SHA1
55ae8f105af415bb763d1b87f6572f078052877c

SHA256
12c22ba646232d5d5087d0300d5cfd46fed424f26143a02dc866f1bfceab3c10

SHA512
402652786daae635c7405f5fa0924d768cbde2086f9f57b10f00f921dec98e37168f5c3a6baa5593ba9a478f3971d32747c517ffd485d25634c924e6b08815b1

Download Submit
C:\Users\Admin\AppData\Roaming\updatebgv5\atkexComSvc.exe

Filesize
446KB

MD5
485008b43f0edceba0e0d3ca04bc1c1a

SHA1
55ae8f105af415bb763d1b87f6572f078052877c

SHA256
12c22ba646232d5d5087d0300d5cfd46fed424f26143a02dc866f1bfceab3c10

SHA512
402652786daae635c7405f5fa0924d768cbde2086f9f57b10f00f921dec98e37168f5c3a6baa5593ba9a478f3971d32747c517ffd485d25634c924e6b08815b1

Download Submit
C:\Users\Admin\AppData\Roaming\updatebgv5\resort.dbf

Filesize
923KB

MD5
0192bf28a80e86fdd32aeb6e7aeacb53

SHA1
5dcbe85578c66dffaa282301b073d4a6543b6c03

SHA256
a406ab43597e21e1281adf134da4a5309f718361f90541824e5f0b2e99a2f3bf

SHA512
24e6c972676c88f510432c54159143af3e489816336425645250138e98b6ca242cc3d43da87997d515ae640e5ef3c237600572b99a058df11efce1fec219ea0c

Download Submit
memory/2108-46-0x00007FF826E90000-0x00007FF827002000-memory.dmp

Filesize
1.4MB

Download
memory/2108-19-0x00007FF71B570000-0x00007FF71B69B000-memory.dmp

Filesize
1.2MB

Download
memory/2108-29-0x00007FF826E90000-0x00007FF827002000-memory.dmp

Filesize
1.4MB

Download
memory/2108-22-0x00007FF826E90000-0x00007FF827002000-memory.dmp

Filesize
1.4MB

Download
memory/2108-20-0x00007FF826E90000-0x00007FF827002000-memory.dmp

Filesize
1.4MB

Download
memory/2108-34-0x00007FF826E90000-0x00007FF827002000-memory.dmp

Filesize
1.4MB

Download
memory/2724-43-0x0000000074B00000-0x0000000074C7B000-memory.dmp

Filesize
1.5MB

Download
memory/2724-44-0x00007FF844F50000-0x00007FF845145000-memory.dmp

Filesize
2.0MB

Download
memory/2724-45-0x0000000074B00000-0x0000000074C7B000-memory.dmp

Filesize
1.5MB

Download
memory/2724-47-0x0000000074B00000-0x0000000074C7B000-memory.dmp

Filesize
1.5MB

Download
memory/3700-63-0x0000000000F10000-0x0000000000F93000-memory.dmp

Filesize
524KB

Download
memory/3700-67-0x0000000000F10000-0x0000000000F93000-memory.dmp

Filesize
524KB

Download
memory/3700-71-0x0000000000F10000-0x0000000000F93000-memory.dmp

Filesize
524KB

Download
memory/3700-69-0x0000000000F10000-0x0000000000F93000-memory.dmp

Filesize
524KB

Download
memory/3700-68-0x0000000000F10000-0x0000000000F93000-memory.dmp

Filesize
524KB

Download
memory/3700-57-0x00007FF844F50000-0x00007FF845145000-memory.dmp

Filesize
2.0MB

Download
memory/3700-58-0x0000000000F10000-0x0000000000F93000-memory.dmp

Filesize
524KB

Download
memory/3700-61-0x00000000000A0000-0x00000000004D3000-memory.dmp

Filesize
4.2MB

Download
memory/3700-62-0x0000000000F10000-0x0000000000F93000-memory.dmp

Filesize
524KB

Download
memory/3700-66-0x0000000000F10000-0x0000000000F93000-memory.dmp

Filesize
524KB

Download
memory/3700-64-0x0000000000F10000-0x0000000000F93000-memory.dmp

Filesize
524KB

Download
memory/3700-65-0x0000000000F10000-0x0000000000F93000-memory.dmp

Filesize
524KB

Download
memory/4828-49-0x0000000074B00000-0x0000000074C7B000-memory.dmp

Filesize
1.5MB

Download
memory/4828-51-0x00007FF844F50000-0x00007FF845145000-memory.dmp

Filesize
2.0MB

Download
memory/4828-56-0x0000000074B00000-0x0000000074C7B000-memory.dmp

Filesize
1.5MB

Download
memory/4828-54-0x0000000074B00000-0x0000000074C7B000-memory.dmp

Filesize
1.5MB

Download
memory/4828-53-0x0000000074B00000-0x0000000074C7B000-memory.dmp

Filesize
1.5MB

Download