remcos | 2d7ed09200c40b2f12d11415ea4f46e4b35b03d7e34b11e0e3339dc4e8ed687e

General

Target

2d7ed09200c40b2f12d11415ea4f46e4b35b03d7e34b11e0e3339dc4e8ed687e.vbs
Size

520KB
MD5

a32d581b0e933298fdad8007f0bc4f48
SHA1

9ee67035856075573f66028e4694a999e647d744
SHA256

2d7ed09200c40b2f12d11415ea4f46e4b35b03d7e34b11e0e3339dc4e8ed687e
SHA512

2da41cbd5eaf178db7cf6d20cac1cafcaca02d042d5661b719ff364831164fe894443bd6bfbf78db7baaa1fae3e70e3795fe74986dd81042f3e67cc50f62ead6
SSDEEP

12288:/2q1MBozZxA1VEWdNIb/1UYe0kagh//3PBLXgIe:TCBaQOWd81Uakzx/PBLXU

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

185.255.114.127:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-E6UWII
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 21 IoCs

Processes:

resource	yara_rule
behavioral2/memory/376-18-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/376-19-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/376-21-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/376-23-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/376-24-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/376-26-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/376-27-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/376-28-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/376-29-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/376-30-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/376-31-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/376-33-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/376-34-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/376-35-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/376-40-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/376-43-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/376-44-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/376-51-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/376-52-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/376-67-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/376-68-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Detects executables packed with ConfuserEx Mod 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\payload.exe	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/memory/1328-11-0x0000000000810000-0x0000000000876000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/memory/1328-13-0x00000000051A0000-0x0000000005206000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/memory/1328-17-0x0000000004CA0000-0x0000000004CAA000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation WScript.exe
Executes dropped EXE 1 IoCs

Processes:

payload.exe

pid process

1328 payload.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

payload.exe

description pid process target process

PID 1328 set thread context of 376 1328 payload.exe Caspol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Caspol.exe

pid process

376 Caspol.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	WScript.exe

pid	process
1328	payload.exe

description	pid	process	target process
PID 1328 set thread context of 376	1328	payload.exe	Caspol.exe

pid	process
376	Caspol.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

WScript.exepayload.exe

description	pid	process	target process
PID 748 wrote to memory of 1328	748	WScript.exe	payload.exe
PID 748 wrote to memory of 1328	748	WScript.exe	payload.exe
PID 748 wrote to memory of 1328	748	WScript.exe	payload.exe
PID 1328 wrote to memory of 376	1328	payload.exe	Caspol.exe
PID 1328 wrote to memory of 376	1328	payload.exe	Caspol.exe
PID 1328 wrote to memory of 376	1328	payload.exe	Caspol.exe
PID 1328 wrote to memory of 376	1328	payload.exe	Caspol.exe
PID 1328 wrote to memory of 376	1328	payload.exe	Caspol.exe
PID 1328 wrote to memory of 376	1328	payload.exe	Caspol.exe
PID 1328 wrote to memory of 376	1328	payload.exe	Caspol.exe
PID 1328 wrote to memory of 376	1328	payload.exe	Caspol.exe
PID 1328 wrote to memory of 376	1328	payload.exe	Caspol.exe
PID 1328 wrote to memory of 376	1328	payload.exe	Caspol.exe
PID 1328 wrote to memory of 376	1328	payload.exe	Caspol.exe
PID 1328 wrote to memory of 376	1328	payload.exe	Caspol.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d7ed09200c40b2f12d11415ea4f46e4b35b03d7e34b11e0e3339dc4e8ed687e.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\AppData\Local\Temp\payload.exe
"C:\Users\Admin\AppData\Local\Temp\payload.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
- Suspicious use of SetWindowsHookEx
PID:376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4336 --field-trial-handle=2276,i,1205556100727695622,5044463180471657307,262144 --variations-seed-version /prefetch:8
1⤵
PID:3804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
8b26a321cfba52b07599da9f367a7cc6

SHA1
e9bdea41ec0b14e71a32b483d7a57438396d52d8

SHA256
d4e13f43bf02fc58f47658e0141e74368f8458f46075c2b20a29d73d0f2c89e0

SHA512
573151ff7c151e6615aafd524e8d339753a4935a0c1911fc40746fe575969748522fd3d24f36f010e248bf01617dd7c0ff644c9d751184cc0f25c67034c8ed27

Download Submit
C:\Users\Admin\AppData\Local\Temp\payload.exe

Filesize
389KB

MD5
8c0877c86b2e9d59b74c245c620de3f3

SHA1
376b29b5166a8f4b9819e5ed298a801af83e03f9

SHA256
2fbab4885cb8c8b53e5afba167f6a7a14293cd2795f198c1435371f2b4f2c3a8

SHA512
804db8402855a8628b8744beb4ae562f2da94b3fb7fcf58b0614d741aa4c2460b2f2373f783407c80de03bd098506cfec2aec8b6d4624c2422616592b69ff7a9

Download Submit
memory/376-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/376-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/376-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/376-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/376-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/376-67-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/376-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/376-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/376-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/376-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/376-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/376-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/376-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/376-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/376-51-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/376-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/376-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/376-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/376-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/376-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/376-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1328-16-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/1328-11-0x0000000000810000-0x0000000000876000-memory.dmp

Filesize
408KB

Download
memory/1328-12-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/1328-13-0x00000000051A0000-0x0000000005206000-memory.dmp

Filesize
408KB

Download
memory/1328-14-0x0000000007DA0000-0x0000000008344000-memory.dmp

Filesize
5.6MB

Download
memory/1328-22-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/1328-17-0x0000000004CA0000-0x0000000004CAA000-memory.dmp

Filesize
40KB

Download
memory/1328-15-0x00000000077F0000-0x0000000007882000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads