Overview

overview

10

Static

static

10

Remcos v4.9.3 Pro.exe

windows7-x64

10

Remcos v4.9.3 Pro.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    155s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2023 17:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Remcos v4.9.3 Pro.exe

  • Size

    467KB

  • MD5

    ccb5f97be3daefc9cdeaff2aec1ad323

  • SHA1

    3b561e66a88eb6072a363c1b9cc52d0a679c20e6

  • SHA256

    f7284ed876aebbf3407d50fd6acdbd11adb75c31550c3034c1600f4eb4e61043

  • SHA512

    c6716462e91b02b561ebe89418c3a36eea7dea6924ff6483cef6c834512123258706924cb8ec07040325522d41fe329659758b01f69bf6a17805599344f01180

  • SSDEEP

    6144:sXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZsAX4cNF5Gv:sX7tPMK8ctGe4Dzl4h2QnuPs/Zs0cv

Score
10/10
remcosnulledevasionpersistencerattrojan

Malware Config

Extracted

Family

remcos

Botnet

nulled

C2

essagbs.ddns.net:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    svhost.exe

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %WinDir%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    logs

  • mouse_option

    false

  • mutex

    ewaewefsefsefdseadwadf-21RLZF

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Adds policy Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe
    "C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe"
    1⤵
    • Adds policy Run key to start application
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4824
    • C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4164
      • C:\Windows\SysWOW64\reg.exe
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • Modifies registry key
        PID:4452
    • C:\Windows\svhost.exe
      "C:\Windows\svhost.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3720
      • C:\Windows\SysWOW64\cmd.exe
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4408
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • UAC bypass
          • Modifies registry key
          PID:1964
      • \??\c:\program files (x86)\internet explorer\iexplore.exe
        "c:\program files (x86)\internet explorer\iexplore.exe"
        3⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3964
        • C:\Windows\SysWOW64\cmd.exe
          /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4424
          • C:\Windows\SysWOW64\reg.exe
            C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            5⤵
            • UAC bypass
            • Modifies registry key
            PID:4288
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
            PID:1832

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    4
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\logs\logs.dat
      Filesize

      144B

      MD5

      93743684c429bd79fad7065584747030

      SHA1

      c1d6a9a407dac4354087ec6c84f85f4d507199ba

      SHA256

      6cfbc0f69a13a597f8956a068f28a491f351700dfcb12a12fe5598bf835b67b9

      SHA512

      5eea2c776d81f420255a4096ef9bd5f3985a5ca7f58a1a7716bccadbc7d1fabff7313b96cc4f445e26bc03ff1558743bec8510fb09cddcc70164cb1dc8a19610

      Download Submit
    • C:\Windows\svhost.exe
      Filesize

      467KB

      MD5

      ccb5f97be3daefc9cdeaff2aec1ad323

      SHA1

      3b561e66a88eb6072a363c1b9cc52d0a679c20e6

      SHA256

      f7284ed876aebbf3407d50fd6acdbd11adb75c31550c3034c1600f4eb4e61043

      SHA512

      c6716462e91b02b561ebe89418c3a36eea7dea6924ff6483cef6c834512123258706924cb8ec07040325522d41fe329659758b01f69bf6a17805599344f01180

      Download Submit
    • C:\Windows\svhost.exe
      Filesize

      467KB

      MD5

      ccb5f97be3daefc9cdeaff2aec1ad323

      SHA1

      3b561e66a88eb6072a363c1b9cc52d0a679c20e6

      SHA256

      f7284ed876aebbf3407d50fd6acdbd11adb75c31550c3034c1600f4eb4e61043

      SHA512

      c6716462e91b02b561ebe89418c3a36eea7dea6924ff6483cef6c834512123258706924cb8ec07040325522d41fe329659758b01f69bf6a17805599344f01180

      Download Submit
    • C:\Windows\svhost.exe
      Filesize

      467KB

      MD5

      ccb5f97be3daefc9cdeaff2aec1ad323

      SHA1

      3b561e66a88eb6072a363c1b9cc52d0a679c20e6

      SHA256

      f7284ed876aebbf3407d50fd6acdbd11adb75c31550c3034c1600f4eb4e61043

      SHA512

      c6716462e91b02b561ebe89418c3a36eea7dea6924ff6483cef6c834512123258706924cb8ec07040325522d41fe329659758b01f69bf6a17805599344f01180

      Download Submit
    • memory/1832-18-0x0000000000A70000-0x0000000000AEE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/1832-19-0x0000000000A70000-0x0000000000AEE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/1832-20-0x0000000000A70000-0x0000000000AEE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/1832-21-0x0000000000A70000-0x0000000000AEE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-42-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-45-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-10-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-12-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-11-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-14-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-15-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-17-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-22-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-23-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-24-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-25-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-26-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-27-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-28-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-29-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-30-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-31-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-33-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-34-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-35-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-36-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-37-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-38-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-39-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-40-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-8-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-43-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-44-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-9-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-46-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-47-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-48-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-49-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-50-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-51-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-53-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-54-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-55-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-56-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-57-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-58-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-59-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-60-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-61-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-62-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-64-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-65-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-66-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-67-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-68-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-69-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-70-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-71-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-73-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-74-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-75-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-76-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-77-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3964-78-0x0000000000F80000-0x0000000000FFE000-memory.dmp
      Filesize

      504KB

      Download