remcos | 655f5325cf419a690c3e1d0b8bfd778155d0448a2d8003ada5e36f63b892227c

General

Target

655f5325cf419a690c3e1d0b8bfd778155d0448a2d8003ada5e36f63b892227c.exe
Size

955KB
MD5

63fee4024d78eb5a40048322b480fda6
SHA1

44af74253f9fc3d50167e26919a361b4e51e50cf
SHA256

655f5325cf419a690c3e1d0b8bfd778155d0448a2d8003ada5e36f63b892227c
SHA512

b744dfa4234b429f87c1a164d4852bfbf88da196504ae222aef31c217631e26731216e30563284503721ad9b0a7d1f72422ede30550e9793e83f4629c27d1f92
SSDEEP

24576:6SmP0Y748Efdbsm8zosTXsmabDmEx+vYJck/NwTicl:6dp74jwBlXKDmEYvAKiS

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

185.222.58.40:1990

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-IJU1NL
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 5 IoCs

resource	yara_rule
behavioral1/memory/2588-17-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2588-18-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2588-19-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2588-22-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2588-23-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2600	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2980	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2980	2300	655f5325cf419a690c3e1d0b8bfd778155d0448a2d8003ada5e36f63b892227c.exe	30
PID 2300 wrote to memory of 2980	2300	655f5325cf419a690c3e1d0b8bfd778155d0448a2d8003ada5e36f63b892227c.exe	30
PID 2300 wrote to memory of 2980	2300	655f5325cf419a690c3e1d0b8bfd778155d0448a2d8003ada5e36f63b892227c.exe	30
PID 2300 wrote to memory of 2980	2300	655f5325cf419a690c3e1d0b8bfd778155d0448a2d8003ada5e36f63b892227c.exe	30
PID 2300 wrote to memory of 2600	2300	655f5325cf419a690c3e1d0b8bfd778155d0448a2d8003ada5e36f63b892227c.exe	28
PID 2300 wrote to memory of 2600	2300	655f5325cf419a690c3e1d0b8bfd778155d0448a2d8003ada5e36f63b892227c.exe	28
PID 2300 wrote to memory of 2600	2300	655f5325cf419a690c3e1d0b8bfd778155d0448a2d8003ada5e36f63b892227c.exe	28
PID 2300 wrote to memory of 2600	2300	655f5325cf419a690c3e1d0b8bfd778155d0448a2d8003ada5e36f63b892227c.exe	28
PID 2300 wrote to memory of 2588	2300	655f5325cf419a690c3e1d0b8bfd778155d0448a2d8003ada5e36f63b892227c.exe	32
PID 2300 wrote to memory of 2588	2300	655f5325cf419a690c3e1d0b8bfd778155d0448a2d8003ada5e36f63b892227c.exe	32
PID 2300 wrote to memory of 2588	2300	655f5325cf419a690c3e1d0b8bfd778155d0448a2d8003ada5e36f63b892227c.exe	32
PID 2300 wrote to memory of 2588	2300	655f5325cf419a690c3e1d0b8bfd778155d0448a2d8003ada5e36f63b892227c.exe	32
PID 2300 wrote to memory of 2588	2300	655f5325cf419a690c3e1d0b8bfd778155d0448a2d8003ada5e36f63b892227c.exe	32
PID 2300 wrote to memory of 2588	2300	655f5325cf419a690c3e1d0b8bfd778155d0448a2d8003ada5e36f63b892227c.exe	32
PID 2300 wrote to memory of 2588	2300	655f5325cf419a690c3e1d0b8bfd778155d0448a2d8003ada5e36f63b892227c.exe	32
PID 2300 wrote to memory of 2588	2300	655f5325cf419a690c3e1d0b8bfd778155d0448a2d8003ada5e36f63b892227c.exe	32
PID 2300 wrote to memory of 2588	2300	655f5325cf419a690c3e1d0b8bfd778155d0448a2d8003ada5e36f63b892227c.exe	32
PID 2300 wrote to memory of 2588	2300	655f5325cf419a690c3e1d0b8bfd778155d0448a2d8003ada5e36f63b892227c.exe	32
PID 2300 wrote to memory of 2588	2300	655f5325cf419a690c3e1d0b8bfd778155d0448a2d8003ada5e36f63b892227c.exe	32
PID 2300 wrote to memory of 2588	2300	655f5325cf419a690c3e1d0b8bfd778155d0448a2d8003ada5e36f63b892227c.exe	32

C:\Users\Admin\AppData\Local\Temp\655f5325cf419a690c3e1d0b8bfd778155d0448a2d8003ada5e36f63b892227c.exe
"C:\Users\Admin\AppData\Local\Temp\655f5325cf419a690c3e1d0b8bfd778155d0448a2d8003ada5e36f63b892227c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DDJEjhbm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA4E7.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2600
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DDJEjhbm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Users\Admin\AppData\Local\Temp\655f5325cf419a690c3e1d0b8bfd778155d0448a2d8003ada5e36f63b892227c.exe
  "C:\Users\Admin\AppData\Local\Temp\655f5325cf419a690c3e1d0b8bfd778155d0448a2d8003ada5e36f63b892227c.exe"
  2⤵
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA4E7.tmp

Filesize
1KB

MD5
7b6f9ec0b4cb00592598bccc5a8320cf

SHA1
ad39804abb4932eea5222fe758d7226b451c038e

SHA256
de1f115917f8ea19f426e5aae4704d90a5eaa05dc888d920d5107f368f65bc1f

SHA512
eb04599bfd3a6302c4a33d248e8b2f99aab9e3540b7ec9ebbcd39b154020c27ea410c9d9f57404c054ae58a9477a49ce29169f7474325efd82d3625f6036db53

Download Submit
memory/2300-0-0x00000000012B0000-0x00000000013A6000-memory.dmp

Filesize
984KB

Download
memory/2300-1-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2300-2-0x0000000005210000-0x0000000005250000-memory.dmp

Filesize
256KB

Download
memory/2300-3-0x00000000005F0000-0x000000000060C000-memory.dmp

Filesize
112KB

Download
memory/2300-4-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2300-5-0x0000000005470000-0x0000000005530000-memory.dmp

Filesize
768KB

Download
memory/2300-9-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2300-26-0x0000000005210000-0x0000000005250000-memory.dmp

Filesize
256KB

Download
memory/2588-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2588-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2588-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2588-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2588-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2588-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2588-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2588-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2588-12-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2980-27-0x000000006E8D0000-0x000000006EE7B000-memory.dmp

Filesize
5.7MB

Download
memory/2980-28-0x00000000020F0000-0x0000000002130000-memory.dmp

Filesize
256KB

Download
memory/2980-29-0x000000006E8D0000-0x000000006EE7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads