remcos | 438b28e431212ff427da7daac3aa292279653fce1c4fcefa29b7fafb61beaa39

General

Target

72d9328652d8cdcab7d7efb7d97263a5.exe
Size

1.2MB
MD5

72d9328652d8cdcab7d7efb7d97263a5
SHA1

69a36d2e0d603bf4d172a832b3bc66961c1fdca8
SHA256

438b28e431212ff427da7daac3aa292279653fce1c4fcefa29b7fafb61beaa39
SHA512

094eccb8b09ac04f624e83bb9c8ce4b3f632114c921815596698623f754e72e3515cb5dbd4a0404b850cbf63bac497d1b768917f64f276f54976234bce848af3
SSDEEP

24576:Si/6oq/d3EeCGf7r6Mobb1zUzgcn4SYRM:SiqPfR41zUzdnCR

Score

10^/10

remcos new1 persistence rat

Malware Config

Extracted

Family

remcos

Version

3.1.5 Pro

Botnet

new1

C2

172.93.187.66:1642

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-BLXH2T
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral2/memory/4688-7-0x0000000005290000-0x00000000052A2000-memory.dmp	CustAttr

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

remcos.exe72d9328652d8cdcab7d7efb7d97263a5.exe72d9328652d8cdcab7d7efb7d97263a5.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	72d9328652d8cdcab7d7efb7d97263a5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	72d9328652d8cdcab7d7efb7d97263a5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

Processes:

remcos.exeremcos.exe

pid process

2340 remcos.exe
3820 remcos.exe

pid	process
2340	remcos.exe
3820	remcos.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

72d9328652d8cdcab7d7efb7d97263a5.exeremcos.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	72d9328652d8cdcab7d7efb7d97263a5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

72d9328652d8cdcab7d7efb7d97263a5.exeremcos.exe

description	pid	process	target process
PID 4688 set thread context of 1108	4688	72d9328652d8cdcab7d7efb7d97263a5.exe	72d9328652d8cdcab7d7efb7d97263a5.exe
PID 2340 set thread context of 3820	2340	remcos.exe	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4300 schtasks.exe
2484 schtasks.exe

pid	process
4300	schtasks.exe
2484	schtasks.exe

Modifies registry class 1 IoCs

Processes:

72d9328652d8cdcab7d7efb7d97263a5.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	72d9328652d8cdcab7d7efb7d97263a5.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

72d9328652d8cdcab7d7efb7d97263a5.exeremcos.exe

pid process

4688 72d9328652d8cdcab7d7efb7d97263a5.exe
2340 remcos.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

72d9328652d8cdcab7d7efb7d97263a5.exeremcos.exe

description pid process

Token: SeDebugPrivilege 4688 72d9328652d8cdcab7d7efb7d97263a5.exe
Token: SeDebugPrivilege 2340 remcos.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

3820 remcos.exe

pid	process
4688	72d9328652d8cdcab7d7efb7d97263a5.exe
2340	remcos.exe

description	pid	process
Token: SeDebugPrivilege	4688	72d9328652d8cdcab7d7efb7d97263a5.exe
Token: SeDebugPrivilege	2340	remcos.exe

pid	process
3820	remcos.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

72d9328652d8cdcab7d7efb7d97263a5.exe72d9328652d8cdcab7d7efb7d97263a5.exeWScript.execmd.exeremcos.exe

description	pid	process	target process
PID 4688 wrote to memory of 4300	4688	72d9328652d8cdcab7d7efb7d97263a5.exe	schtasks.exe
PID 4688 wrote to memory of 4300	4688	72d9328652d8cdcab7d7efb7d97263a5.exe	schtasks.exe
PID 4688 wrote to memory of 4300	4688	72d9328652d8cdcab7d7efb7d97263a5.exe	schtasks.exe
PID 4688 wrote to memory of 1108	4688	72d9328652d8cdcab7d7efb7d97263a5.exe	72d9328652d8cdcab7d7efb7d97263a5.exe
PID 4688 wrote to memory of 1108	4688	72d9328652d8cdcab7d7efb7d97263a5.exe	72d9328652d8cdcab7d7efb7d97263a5.exe
PID 4688 wrote to memory of 1108	4688	72d9328652d8cdcab7d7efb7d97263a5.exe	72d9328652d8cdcab7d7efb7d97263a5.exe
PID 4688 wrote to memory of 1108	4688	72d9328652d8cdcab7d7efb7d97263a5.exe	72d9328652d8cdcab7d7efb7d97263a5.exe
PID 4688 wrote to memory of 1108	4688	72d9328652d8cdcab7d7efb7d97263a5.exe	72d9328652d8cdcab7d7efb7d97263a5.exe
PID 4688 wrote to memory of 1108	4688	72d9328652d8cdcab7d7efb7d97263a5.exe	72d9328652d8cdcab7d7efb7d97263a5.exe
PID 4688 wrote to memory of 1108	4688	72d9328652d8cdcab7d7efb7d97263a5.exe	72d9328652d8cdcab7d7efb7d97263a5.exe
PID 4688 wrote to memory of 1108	4688	72d9328652d8cdcab7d7efb7d97263a5.exe	72d9328652d8cdcab7d7efb7d97263a5.exe
PID 4688 wrote to memory of 1108	4688	72d9328652d8cdcab7d7efb7d97263a5.exe	72d9328652d8cdcab7d7efb7d97263a5.exe
PID 4688 wrote to memory of 1108	4688	72d9328652d8cdcab7d7efb7d97263a5.exe	72d9328652d8cdcab7d7efb7d97263a5.exe
PID 4688 wrote to memory of 1108	4688	72d9328652d8cdcab7d7efb7d97263a5.exe	72d9328652d8cdcab7d7efb7d97263a5.exe
PID 4688 wrote to memory of 1108	4688	72d9328652d8cdcab7d7efb7d97263a5.exe	72d9328652d8cdcab7d7efb7d97263a5.exe
PID 1108 wrote to memory of 5108	1108	72d9328652d8cdcab7d7efb7d97263a5.exe	WScript.exe
PID 1108 wrote to memory of 5108	1108	72d9328652d8cdcab7d7efb7d97263a5.exe	WScript.exe
PID 1108 wrote to memory of 5108	1108	72d9328652d8cdcab7d7efb7d97263a5.exe	WScript.exe
PID 5108 wrote to memory of 4984	5108	WScript.exe	cmd.exe
PID 5108 wrote to memory of 4984	5108	WScript.exe	cmd.exe
PID 5108 wrote to memory of 4984	5108	WScript.exe	cmd.exe
PID 4984 wrote to memory of 2340	4984	cmd.exe	remcos.exe
PID 4984 wrote to memory of 2340	4984	cmd.exe	remcos.exe
PID 4984 wrote to memory of 2340	4984	cmd.exe	remcos.exe
PID 2340 wrote to memory of 2484	2340	remcos.exe	schtasks.exe
PID 2340 wrote to memory of 2484	2340	remcos.exe	schtasks.exe
PID 2340 wrote to memory of 2484	2340	remcos.exe	schtasks.exe
PID 2340 wrote to memory of 3820	2340	remcos.exe	remcos.exe
PID 2340 wrote to memory of 3820	2340	remcos.exe	remcos.exe
PID 2340 wrote to memory of 3820	2340	remcos.exe	remcos.exe
PID 2340 wrote to memory of 3820	2340	remcos.exe	remcos.exe
PID 2340 wrote to memory of 3820	2340	remcos.exe	remcos.exe
PID 2340 wrote to memory of 3820	2340	remcos.exe	remcos.exe
PID 2340 wrote to memory of 3820	2340	remcos.exe	remcos.exe
PID 2340 wrote to memory of 3820	2340	remcos.exe	remcos.exe
PID 2340 wrote to memory of 3820	2340	remcos.exe	remcos.exe
PID 2340 wrote to memory of 3820	2340	remcos.exe	remcos.exe
PID 2340 wrote to memory of 3820	2340	remcos.exe	remcos.exe
PID 2340 wrote to memory of 3820	2340	remcos.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\72d9328652d8cdcab7d7efb7d97263a5.exe
"C:\Users\Admin\AppData\Local\Temp\72d9328652d8cdcab7d7efb7d97263a5.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QXORHiROtWShg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp30BF.tmp"
2⤵
- Creates scheduled task(s)
PID:4300

C:\Users\Admin\AppData\Local\Temp\72d9328652d8cdcab7d7efb7d97263a5.exe
"C:\Users\Admin\AppData\Local\Temp\72d9328652d8cdcab7d7efb7d97263a5.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4984

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QXORHiROtWShg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp565.tmp"
6⤵
- Creates scheduled task(s)
PID:2484

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3820

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize
418B

MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp30BF.tmp
Filesize
1KB

MD5
30392956da9f125cab9d2c897045197e

SHA1
f6ad73327df198ccb61b805902ae0bbcf397b195

SHA256
274da77b925f2bc1781a47c4585aa434ab38edfa7508687a6a45d63b8333ce05

SHA512
18e34cd50e42141de1fa27a0c7df9132c02ff50a0964e7bfbc65c2bc4c4ee81efd4ca41e4ae8a5e281d7fcd62415d73b8a51bc3edaba4d1056f7fc733087ea9a

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\logs.dat
Filesize
148B

MD5
a00556fb4b01d44016b0635bdd5eff51

SHA1
3c0d983cd6200817b3914beda357112f36cb8f3f

SHA256
529ea71d311acd2c69e035d03d9d9538616e15ab93b6d9f5af5609279baa4d20

SHA512
2f4a8ebedfb828b558e99985f37074156a0cff81fe10d78a1f8c442322706b22936387f3320202b19170b81f18d1397765d01a90ef1646159fc52f377f415ea2

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
Filesize
574KB

MD5
e02beadf1e9d48a04dfa7b17beec96be

SHA1
e0118e15433ac4acc2b270142aa9eeac3a4956d7

SHA256
c262d1f6d7748bdbff226c6c7bed331619887289b383ec7a313d7efb435a5f93

SHA512
1808a01873eadafd89df3684f54368179f534d3f5484c3a9b4ab9a4eafcc1365841ffa87985e170767954c6f355d4691f41501caff9a285ea7183ec665563ebc

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
Filesize
650KB

MD5
cce1884a365d1b3cb6ace6dff5bbd50f

SHA1
6457df536774efd9a417e45271a1c15ae95d4c50

SHA256
695dc53a6e0d597871de79a61e3cc9b2c9176e911cb25bfb8e0c8c0265cfb6f1

SHA512
97baf3515220ad53a9edb92a87de2cbe5c87225fe444fd17bae367adeff9e29e519e74a0fcaf296d97ce10c38b033cd7cf8f49f1eeafd010d86101fb04b9466a

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
Filesize
618KB

MD5
836f9b49d9475e5e1c02422d8250a4b0

SHA1
6f694501cf40dd2c5438a5d17c876c85d97a4012

SHA256
ea49208feb72189ac7af657cce8be00a7de472b100f8df5d87e60c66b8ec5c33

SHA512
5cec60f1d5411f83b5f300fd253e8628099c0206f9a57b692090dee76d54197cef782afae9e41c8c772cff2e1a40561daa2d6fdca804e6de69a975145fd9a15e

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
Filesize
1.0MB

MD5
4803e17b876f8ffe55d12864362877ba

SHA1
704d9a14585517c7c3e1a0642f7f13224304fdff

SHA256
0c00f9d84bba215e919c284647673f7cf75f41f51dbaf0d366b1a3a39945b5c5

SHA512
0b7b8c71d128df74012f51d7c63ac57ecfcacc7839c656d70917b000184cb0a958bb71bea685dda1f5003c76290b8a7eb60f63aaa2303e0421d81200825b2c76

Download Submit
memory/1108-27-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1108-20-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1108-17-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1108-18-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1108-21-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2340-44-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/2340-35-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/2340-34-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/2340-33-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/2340-32-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/3820-41-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3820-40-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3820-52-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3820-46-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3820-47-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3820-43-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4688-4-0x00000000052B0000-0x000000000534C000-memory.dmp

Filesize
624KB

Download
memory/4688-7-0x0000000005290000-0x00000000052A2000-memory.dmp

Filesize
72KB

Download
memory/4688-11-0x0000000008FF0000-0x0000000009068000-memory.dmp

Filesize
480KB

Download
memory/4688-10-0x0000000006AC0000-0x0000000006B92000-memory.dmp

Filesize
840KB

Download
memory/4688-2-0x00000000057C0000-0x0000000005D64000-memory.dmp

Filesize
5.6MB

Download
memory/4688-24-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/4688-8-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/4688-1-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/4688-3-0x00000000050F0000-0x0000000005182000-memory.dmp

Filesize
584KB

Download
memory/4688-6-0x00000000051B0000-0x00000000051BA000-memory.dmp

Filesize
40KB

Download
memory/4688-9-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/4688-5-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/4688-0-0x00000000005E0000-0x0000000000718000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads