remcos | 9df34db4426f1e4b552636fd8ac7d48c919ba88eb3f402280a43b451f6bcfc42

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0a3f3e598d83fa8ee8a25857dd8eac7.exe
Size

1.3MB
MD5

c0a3f3e598d83fa8ee8a25857dd8eac7
SHA1

bb2d23cc6f0050192840861534d7f8e4d227c8fc
SHA256

9df34db4426f1e4b552636fd8ac7d48c919ba88eb3f402280a43b451f6bcfc42
SHA512

c4ded8b4d6e7dde536cf429ce54c50a979f43562ce137e7b82c0c5fd4ec216573ba87b4088a3ee4a0f4a1aa8a4cda0a41f088879835104a987ba9608b98bf2d2
SSDEEP

24576:rAOcZAh/UjDCacEZHkbeNWe1E7mtq2D9lH38KyO14OuKOw7scoPE+FQYcXGI99:tl9Db97iBZlX8rO3JOzco8+6T99

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Version

3.1.5 Pro

Botnet

RemoteHost

a2ztradiingventures.ddns.net:3814

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-J15A38
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	nmdpgv.pif
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	c0a3f3e598d83fa8ee8a25857dd8eac7.exe

Executes dropped EXE 2 IoCs

pid	Process
1680	nmdpgv.pif
3272	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\23807057\\nmdpgv.pif c:\\23807057\\iqcd.vel"	nmdpgv.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1680 set thread context of 3272	1680	nmdpgv.pif	115

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1680	nmdpgv.pif
1680	nmdpgv.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3272	RegSvcs.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4212 wrote to memory of 1680	4212	c0a3f3e598d83fa8ee8a25857dd8eac7.exe	94
PID 4212 wrote to memory of 1680	4212	c0a3f3e598d83fa8ee8a25857dd8eac7.exe	94
PID 4212 wrote to memory of 1680	4212	c0a3f3e598d83fa8ee8a25857dd8eac7.exe	94
PID 1680 wrote to memory of 3680	1680	nmdpgv.pif	98
PID 1680 wrote to memory of 3680	1680	nmdpgv.pif	98
PID 1680 wrote to memory of 3680	1680	nmdpgv.pif	98
PID 1680 wrote to memory of 1924	1680	nmdpgv.pif	104
PID 1680 wrote to memory of 1924	1680	nmdpgv.pif	104
PID 1680 wrote to memory of 1924	1680	nmdpgv.pif	104
PID 1680 wrote to memory of 1268	1680	nmdpgv.pif	106
PID 1680 wrote to memory of 1268	1680	nmdpgv.pif	106
PID 1680 wrote to memory of 1268	1680	nmdpgv.pif	106
PID 1680 wrote to memory of 1360	1680	nmdpgv.pif	108
PID 1680 wrote to memory of 1360	1680	nmdpgv.pif	108
PID 1680 wrote to memory of 1360	1680	nmdpgv.pif	108
PID 1680 wrote to memory of 1780	1680	nmdpgv.pif	109
PID 1680 wrote to memory of 1780	1680	nmdpgv.pif	109
PID 1680 wrote to memory of 1780	1680	nmdpgv.pif	109
PID 1680 wrote to memory of 4728	1680	nmdpgv.pif	113
PID 1680 wrote to memory of 4728	1680	nmdpgv.pif	113
PID 1680 wrote to memory of 4728	1680	nmdpgv.pif	113
PID 1680 wrote to memory of 2580	1680	nmdpgv.pif	114
PID 1680 wrote to memory of 2580	1680	nmdpgv.pif	114
PID 1680 wrote to memory of 2580	1680	nmdpgv.pif	114
PID 1680 wrote to memory of 3272	1680	nmdpgv.pif	115
PID 1680 wrote to memory of 3272	1680	nmdpgv.pif	115
PID 1680 wrote to memory of 3272	1680	nmdpgv.pif	115
PID 1680 wrote to memory of 3272	1680	nmdpgv.pif	115
PID 1680 wrote to memory of 3272	1680	nmdpgv.pif	115

C:\Users\Admin\AppData\Local\Temp\c0a3f3e598d83fa8ee8a25857dd8eac7.exe
"C:\Users\Admin\AppData\Local\Temp\c0a3f3e598d83fa8ee8a25857dd8eac7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4212
- C:\23807057\nmdpgv.pif
  "C:\23807057\nmdpgv.pif" iqcd.vel
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe"
    3⤵
    PID:3680
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe"
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe"
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe"
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe"
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe"
    3⤵
    PID:4728
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe"
    3⤵
    PID:2580
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\23807057\ckrfvem.exe

Filesize
970KB

MD5
291c0ced67797962de776166ecfe43c5

SHA1
71a78d36a40d8fea4535a8cb67b30b1e322ea77d

SHA256
0336925b06ee2e8b8c4ba480abe122ffc4a207623a0ec7129c6288ea0496a181

SHA512
7cd791f8db5e8b5553501ef39acfcf3e6ef9fbb652f75a54a9ac28d2451ad2b948870a77bd6ff85d016b2e5b166d166fd6b7f173320a6d2fcdff8171405737f8

Download Submit
C:\23807057\iqcd.vel

Filesize
119.8MB

MD5
f25672011b4e959d9573b072a7317b37

SHA1
cba5dd22f6c18350699c6f46f96474223052d84c

SHA256
aac0410f5ebe08b256628e5223ab71211ea0edbda418cf68923b015d85a8cc3e

SHA512
b5a199539e500e5ea811171535374fd66d1fa696d0db3a6c2ba650cef855afa91a4717bcbf8ef82d8c765c6111e113447de1a671750ae8455592097d12605244

Download Submit
C:\23807057\nmdpgv.pif

Filesize
649KB

MD5
e423fa6f72ef1a0d63ef5f85380657d6

SHA1
83114ec1db55867fde6d249352fcb3c52ef53af2

SHA256
4c38d6dc99e8219ccc923bddc94c9298f6b5aee6b4b42323d924cffdeafd356e

SHA512
687407a6354547f11faf190472e5fa5c50c0d01d911823b372d80029054e2e830c08b2a9100f5f1b1a742d0755bddfb784854bd7431f98b6b352010e2d01dac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat

Filesize
148B

MD5
a6a9c8d42a3d22d0f53c3765c8796d01

SHA1
57115701968530b78818f6599dec05c49f8422b4

SHA256
7c4085856bb98ca2b6078e00eb07415330a76bd17d803e5bda17249ebfab4c6a

SHA512
3e4b57ecd72cbdb313cbd478aa63036bf07d360ad1b055dbe57532be8b155ec95a7153651e3b64e3c099cad217db73e54cfa8beefb056f52298ed347b1902f6b

Download Submit
memory/3272-74-0x0000000000BA0000-0x000000000104F000-memory.dmp

Filesize
4.7MB

Download
memory/3272-76-0x0000000000BA0000-0x000000000104F000-memory.dmp

Filesize
4.7MB

Download
memory/3272-77-0x0000000000BA0000-0x000000000104F000-memory.dmp

Filesize
4.7MB

Download
memory/3272-79-0x0000000000BA0000-0x000000000104F000-memory.dmp

Filesize
4.7MB

Download
memory/3272-81-0x0000000000BA0000-0x000000000104F000-memory.dmp

Filesize
4.7MB

Download
memory/3272-82-0x0000000000BA0000-0x000000000104F000-memory.dmp

Filesize
4.7MB

Download
memory/3272-87-0x0000000000BA0000-0x000000000104F000-memory.dmp

Filesize
4.7MB

Download