remcos | 9df34db4426f1e4b552636fd8ac7d48c919ba88eb3f402280a43b451f6bcfc42

Analysis

max time kernel
150s
max time network
130s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0a3f3e598d83fa8ee8a25857dd8eac7.exe
Size

1.3MB
MD5

c0a3f3e598d83fa8ee8a25857dd8eac7
SHA1

bb2d23cc6f0050192840861534d7f8e4d227c8fc
SHA256

9df34db4426f1e4b552636fd8ac7d48c919ba88eb3f402280a43b451f6bcfc42
SHA512

c4ded8b4d6e7dde536cf429ce54c50a979f43562ce137e7b82c0c5fd4ec216573ba87b4088a3ee4a0f4a1aa8a4cda0a41f088879835104a987ba9608b98bf2d2
SSDEEP

24576:rAOcZAh/UjDCacEZHkbeNWe1E7mtq2D9lH38KyO14OuKOw7scoPE+FQYcXGI99:tl9Db97iBZlX8rO3JOzco8+6T99

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Version

3.1.5 Pro

Botnet

RemoteHost

a2ztradiingventures.ddns.net:3814

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-J15A38
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
2404	nmdpgv.pif
1376	RegSvcs.exe

Loads dropped DLL 5 IoCs

pid	Process
1112	c0a3f3e598d83fa8ee8a25857dd8eac7.exe
1112	c0a3f3e598d83fa8ee8a25857dd8eac7.exe
1112	c0a3f3e598d83fa8ee8a25857dd8eac7.exe
1112	c0a3f3e598d83fa8ee8a25857dd8eac7.exe
2404	nmdpgv.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\23807057\\nmdpgv.pif c:\\23807057\\iqcd.vel"	nmdpgv.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2404 set thread context of 1376	2404	nmdpgv.pif	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2404	nmdpgv.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1376	RegSvcs.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 2404	1112	c0a3f3e598d83fa8ee8a25857dd8eac7.exe	28
PID 1112 wrote to memory of 2404	1112	c0a3f3e598d83fa8ee8a25857dd8eac7.exe	28
PID 1112 wrote to memory of 2404	1112	c0a3f3e598d83fa8ee8a25857dd8eac7.exe	28
PID 1112 wrote to memory of 2404	1112	c0a3f3e598d83fa8ee8a25857dd8eac7.exe	28
PID 2404 wrote to memory of 2540	2404	nmdpgv.pif	29
PID 2404 wrote to memory of 2540	2404	nmdpgv.pif	29
PID 2404 wrote to memory of 2540	2404	nmdpgv.pif	29
PID 2404 wrote to memory of 2540	2404	nmdpgv.pif	29
PID 2404 wrote to memory of 2352	2404	nmdpgv.pif	30
PID 2404 wrote to memory of 2352	2404	nmdpgv.pif	30
PID 2404 wrote to memory of 2352	2404	nmdpgv.pif	30
PID 2404 wrote to memory of 2352	2404	nmdpgv.pif	30
PID 2404 wrote to memory of 324	2404	nmdpgv.pif	31
PID 2404 wrote to memory of 324	2404	nmdpgv.pif	31
PID 2404 wrote to memory of 324	2404	nmdpgv.pif	31
PID 2404 wrote to memory of 324	2404	nmdpgv.pif	31
PID 2404 wrote to memory of 1748	2404	nmdpgv.pif	32
PID 2404 wrote to memory of 1748	2404	nmdpgv.pif	32
PID 2404 wrote to memory of 1748	2404	nmdpgv.pif	32
PID 2404 wrote to memory of 1748	2404	nmdpgv.pif	32
PID 2404 wrote to memory of 2104	2404	nmdpgv.pif	33
PID 2404 wrote to memory of 2104	2404	nmdpgv.pif	33
PID 2404 wrote to memory of 2104	2404	nmdpgv.pif	33
PID 2404 wrote to memory of 2104	2404	nmdpgv.pif	33
PID 2404 wrote to memory of 2752	2404	nmdpgv.pif	36
PID 2404 wrote to memory of 2752	2404	nmdpgv.pif	36
PID 2404 wrote to memory of 2752	2404	nmdpgv.pif	36
PID 2404 wrote to memory of 2752	2404	nmdpgv.pif	36
PID 2404 wrote to memory of 564	2404	nmdpgv.pif	37
PID 2404 wrote to memory of 564	2404	nmdpgv.pif	37
PID 2404 wrote to memory of 564	2404	nmdpgv.pif	37
PID 2404 wrote to memory of 564	2404	nmdpgv.pif	37
PID 2404 wrote to memory of 1376	2404	nmdpgv.pif	38
PID 2404 wrote to memory of 1376	2404	nmdpgv.pif	38
PID 2404 wrote to memory of 1376	2404	nmdpgv.pif	38
PID 2404 wrote to memory of 1376	2404	nmdpgv.pif	38
PID 2404 wrote to memory of 1376	2404	nmdpgv.pif	38
PID 2404 wrote to memory of 1376	2404	nmdpgv.pif	38
PID 2404 wrote to memory of 1376	2404	nmdpgv.pif	38
PID 2404 wrote to memory of 1376	2404	nmdpgv.pif	38
PID 2404 wrote to memory of 1376	2404	nmdpgv.pif	38

C:\Users\Admin\AppData\Local\Temp\c0a3f3e598d83fa8ee8a25857dd8eac7.exe
"C:\Users\Admin\AppData\Local\Temp\c0a3f3e598d83fa8ee8a25857dd8eac7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1112
- C:\23807057\nmdpgv.pif
  "C:\23807057\nmdpgv.pif" iqcd.vel
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe"
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe"
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe"
    3⤵
    PID:324
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe"
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe"
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe"
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe"
    3⤵
    PID:564
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\23807057\ckrfvem.exe

Filesize
970KB

MD5
291c0ced67797962de776166ecfe43c5

SHA1
71a78d36a40d8fea4535a8cb67b30b1e322ea77d

SHA256
0336925b06ee2e8b8c4ba480abe122ffc4a207623a0ec7129c6288ea0496a181

SHA512
7cd791f8db5e8b5553501ef39acfcf3e6ef9fbb652f75a54a9ac28d2451ad2b948870a77bd6ff85d016b2e5b166d166fd6b7f173320a6d2fcdff8171405737f8

Download Submit
C:\23807057\iqcd.vel

Filesize
8.1MB

MD5
7573ba026f4d0c89736c8c1cfab5c12f

SHA1
8cd9e17fc9d5ba0f349ef1156f77b7b72ac4a807

SHA256
15e6d3611cee9f9f1080b2269e40ca9afdbdcd15400daa6ab4949f54a151ea71

SHA512
965f6a256f1a96181b65b4de73469553c7dba9c249dcc93859dc004eb3fe56bfb4d484bb3def8b0cf945280fa7a7b5394bf08dd09b8ea0d39ca6745eebd884fb

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat

Filesize
148B

MD5
b712510f3034bf93b922506d1c128954

SHA1
8b21f6eb5af73001db242e9ae45db8a1393313d4

SHA256
b896ab1b6192978aa9babc45fb89af1239db6ef07ec08ad3c66b138cf7ed79ee

SHA512
ea48dbd3ce651e110f469051bc76594f9ff5d0b96bee2db317a72c8884c482117c352c1d980299b1c1a852df41e806fd37f89b6a9466c9c0c074ea724f87f5f0

Download Submit
\23807057\nmdpgv.pif

Filesize
649KB

MD5
e423fa6f72ef1a0d63ef5f85380657d6

SHA1
83114ec1db55867fde6d249352fcb3c52ef53af2

SHA256
4c38d6dc99e8219ccc923bddc94c9298f6b5aee6b4b42323d924cffdeafd356e

SHA512
687407a6354547f11faf190472e5fa5c50c0d01d911823b372d80029054e2e830c08b2a9100f5f1b1a742d0755bddfb784854bd7431f98b6b352010e2d01dac3

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/1376-88-0x0000000000320000-0x000000000087E000-memory.dmp

Filesize
5.4MB

Download
memory/1376-87-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1376-91-0x0000000000320000-0x000000000087E000-memory.dmp

Filesize
5.4MB

Download
memory/1376-92-0x0000000000320000-0x000000000087E000-memory.dmp

Filesize
5.4MB

Download
memory/1376-93-0x0000000000320000-0x000000000087E000-memory.dmp

Filesize
5.4MB

Download
memory/1376-95-0x0000000000320000-0x000000000087E000-memory.dmp

Filesize
5.4MB

Download
memory/1376-96-0x0000000000320000-0x000000000087E000-memory.dmp

Filesize
5.4MB

Download
memory/1376-101-0x0000000000320000-0x000000000087E000-memory.dmp

Filesize
5.4MB

Download
memory/1376-85-0x0000000000320000-0x000000000087E000-memory.dmp

Filesize
5.4MB

Download