remcos | ed5f392d0095487edd0f112db6a14bbd3e9dc13454e63bf17bb0816d15e93f31

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
07-12-2023 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
Size

1.0MB
MD5

d450c0d6afa6a22fc9fc53780bcc628b
SHA1

65ae8b330c8da3f7c0699ea054cdcc857087bd38
SHA256

ed5f392d0095487edd0f112db6a14bbd3e9dc13454e63bf17bb0816d15e93f31
SHA512

20384a55ece7385a7c950ad984d75f778fc0c7975dfca813fe0b9890862649c26c5eea0e392648c66da491020e2818176c28bc89f1785159e9ed0f323748bc6e
SSDEEP

12288:zy2iNpukyFWjrH66dn1uoLeyFfyu0AHyJy/bppvmT6TQ/lEtYyVgh2eV:G1XukRjr5pcobFJHxr+NNos

Score

10^/10

remcos zgrat remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

127.0.0.1:56932

45.128.234.54:56932

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-D11KCU
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1980-7-0x0000000008240000-0x0000000008300000-memory.dmp	family_zgrat_v1

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

Payment Advice-BCS_ECS9522023032900460039_16922_952.exe

description	pid	process	target process
PID 1980 set thread context of 2964	1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2472 schtasks.exe

pid	process
2472	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Payment Advice-BCS_ECS9522023032900460039_16922_952.exepowershell.exepowershell.exe

pid	process
1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
2608	powershell.exe
2864	powershell.exe
1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Payment Advice-BCS_ECS9522023032900460039_16922_952.exe

pid process

2964 Payment Advice-BCS_ECS9522023032900460039_16922_952.exe

pid	process
2964	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Payment Advice-BCS_ECS9522023032900460039_16922_952.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

Payment Advice-BCS_ECS9522023032900460039_16922_952.exe

description	pid	process	target process
PID 1980 wrote to memory of 2864	1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe	powershell.exe
PID 1980 wrote to memory of 2864	1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe	powershell.exe
PID 1980 wrote to memory of 2864	1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe	powershell.exe
PID 1980 wrote to memory of 2864	1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe	powershell.exe
PID 1980 wrote to memory of 2608	1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe	powershell.exe
PID 1980 wrote to memory of 2608	1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe	powershell.exe
PID 1980 wrote to memory of 2608	1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe	powershell.exe
PID 1980 wrote to memory of 2608	1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe	powershell.exe
PID 1980 wrote to memory of 2472	1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe	schtasks.exe
PID 1980 wrote to memory of 2472	1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe	schtasks.exe
PID 1980 wrote to memory of 2472	1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe	schtasks.exe
PID 1980 wrote to memory of 2472	1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe	schtasks.exe
PID 1980 wrote to memory of 2964	1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 1980 wrote to memory of 2964	1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 1980 wrote to memory of 2964	1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 1980 wrote to memory of 2964	1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 1980 wrote to memory of 2964	1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 1980 wrote to memory of 2964	1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 1980 wrote to memory of 2964	1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 1980 wrote to memory of 2964	1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 1980 wrote to memory of 2964	1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 1980 wrote to memory of 2964	1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 1980 wrote to memory of 2964	1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 1980 wrote to memory of 2964	1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 1980 wrote to memory of 2964	1980	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe	Payment Advice-BCS_ECS9522023032900460039_16922_952.exe

C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XOXpOFSvB.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XOXpOFSvB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFEC9.tmp"
2⤵
- Creates scheduled task(s)
PID:2472

C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2964

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFEC9.tmp
Filesize
1KB

MD5
b0e136f8ea6281d13f08d10f06799ae3

SHA1
70274df5e272effcd14a02fed97e127c8915c463

SHA256
e6de63613a8436294f5c0563756639df9a4312a64b835b7eada3a5ae4058a3d1

SHA512
28ce0d27d755ff0c702d6488e55bdb0e1d807f8a9c338c1a2ce7da53d89761c26dd296901ef7ecee706f692f04b2de64c20b6ce167c9de07b1b0867bfa5f5972

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\948YRQV0ENS48FJIVYSM.temp
Filesize
7KB

MD5
fe3a08652c6658b3fba58266e195fcf7

SHA1
e3fe28af62f28231f10ea68764365992d615fb0c

SHA256
7a203df2da067fa2b93101830c52a121017ac0e010fa4af6374920240f743f29

SHA512
41e2532af1c9f2ff17f7598a8e6cddddc3ca9d5abcb22df435d0ffc843dbadd3c7443cfe60ed04b0bd7d90fca25596581a3fafa4e646c80869a6ff13a77952d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
fe3a08652c6658b3fba58266e195fcf7

SHA1
e3fe28af62f28231f10ea68764365992d615fb0c

SHA256
7a203df2da067fa2b93101830c52a121017ac0e010fa4af6374920240f743f29

SHA512
41e2532af1c9f2ff17f7598a8e6cddddc3ca9d5abcb22df435d0ffc843dbadd3c7443cfe60ed04b0bd7d90fca25596581a3fafa4e646c80869a6ff13a77952d7

Download Submit
memory/1980-5-0x00000000005E0000-0x0000000000620000-memory.dmp

Filesize
256KB

Download
memory/1980-0-0x0000000001200000-0x000000000130A000-memory.dmp

Filesize
1.0MB

Download
memory/1980-46-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/1980-6-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1980-7-0x0000000008240000-0x0000000008300000-memory.dmp

Filesize
768KB

Download
memory/1980-3-0x00000000003F0000-0x0000000000404000-memory.dmp

Filesize
80KB

Download
memory/1980-2-0x00000000005E0000-0x0000000000620000-memory.dmp

Filesize
256KB

Download
memory/1980-1-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/1980-20-0x0000000000D00000-0x0000000000D06000-memory.dmp

Filesize
24KB

Download
memory/1980-4-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/1980-21-0x0000000005ED0000-0x0000000005F50000-memory.dmp

Filesize
512KB

Download
memory/2608-22-0x000000006F890000-0x000000006FE3B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-24-0x00000000023E0000-0x0000000002420000-memory.dmp

Filesize
256KB

Download
memory/2608-25-0x000000006F890000-0x000000006FE3B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-54-0x000000006F890000-0x000000006FE3B000-memory.dmp

Filesize
5.7MB

Download
memory/2864-27-0x0000000001BE0000-0x0000000001C20000-memory.dmp

Filesize
256KB

Download
memory/2864-55-0x000000006F890000-0x000000006FE3B000-memory.dmp

Filesize
5.7MB

Download
memory/2864-23-0x000000006F890000-0x000000006FE3B000-memory.dmp

Filesize
5.7MB

Download
memory/2964-51-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-65-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-36-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-38-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-40-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-42-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2964-44-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-32-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-47-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-49-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-50-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-48-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-31-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-52-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-29-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-26-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-56-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-57-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-58-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-60-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-61-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-62-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-64-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-34-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-66-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-68-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-69-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-70-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-72-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-73-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-74-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-76-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-77-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-78-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-80-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-81-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-82-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-84-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-85-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-86-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-87-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-89-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-90-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-91-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-93-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-94-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2964-95-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download