remcos | cd87df4de222e57b4a9426eb12eaa4ea5af3e1bd7a3a3801f235b50d2b8443c0

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

167d4dc0ea6322fb7123af5e5511a168.exe
Size

809KB
MD5

167d4dc0ea6322fb7123af5e5511a168
SHA1

6ec775aa75e806401f229a01802a508aa2f34cf2
SHA256

cd87df4de222e57b4a9426eb12eaa4ea5af3e1bd7a3a3801f235b50d2b8443c0
SHA512

5a38539bb04a1b0423894431df53674d172be3c8d68db836c93e20ec4d842be97a139aeee5cda9b04ed8daa13b4f477f8c9de948fc92d44fe3b9da964567db10
SSDEEP

12288:zG/onGprkMB62cAyPacr+DV8zNYREk7joM9uaHgVnHGAvKY:X062cSEk8zNYeM8wXgVnHDyY

Score

10^/10

remcos 5001 rat

Malware Config

Extracted

Family

remcos

Version

2.7.2 Pro

Botnet

5001

168.119.2.184:5001

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
logss
keylog_path
%Temp%
mouse_option
false
mutex
Remcos-KEN7WH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iesysprep.lnk	MSBuild.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2608 set thread context of 1496	2608	MSBuild.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1496	RegAsm.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2700	2140	167d4dc0ea6322fb7123af5e5511a168.exe	28
PID 2140 wrote to memory of 2700	2140	167d4dc0ea6322fb7123af5e5511a168.exe	28
PID 2140 wrote to memory of 2700	2140	167d4dc0ea6322fb7123af5e5511a168.exe	28
PID 2140 wrote to memory of 2700	2140	167d4dc0ea6322fb7123af5e5511a168.exe	28
PID 2700 wrote to memory of 2608	2700	mshta.exe	29
PID 2700 wrote to memory of 2608	2700	mshta.exe	29
PID 2700 wrote to memory of 2608	2700	mshta.exe	29
PID 2700 wrote to memory of 2608	2700	mshta.exe	29
PID 2608 wrote to memory of 2480	2608	MSBuild.exe	32
PID 2608 wrote to memory of 2480	2608	MSBuild.exe	32
PID 2608 wrote to memory of 2480	2608	MSBuild.exe	32
PID 2608 wrote to memory of 2480	2608	MSBuild.exe	32
PID 2480 wrote to memory of 572	2480	csc.exe	33
PID 2480 wrote to memory of 572	2480	csc.exe	33
PID 2480 wrote to memory of 572	2480	csc.exe	33
PID 2480 wrote to memory of 572	2480	csc.exe	33
PID 2608 wrote to memory of 1496	2608	MSBuild.exe	34
PID 2608 wrote to memory of 1496	2608	MSBuild.exe	34
PID 2608 wrote to memory of 1496	2608	MSBuild.exe	34
PID 2608 wrote to memory of 1496	2608	MSBuild.exe	34
PID 2608 wrote to memory of 1496	2608	MSBuild.exe	34
PID 2608 wrote to memory of 1496	2608	MSBuild.exe	34
PID 2608 wrote to memory of 1496	2608	MSBuild.exe	34
PID 2608 wrote to memory of 1496	2608	MSBuild.exe	34
PID 2608 wrote to memory of 1496	2608	MSBuild.exe	34
PID 2608 wrote to memory of 1496	2608	MSBuild.exe	34
PID 2608 wrote to memory of 1496	2608	MSBuild.exe	34
PID 2608 wrote to memory of 1496	2608	MSBuild.exe	34
PID 2608 wrote to memory of 1496	2608	MSBuild.exe	34
PID 2608 wrote to memory of 1496	2608	MSBuild.exe	34

C:\Users\Admin\AppData\Local\Temp\167d4dc0ea6322fb7123af5e5511a168.exe
"C:\Users\Admin\AppData\Local\Temp\167d4dc0ea6322fb7123af5e5511a168.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\iesysprep.hta"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" "C:\Users\Admin\AppData\iesysprep.url"
    3⤵
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0atofo3g\0atofo3g.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB960.tmp" "c:\Users\Admin\AppData\Local\Temp\0atofo3g\CSC3146275B4E645138F4D25FCC6723BDB.TMP"
        5⤵
        
        PID:572
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0atofo3g\0atofo3g.dll

Filesize
138KB

MD5
2ad43443667579a84094fbdbcb1d1904

SHA1
688e7c2acb1eac9d7d42e0d7e7deff9e898683cf

SHA256
a8726172f2ce1aef552c2678313975176e102b266a31887720ca79e5716e86f0

SHA512
d40a0bddbb5825980b8f4d500ea86c15a42e525a1fc584d2848acf7c8dac1447a20abc392ba23f69df51463d91aa704ed5312b9a7dee706872d84cf2eb4c8d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0atofo3g\0atofo3g.pdb

Filesize
13KB

MD5
92c928a3f9a3f008382196a56ee32199

SHA1
b8a35e9d9af392e3e1fcac5fe7f29a70283037dd

SHA256
5e316b0aaa164b94f43fc582d642137c550ad84ae0e74d3a43e25097a5dfa330

SHA512
c84a2b380ea892fa0bde270e15d1c5ac4f71272f08827cd81bcd18e45d5e587a8e8b788e4d95721df65cc505cfb5d46620bae99deb691f86390ccb941bfd506c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB960.tmp

Filesize
1KB

MD5
135df2e433fe25fb7862e08d14c4bc06

SHA1
93782368c89a8969e513469dee95e365ccd2adf5

SHA256
491414a7b461f1088e88da034c32245c1b769ef77b719bdbf37a2c23abbce540

SHA512
0a9a934da3e54ea5e06ba8db57c277152e2baa7de1eea880b5de3c3c765ef37b8588048d8aa11a9481a96311be9b1970b7047a4c82ab7b654f00d4479342472f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iesysprep.hta

Filesize
1.3MB

MD5
6957dc055e7db6ca54254d6867c08c9e

SHA1
54d3b954fd1b5b9d3e8dd0f5938e07ce28bb106f

SHA256
98a096897d7e1b05f0b70cfab38a11c850875cbd04e87395e13475ef8e7d1bdd

SHA512
e93c8bb17ae9a5e0bb563b9ec0d4770f46cc1957e0b194ca550a319e892a9448dcf4bb3adef184048554d6f78a49acbf5ff5f85d7759ba37a2aabdf219f0bee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\logss\logs.dat

Filesize
74B

MD5
a44fa91bed7d828ea1afc89edffec8a0

SHA1
eec2f8906bd0060ed47d7b0235820a61870305a2

SHA256
7668fb98a8ec8e20e64a5085caf13d1a9feaef307ca240606a9b4e84c495d1a8

SHA512
2af482d7e3cf6741e474bb00082168f220c299fcd890604237f07a8dd8f804d3af9db3207f001bff140f2660b361340d05360523d0d9b41efc1b843ef2c84082

Download Submit
C:\Users\Admin\AppData\iesysprep.url

Filesize
448KB

MD5
87d613efebbd50be6bf975c12a13f24b

SHA1
cffcd83d620853c7acb0b926b7e9dbbd0ca43e8a

SHA256
d7dd05a647a27c7cc3802b039e64fafd179f09e6a851d679c9e57eb36ca4e657

SHA512
e75926b9a77656399f2ad951f1afb95f6a236324afc83be753158c7ea938c4b319463198e38552694dbe919863097def709bcfe2f1b6b377ee930cf0635b1655

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0atofo3g\0atofo3g.0.cs

Filesize
448KB

MD5
1d99936c9c23c098d66df81b3046a810

SHA1
d30102b846c7a0db1d79e515c5cba5e953ccb6be

SHA256
e4f82c3f3b5e7db89b8ea58509155ba371fb91191fded8b98edf791c8a78295b

SHA512
2d49582726b11be922c9d001274ea8ac840f74f542b4be33af6c11c458f9012fd04724dd0740e965213ddcfa8955d65cd36261c3776c28065e1d8e0e6a8d0715

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0atofo3g\0atofo3g.cmdline

Filesize
660B

MD5
61fb3adcbba7391ee12fc8493b1f83ea

SHA1
fe70e8da285da3a1b1441ea0b4aac32bdd9bff16

SHA256
e51545ae7c49774ad61b64658c3d6e7955026fbd3e0aa2e4cd921909511121a1

SHA512
ca03aa0f2693c3a44a018c10cd23428d832fe68f668071f14f8c4e807caee738973439f44a8434e83ec534282beffbef236954047fd88200ff522d5f1981510d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0atofo3g\CSC3146275B4E645138F4D25FCC6723BDB.TMP

Filesize
652B

MD5
5ba208cafbceeac99f020782f50adb63

SHA1
135fe944548633b9b9ca18c078a1eeaa9114d87a

SHA256
32c74078cbb5e5f400433874397b923bec16b3994c4033e19a70b827f3780ef8

SHA512
408805dd501773162ec1690c1faf278380e04e970d8370a46104a253e30d64881d5af455c0734b298eaa87443b369b02940a0e2d8508a51fd93fd285d296eea5

Download Submit
memory/1496-56-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1496-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1496-60-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1496-53-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1496-57-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1496-59-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1496-63-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1496-48-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1496-51-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1496-38-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1496-40-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1496-42-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1496-44-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1496-46-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2608-17-0x0000000005190000-0x000000000530A000-memory.dmp

Filesize
1.5MB

Download
memory/2608-37-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/2608-33-0x0000000000B90000-0x0000000000BBA000-memory.dmp

Filesize
168KB

Download
memory/2608-18-0x0000000005190000-0x00000000054F4000-memory.dmp

Filesize
3.4MB

Download
memory/2608-54-0x0000000071BD0000-0x00000000722BE000-memory.dmp

Filesize
6.9MB

Download
memory/2608-16-0x0000000000820000-0x000000000083A000-memory.dmp

Filesize
104KB

Download
memory/2608-15-0x0000000000B90000-0x0000000000BD4000-memory.dmp

Filesize
272KB

Download
memory/2608-14-0x00000000052C0000-0x00000000053E2000-memory.dmp

Filesize
1.1MB

Download
memory/2608-13-0x0000000005190000-0x00000000052B2000-memory.dmp

Filesize
1.1MB

Download
memory/2608-10-0x0000000000BF0000-0x0000000000C30000-memory.dmp

Filesize
256KB

Download
memory/2608-11-0x0000000071BD0000-0x00000000722BE000-memory.dmp

Filesize
6.9MB

Download