remcos | 7c8ffae42d7c5f375d70929da9543590016ac3c68eea797641e19c65b3124b08

General

Target

test.exe
Size

469KB
MD5

e535cbac9b6b8065d3db4866feb31077
SHA1

027f6b9d72359d7b271cc20f25e97c4f2d8b293b
SHA256

7c8ffae42d7c5f375d70929da9543590016ac3c68eea797641e19c65b3124b08
SHA512

c483607f45deaaa1c89ffc4fd1e055c2c78e610bcee34ea97bc0f7146c2a9e3f7211ba634800436e9169d79be8da3c9e8b7fceed53d5474de7d63b37b753f146
SSDEEP

12288:Ymnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSxn9:IiLJbpI7I2WhQqZ7x9

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

183.89.188.94:4153

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-6DBT03
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	test.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
100	remcos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	test.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	test.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings	test.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4568	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
100	remcos.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
100	remcos.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 2832	3092	test.exe	90
PID 3092 wrote to memory of 2832	3092	test.exe	90
PID 3092 wrote to memory of 2832	3092	test.exe	90
PID 2832 wrote to memory of 2200	2832	WScript.exe	94
PID 2832 wrote to memory of 2200	2832	WScript.exe	94
PID 2832 wrote to memory of 2200	2832	WScript.exe	94
PID 2200 wrote to memory of 100	2200	cmd.exe	96
PID 2200 wrote to memory of 100	2200	cmd.exe	96
PID 2200 wrote to memory of 100	2200	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\ProgramData\Remcos\remcos.exe
      C:\ProgramData\Remcos\remcos.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:100

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2608

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\remcos.exe

Filesize
469KB

MD5
e535cbac9b6b8065d3db4866feb31077

SHA1
027f6b9d72359d7b271cc20f25e97c4f2d8b293b

SHA256
7c8ffae42d7c5f375d70929da9543590016ac3c68eea797641e19c65b3124b08

SHA512
c483607f45deaaa1c89ffc4fd1e055c2c78e610bcee34ea97bc0f7146c2a9e3f7211ba634800436e9169d79be8da3c9e8b7fceed53d5474de7d63b37b753f146

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
c69ff23dd901eb56e1ba65b183a1c58d

SHA1
bfd6ce9d885c4b9edc0a21641b733df15d0a2212

SHA256
bc89efb65c4499e42660ceb9398e48c0bd4b477be8799a3495de0fb9cc9dc5d4

SHA512
d76f813966e607d258238dfde89e24de5df1a30d3b8fe61ea01b15e1d6ff4553e5a2259ff3ae3a867e9ce42ffeb25f3d53e610da9fd465c0fe384ab4cfcd39fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
386B

MD5
1ec6289c6fd4c2ded6b2836ed28cbeb5

SHA1
c4e08195e6c640eb8860acc03fda1d649b4fe070

SHA256
6efdc40f9eb217f879607614e928b65bff759e424f3efb31faceb2a043c32dc2

SHA512
20bc46f4dee22f75f15c402c7c2eaee60fff7dd92548050585571dcbefd59485cc249c06bc3f1aac7a138e5ae67c0c3918b46ffa24c8b0f1b092e2f6b6e21288

Download Submit
memory/4568-48-0x0000019B3EAD0000-0x0000019B3EAD1000-memory.dmp

Filesize
4KB

Download
memory/4568-50-0x0000019B3EAD0000-0x0000019B3EAD1000-memory.dmp

Filesize
4KB

Download
memory/4568-41-0x0000019B3EAD0000-0x0000019B3EAD1000-memory.dmp

Filesize
4KB

Download
memory/4568-42-0x0000019B3EAD0000-0x0000019B3EAD1000-memory.dmp

Filesize
4KB

Download
memory/4568-43-0x0000019B3EAD0000-0x0000019B3EAD1000-memory.dmp

Filesize
4KB

Download
memory/4568-44-0x0000019B3EAD0000-0x0000019B3EAD1000-memory.dmp

Filesize
4KB

Download
memory/4568-45-0x0000019B3EAD0000-0x0000019B3EAD1000-memory.dmp

Filesize
4KB

Download
memory/4568-46-0x0000019B3EAD0000-0x0000019B3EAD1000-memory.dmp

Filesize
4KB

Download
memory/4568-47-0x0000019B3EAD0000-0x0000019B3EAD1000-memory.dmp

Filesize
4KB

Download
memory/4568-8-0x0000019B36440000-0x0000019B36450000-memory.dmp

Filesize
64KB

Download
memory/4568-49-0x0000019B3EAD0000-0x0000019B3EAD1000-memory.dmp

Filesize
4KB

Download
memory/4568-40-0x0000019B3EAA0000-0x0000019B3EAA1000-memory.dmp

Filesize
4KB

Download
memory/4568-51-0x0000019B3E700000-0x0000019B3E701000-memory.dmp

Filesize
4KB

Download
memory/4568-52-0x0000019B3E6F0000-0x0000019B3E6F1000-memory.dmp

Filesize
4KB

Download
memory/4568-54-0x0000019B3E700000-0x0000019B3E701000-memory.dmp

Filesize
4KB

Download
memory/4568-57-0x0000019B3E6F0000-0x0000019B3E6F1000-memory.dmp

Filesize
4KB

Download
memory/4568-60-0x0000019B35DE0000-0x0000019B35DE1000-memory.dmp

Filesize
4KB

Download
memory/4568-24-0x0000019B36540000-0x0000019B36550000-memory.dmp

Filesize
64KB

Download
memory/4568-72-0x0000019B3E820000-0x0000019B3E821000-memory.dmp

Filesize
4KB

Download
memory/4568-74-0x0000019B3E830000-0x0000019B3E831000-memory.dmp

Filesize
4KB

Download
memory/4568-75-0x0000019B3E830000-0x0000019B3E831000-memory.dmp

Filesize
4KB

Download
memory/4568-76-0x0000019B3E940000-0x0000019B3E941000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads