remcos | 2693175d4d61b0e6376fafa58ab6b9e61f90142373b1a2fb26203f2364127deb

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 10:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2.scr
Size

1.3MB
MD5

9b09819ba215db689d11bf5d243b919c
SHA1

fb29fd3c4f21ebaaca3da9a0d6e74c20279fbc4c
SHA256

2693175d4d61b0e6376fafa58ab6b9e61f90142373b1a2fb26203f2364127deb
SHA512

0887d1b599c85ad360d3d822a78eb5660b1a6cdb17a23cb521c7120f675b315f48a8a1412173038971fa466d447761778518e64d2c5da98a8b9fa86dd4a61135
SSDEEP

24576:cqDEvCTbMWu7rQYlBQcBiT6rprG8aX4H4444Ck9HHfeMytguVxOGzMJ8y4jfkQ8/:cTvC/MTQYxsWR7aX4H4444Ck92MGgpGQ

Score

10^/10

remcos pc collection persistence rat

Malware Config

Extracted

Family

remcos

Botnet

107.175.229.139:8087

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-X5MJYU
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/2220-96-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral2/memory/2220-92-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/792-94-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/792-104-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

resource	yara_rule
behavioral2/memory/792-94-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/2220-96-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/2952-101-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2220-92-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/2952-102-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/792-104-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	rhombical.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rhombical.vbs	rhombical.exe

Executes dropped EXE 2 IoCs

pid	Process
2700	rhombical.exe
3840	remcos.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	iexplore.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-X5MJYU = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	rhombical.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-X5MJYU = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	rhombical.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-X5MJYU = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-X5MJYU = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe

AutoIT Executable 10 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0003000000022752-13.dat	autoit_exe
behavioral2/files/0x0003000000022752-14.dat	autoit_exe
behavioral2/files/0x0006000000023239-31.dat	autoit_exe
behavioral2/files/0x0006000000023239-38.dat	autoit_exe
behavioral2/files/0x0006000000023239-40.dat	autoit_exe
behavioral2/memory/3436-54-0x0000000001390000-0x00000000014EE000-memory.dmp	autoit_exe
behavioral2/memory/3436-55-0x0000000001390000-0x00000000014EE000-memory.dmp	autoit_exe
behavioral2/memory/3436-57-0x0000000001390000-0x00000000014EE000-memory.dmp	autoit_exe
behavioral2/memory/3436-58-0x0000000001390000-0x00000000014EE000-memory.dmp	autoit_exe
behavioral2/memory/3436-116-0x0000000001390000-0x00000000014EE000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3840 set thread context of 3436	3840	remcos.exe	97
PID 3436 set thread context of 792	3436	iexplore.exe	98
PID 3436 set thread context of 2220	3436	iexplore.exe	99
PID 3436 set thread context of 2952	3436	iexplore.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
792	iexplore.exe
792	iexplore.exe
2952	iexplore.exe
2952	iexplore.exe
792	iexplore.exe
792	iexplore.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
3840	remcos.exe
3436	iexplore.exe
3436	iexplore.exe
3436	iexplore.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2952	iexplore.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 2700	4416	2.scr	92
PID 4416 wrote to memory of 2700	4416	2.scr	92
PID 4416 wrote to memory of 2700	4416	2.scr	92
PID 2700 wrote to memory of 3840	2700	rhombical.exe	96
PID 2700 wrote to memory of 3840	2700	rhombical.exe	96
PID 2700 wrote to memory of 3840	2700	rhombical.exe	96
PID 3840 wrote to memory of 3436	3840	remcos.exe	97
PID 3840 wrote to memory of 3436	3840	remcos.exe	97
PID 3840 wrote to memory of 3436	3840	remcos.exe	97
PID 3840 wrote to memory of 3436	3840	remcos.exe	97
PID 3436 wrote to memory of 792	3436	iexplore.exe	98
PID 3436 wrote to memory of 792	3436	iexplore.exe	98
PID 3436 wrote to memory of 792	3436	iexplore.exe	98
PID 3436 wrote to memory of 792	3436	iexplore.exe	98
PID 3436 wrote to memory of 2220	3436	iexplore.exe	99
PID 3436 wrote to memory of 2220	3436	iexplore.exe	99
PID 3436 wrote to memory of 2220	3436	iexplore.exe	99
PID 3436 wrote to memory of 2220	3436	iexplore.exe	99
PID 3436 wrote to memory of 2952	3436	iexplore.exe	100
PID 3436 wrote to memory of 2952	3436	iexplore.exe	100
PID 3436 wrote to memory of 2952	3436	iexplore.exe	100
PID 3436 wrote to memory of 2952	3436	iexplore.exe	100

C:\Users\Admin\AppData\Local\Temp\2.scr
"C:\Users\Admin\AppData\Local\Temp\2.scr" /S
1⤵
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Users\Admin\AppData\Local\caulds\rhombical.exe
  "C:\Users\Admin\AppData\Local\Temp\2.scr" /S
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3840
  - - \??\c:\program files (x86)\internet explorer\iexplore.exe
      "c:\program files (x86)\internet explorer\iexplore.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:3436
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\etpvxq"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:792
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\onuoyjomln"
        5⤵
        Accesses Microsoft Outlook accounts
        
        PID:2220
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\rhayzbzgzvbwu"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\logs.dat

Filesize
144B

MD5
5a9b2dcdbe54a7f4d02651d6775778f3

SHA1
0048ef0fb9a292cf21a3d9e7ced2b6580c0260db

SHA256
4bcb9e00a1478d418d894c67149eed409bdb3027117052cbc31d489f0c67985a

SHA512
e0eccd8e38e396dbeac5c7e22476d2224ae976f79e179380897ac9ac6f13b02bc60720c70e59b31d24493e1efe2544999e4083b2bcf21c1ea77ea6d7fc55c407

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
1.9MB

MD5
2b2fef3553ae3e4b29416f95e89e0eaf

SHA1
55e6525994615de271dc6d63d33bd7d5301c3e50

SHA256
a49fe8cbb0fb2e9edbe92b3fe159a4fa874315a75e8931d4065d9c290f795f18

SHA512
4c839d0896b0898f697339deb82f950b521c0d044a26e238c171adc41a674425560e5536d017527306790cc6756beb0d6fa11a4e097b0a05ff3dca50005aa41d

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
527KB

MD5
07adc5d871b631e30ce6c363d4d7f402

SHA1
9aea2ddf238dab43437478926c5c199d4603bab2

SHA256
88784777b90543778d0a65f41d3f993a36144646c42232b975fa03a54ec8a658

SHA512
0c2bca04d4ceb609b113ad44afe835fd9f66246870c947f953224e33c1fa0edbde1ffc5dc491962d0ae2f32ac2de7a8758048347b3d71822c83299953efdae82

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
711KB

MD5
833f188375ae3aaaa63a720de1c8254a

SHA1
a30a166d5bdb4d523ef98c703203431b59d95e39

SHA256
d595f2a6a54c2e158eea4e3e8b9498ab9c654ba38b409be6237b87474a5e2da1

SHA512
8b443217af603c2637f354f6b9ed19778d1f39f67d8ab14a77321692a455a3a433560aade3129840b8f7c414c238f7ad522de3d981d66050f091cfd52ad904fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\autA076.tmp

Filesize
399KB

MD5
f7a418c04bf1302712c6a41db18b3ec5

SHA1
8f1fe9e0ec7aac3f80ac88e62fbfc050481b3a88

SHA256
3cea15e12b32a4e776f7e9e1fc460c1f4b0940be5c137ccc7283ffbab1d962c3

SHA512
16605bcfa781f5a6571e1c13c8da663d1e15af1878c01d8c8acf7057887fec85651c55846fe06ff4a9470b4ea14607c42ead9b66abd8eef844001b4473f9b437

Download Submit
C:\Users\Admin\AppData\Local\Temp\autA0F4.tmp

Filesize
9KB

MD5
072437d34391704679dd00605b4babf1

SHA1
385874985bcfd10b26646f3b5c0740767fb17699

SHA256
d13e11c016e13fb3adf718f3d33ce136564a8225001e22027da6fee3429c4397

SHA512
48b36ba1c8b4d20d860437f9e3735118ce2a259b67a452dc92db58afbfb095a6444381eacd77e4519a047cdf2d4653b3f34da7bf54407a3792a0b883b46af4f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\etpvxq

Filesize
4KB

MD5
36d8afcc508db22768f4a9d83187a515

SHA1
256cc1bf3150d1f0504ec452d67564d471617591

SHA256
439774341ec7cb11308989acce149b2b2d84ff071f449e228578863a8364fa31

SHA512
3993d04cc39d50447e829ae8b36e04635a6fc3784bda73dacf9acc445a804d2659bdb79ff6f953a1e18f985ec39d6b1299a33aa836fdde45e02163faed2d6acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\phytographical

Filesize
28KB

MD5
e9c3487e18f02a26afec6b8525e5ad13

SHA1
4acf63278ad3aa75dc73dac5dd53e242deccb5f9

SHA256
242dceb727cef89862f0b17fa17d322fb50b7c1a67179aae65b355228da60acb

SHA512
ed8c69f13e11b42563ddb1c87c6700f01fa77f32a58a19f03b14c38f84e8c276704055f7d6fcc7e655a47f1fa1943d7148e928125ee4512ba8033e1e300aebf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\renowner

Filesize
482KB

MD5
d4a57340a82aa655df00022d81d98675

SHA1
30c124061b858c44546b80a0aec240f9362ca556

SHA256
182b3e1bc256d1546158206de8e2b23371ea7d83c2f9a1b070ba02471c60a746

SHA512
8d4f5530cec31adf96149d448aa16fcc40e0a668f81e2dbc7bfb53eb08f1898a2c3f3183197073c3befa61d968be37524c24e2f23e9a8182490e2055760f390f

Download Submit
C:\Users\Admin\AppData\Local\caulds\rhombical.exe

Filesize
7.5MB

MD5
238645c0b9dd26d0f354436936b9a28c

SHA1
aca136e2cef1509ae8d0ad3de1dd5388b3206c57

SHA256
b3066005fc8c7a241bb6e675becaf16ddd55f7c878a1a22d85fe932d8ae7b6e8

SHA512
ac30e36c145138d42db7000709c5f9eda6e856632abee39de5f4a086c93e79c595890ea951edc491d61a4df685622620e6ada830ac0a59c54aaf22bee39ffffa

Download Submit
C:\Users\Admin\AppData\Local\caulds\rhombical.exe

Filesize
8.8MB

MD5
3fc9e0ae17eaa91f06768415404739da

SHA1
36dba9065351bd5cbc72850d3e77fac8413d8f19

SHA256
fd2c000f607593940396294723e88c461ce598e2adef05347e8a8e231f77f4a2

SHA512
22c42819a2c78002acc81ca826ac79e93a9b7772fb04f55ea5883d52702e18c450e3baff996b18502ef4fa8196a6a4a07e2ac2db6018d6e3ff33635b40ec8a5c

Download Submit
memory/792-94-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/792-104-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/792-88-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/792-84-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2220-90-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2220-85-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2220-92-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2220-96-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2700-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2700-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2952-101-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2952-89-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2952-95-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2952-102-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3436-113-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3436-109-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3436-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-80-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-79-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-78-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-76-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-74-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-58-0x0000000001390000-0x00000000014EE000-memory.dmp

Filesize
1.4MB

Download
memory/3436-57-0x0000000001390000-0x00000000014EE000-memory.dmp

Filesize
1.4MB

Download
memory/3436-55-0x0000000001390000-0x00000000014EE000-memory.dmp

Filesize
1.4MB

Download
memory/3436-144-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-81-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-143-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-112-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-110-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3436-111-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3436-106-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3436-54-0x0000000001390000-0x00000000014EE000-memory.dmp

Filesize
1.4MB

Download
memory/3436-116-0x0000000001390000-0x00000000014EE000-memory.dmp

Filesize
1.4MB

Download
memory/3436-117-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-118-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-120-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-136-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-126-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3436-135-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3840-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3840-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4416-10-0x00000000013C0000-0x00000000013C4000-memory.dmp

Filesize
16KB

Download