remcos | 562241f9da20b93ee8d5e711ad3efad80dbb67c75ae8c32e15885514f39ce204

General

Target

21d6b0b5356751ad940fe771c4d90ac6.exe
Size

1.7MB
MD5

21d6b0b5356751ad940fe771c4d90ac6
SHA1

22f6a7c621f6565d82d790b76b0a78407f9131a0
SHA256

562241f9da20b93ee8d5e711ad3efad80dbb67c75ae8c32e15885514f39ce204
SHA512

396593bfc71fdcbaa44d7e3e244d7b01059eeab0a10b11e5459b3818c83a40e546c804924c39cb24016b4d6fd2e3ece1d3971bbbe7b18b0bdc6264baa849cd28
SSDEEP

49152:qZ/JOew+by5HTXHJWFUrUrFvXAmUn6hRvIDtl+nQLB54shSvzsXL/:qZ/JVw+ITw9FYmUn69IDSnQLBPhrb/

Score

10^/10

remcos host persistence rat upx

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

185.140.53.37:1900

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%WinDir%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
remcos_ewbkendenhpkpep
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	test.exe

Executes dropped EXE 4 IoCs

pid	Process
544	test.exe
4180	test.exe
2064	remcos.exe
2520	remcos.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1372-0-0x0000000000400000-0x000000000077F000-memory.dmp	upx
behavioral2/files/0x000200000001fafe-3.dat	upx
behavioral2/files/0x000200000001fafe-5.dat	upx
behavioral2/memory/544-4-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/files/0x000200000001fafe-10.dat	upx
behavioral2/memory/1372-14-0x0000000000400000-0x000000000077F000-memory.dmp	upx
behavioral2/memory/544-12-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/2064-31-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/files/0x00080000000231fb-29.dat	upx
behavioral2/memory/2064-26-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/files/0x00080000000231fb-25.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\remcos\\remcos.exe\""	test.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 544 set thread context of 4180	544	test.exe	92
PID 2064 set thread context of 2520	2064	remcos.exe	100

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\remcos\remcos.exe	test.exe
File opened for modification	C:\Windows\remcos\remcos.exe	test.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2684	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
544	test.exe
544	test.exe
2064	remcos.exe
2064	remcos.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
544	test.exe
2064	remcos.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 4712	1372	21d6b0b5356751ad940fe771c4d90ac6.exe	90
PID 1372 wrote to memory of 4712	1372	21d6b0b5356751ad940fe771c4d90ac6.exe	90
PID 1372 wrote to memory of 4712	1372	21d6b0b5356751ad940fe771c4d90ac6.exe	90
PID 4712 wrote to memory of 544	4712	cmd.exe	91
PID 4712 wrote to memory of 544	4712	cmd.exe	91
PID 4712 wrote to memory of 544	4712	cmd.exe	91
PID 544 wrote to memory of 4180	544	test.exe	92
PID 544 wrote to memory of 4180	544	test.exe	92
PID 544 wrote to memory of 4180	544	test.exe	92
PID 4180 wrote to memory of 4852	4180	test.exe	98
PID 4180 wrote to memory of 4852	4180	test.exe	98
PID 4180 wrote to memory of 4852	4180	test.exe	98
PID 4852 wrote to memory of 2684	4852	cmd.exe	94
PID 4852 wrote to memory of 2684	4852	cmd.exe	94
PID 4852 wrote to memory of 2684	4852	cmd.exe	94
PID 4852 wrote to memory of 2064	4852	cmd.exe	99
PID 4852 wrote to memory of 2064	4852	cmd.exe	99
PID 4852 wrote to memory of 2064	4852	cmd.exe	99
PID 2064 wrote to memory of 2520	2064	remcos.exe	100
PID 2064 wrote to memory of 2520	2064	remcos.exe	100
PID 2064 wrote to memory of 2520	2064	remcos.exe	100

C:\Users\Admin\AppData\Local\Temp\21d6b0b5356751ad940fe771c4d90ac6.exe
"C:\Users\Admin\AppData\Local\Temp\21d6b0b5356751ad940fe771c4d90ac6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    test.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      test.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:4180
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4852
      - C:\Windows\remcos\remcos.exe
        
        "C:\Windows\remcos\remcos.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\remcos\remcos.exe
        
        "C:\Windows\remcos\remcos.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2520

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
1⤵
- Runs ping.exe
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
79B

MD5
e31c5298e512a57c08e540781b438406

SHA1
518d7fceb915e513207e90e9881f732b38cdaddc

SHA256
90c22d29540b16f794cd58a9153c03dd96a0541851f875b549273c2ffdc63a36

SHA512
828530316d7fce6f44b91f026878b0d46cc55a4d8cb6d5c2aa7e7d1f00b3f442578acd1b2ed1199b1ca70177bf08a3ed235508aa0bedfe079d13349c1619e8b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
97KB

MD5
30288541f473de792c4ee861ccff1da7

SHA1
50f50edd2acb76a11b04aaca278ea2a313c98159

SHA256
01db620d3b3b6b8b56779947b23a9c71d4eba9e6241029ce2d52c86adb87b962

SHA512
6bf2dcda94a20993dd4ab3591a897751555bb87ca7a464b04f2eafd0bbab2fc78aade353bb9e00d8ee690a22d831dc834dd66d1701fd85c3591de15f3b9b90d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
402KB

MD5
36184baad191dcb3f2d077119535109a

SHA1
3fd953cdb314408845bbd587b77eb47c1db31720

SHA256
b47adb5a41cc1bfa622199a3e3a5213ab6668f32028fa0ecaa95b383597e1c0e

SHA512
fe049d0623c23a68b6a7d8efbdb935365bbc597998feb5cc6d089c202bcd37f24b45c64edc5370b05f67542efd544937d049551f6a085b1fae2afcb3f7277e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
240KB

MD5
8779078f355bb89d700d06867a7cd8ac

SHA1
d2ff7bd58d393d2928a55c96ebdaca2b724ebcf9

SHA256
d1feb2a09d4181393c29092e2de269621dfb93f330607057b1cd7227d43b4832

SHA512
a169f75ca10e076be49dcf1380dc01844ab075ba4a8daaafe7f50d883901cde5159608107b88b78f48e1e78032e93ee5d666268ced8ec5b9dc53fd15c687695b

Download Submit
C:\Windows\remcos\remcos.exe

Filesize
356KB

MD5
23d758c60545a7d0d846cfb8c9d60490

SHA1
5a66cb6de4433c1e7b0c0ea86d0d0fb43f87dc3a

SHA256
04131629dda00f30147045644f67091f690562c521043537d011f5f9f5ce4184

SHA512
18ae2fa0e23e12783228d3aa9fcd1b9ea038aa8ac29706f62d7ff2abb49e07a4346aa16788e613c391b7e477d0aa42accf808934fd24cad80f7ac67020ed2b5e

Download Submit
C:\Windows\remcos\remcos.exe

Filesize
57KB

MD5
1df3dfc7624da1c05fee6908049145ca

SHA1
907f31b0e5fb3173a9e6492a37017f95ccb5e68c

SHA256
75b0ff3e6a84551741412ccf2449f6c0b8fc410383e28746adce84eaf1dcc230

SHA512
e4c32043c0e21708c9b9f1c59b8c1e7f2b1cf4760b8691cfc1ecd0e5c8538dc5f58bb0fe09a48a7172ffd314415ad23e0902e8e20a1f3f31ac2542ae003fb9bf

Download Submit
memory/544-8-0x0000000002970000-0x000000000297B000-memory.dmp

Filesize
44KB

Download
memory/544-4-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/544-9-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/544-6-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/544-12-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1372-14-0x0000000000400000-0x000000000077F000-memory.dmp

Filesize
3.5MB

Download
memory/1372-0-0x0000000000400000-0x000000000077F000-memory.dmp

Filesize
3.5MB

Download
memory/2064-31-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2064-32-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2064-26-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2064-27-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/2520-34-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2520-33-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2520-35-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2520-37-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2520-40-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2520-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2520-45-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2520-47-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4180-7-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4180-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4180-13-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4180-17-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads