remcos | c3a2868d22be2374f1cfc8284d5572350fcd8a69929c3ff476c1323d2eda7139

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INVO98765678000.exe
Size

656KB
MD5

0058da743288cb67e15afbfcb0ab6e1a
SHA1

99cde8486c006b735d1d5111d493303291a847fb
SHA256

412c4f354965eb514a79001b512c70e8d36e1d443fe599aca0916893eab369ef
SHA512

b0cb8a7279ad0e8e49b8b84738e009e93cc2e1e02a909ac88d929a374ff1e6aaa470c5226fcfe24969b4993a7d989a36432d948e1516635e32a1a79d1c06a966
SSDEEP

12288:RaoPTJIU4nr5Kfe8tNCqrKgj65I9ra/Q/fGHAW3A79hRff/aY:RDPFv4nVB8tNCqmgj6Ua/Q/fL97f6Y

Score

10^/10

remcos dollar persistence rat

Malware Config

Extracted

Family

remcos

Botnet

DOLLAR

107.175.229.139:8087

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-UZXQ9B
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
2916	deaegyz.exe
2688	deaegyz.exe

Loads dropped DLL 2 IoCs

pid	Process
2172	INVO98765678000.exe
2916	deaegyz.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\ttdyhqmvrbkg = "C:\\Users\\Admin\\AppData\\Roaming\\yudmiibbwgcluq\\jjfo.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\deaegyz.exe\" "	deaegyz.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2916 set thread context of 2688	2916	deaegyz.exe	30
PID 2688 set thread context of 2864	2688	deaegyz.exe	31
PID 2864 set thread context of 2592	2864	iexplore.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2916	deaegyz.exe
2688	deaegyz.exe
2864	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2592	iexplore.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2916	2172	INVO98765678000.exe	28
PID 2172 wrote to memory of 2916	2172	INVO98765678000.exe	28
PID 2172 wrote to memory of 2916	2172	INVO98765678000.exe	28
PID 2172 wrote to memory of 2916	2172	INVO98765678000.exe	28
PID 2916 wrote to memory of 2688	2916	deaegyz.exe	30
PID 2916 wrote to memory of 2688	2916	deaegyz.exe	30
PID 2916 wrote to memory of 2688	2916	deaegyz.exe	30
PID 2916 wrote to memory of 2688	2916	deaegyz.exe	30
PID 2916 wrote to memory of 2688	2916	deaegyz.exe	30
PID 2688 wrote to memory of 2864	2688	deaegyz.exe	31
PID 2688 wrote to memory of 2864	2688	deaegyz.exe	31
PID 2688 wrote to memory of 2864	2688	deaegyz.exe	31
PID 2688 wrote to memory of 2864	2688	deaegyz.exe	31
PID 2688 wrote to memory of 2864	2688	deaegyz.exe	31
PID 2864 wrote to memory of 2592	2864	iexplore.exe	33
PID 2864 wrote to memory of 2592	2864	iexplore.exe	33
PID 2864 wrote to memory of 2592	2864	iexplore.exe	33
PID 2864 wrote to memory of 2592	2864	iexplore.exe	33
PID 2864 wrote to memory of 2592	2864	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\INVO98765678000.exe
"C:\Users\Admin\AppData\Local\Temp\INVO98765678000.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\deaegyz.exe
  "C:\Users\Admin\AppData\Local\Temp\deaegyz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\deaegyz.exe
    "C:\Users\Admin\AppData\Local\Temp\deaegyz.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - \??\c:\program files (x86)\internet explorer\iexplore.exe
      "c:\program files (x86)\internet explorer\iexplore.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2864
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
98ab235a2f4c62153edf541145c687e6

SHA1
33788c01417ebb49a54163970045b02dca45836f

SHA256
9da1b2034dce657d46a3d876a63a0fa11b32bc420ce7972fb545bd4655db8bd6

SHA512
2ec29fe79aec7d1bb0ae3a6022f2ff92a786bf06d1220d15d6295a94550005bb6a1f9cfc81b9df3a6620c8c04ec036006255172f2d6bd456e26a041e6c47a8dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\deaegyz.exe

Filesize
209KB

MD5
bc88ecd849900e01d4889ae7a1a175ad

SHA1
2e19a317b50f81d065511de73b2d78fafe074e07

SHA256
86589495ceaa1d1e895d1c36536fb968f7617db8b4e0d25c433fd613dd237c3e

SHA512
cf7829687e8f07e0822c124f493965dd014888dbcf82f4708bd3eb1ca65a246287fdb4348453fc2b4232c936be31a61212521806d04a7ae7814fda727dda1a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\midxwnqijin.ekx

Filesize
372KB

MD5
0c14ac2250d04f81a254beb672bd3a3f

SHA1
5a2d4cf7d55b500ecd6a735de0d5147ffd0de465

SHA256
c12e887004c281185af263d9fb07ae05f1129f55c8c281690ecc6196aaf1380b

SHA512
e510b712b39af9792aeb91ed27acb6d6e0ae06b4557758a8b2d05a23963a0cf7b819949cc47494209c85ef187b78c0cbd1db43d4da19e4010d691a92b2634655

Download Submit
\Users\Admin\AppData\Local\Temp\deaegyz.exe

Filesize
96KB

MD5
bb4dfde2de1ac53b7f2320323c580dbc

SHA1
6a1c28ceae75649c1f4c76d7ff138ebb293e93b6

SHA256
8339faa3b551cca915a0c01c7700462914aaf5b2c70d323ac2598989ea872c1e

SHA512
240f3e1282daae08bfbf05a21501357dec12f3ffd8b1adb00974b37fa6c0654ccd3eb95bbd7a0d3028991dcb43d8d23c2c9a966876810c4adf76b95de94afa96

Download Submit
\Users\Admin\AppData\Local\Temp\deaegyz.exe

Filesize
478KB

MD5
49900e1a853294ac5e03deb77c041e08

SHA1
0c5b28c9caa6597dd4112772e973faad121aff55

SHA256
148662d819b02305d0eb2c78630e218985ce18529a3729ca1aa4d8926b75e5af

SHA512
34cb6dce4838bf1b6524e24082f133ceab731198f20af3296ae2103fbaf56e0940164208f17d7bf2593181ade88dd042e29e2fd44d5f4b929606013543b5daf8

Download Submit
memory/2592-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-94-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-57-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-92-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-90-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-89-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-49-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-50-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-51-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-88-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-87-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-93-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-85-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-60-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-66-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-70-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-73-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-74-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-78-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-79-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-80-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-82-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2688-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2688-11-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2688-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2688-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2864-24-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2864-23-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2864-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2864-19-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2916-6-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads