remcos | a25bdcab7a38affd0798e5d674341724726c866e7cd7348b3d75bdb47ccca230

General

Target

c5YXaP80M6975Ej.exe
Size

891KB
MD5

52f0f8c78caa712137ac2f2528738b75
SHA1

73cb280eb0ae2d807b9a7a928ab4634d7376a0ed
SHA256

a25bdcab7a38affd0798e5d674341724726c866e7cd7348b3d75bdb47ccca230
SHA512

25a37723954cb765dab04b03837e792990a63d6fe752f354b24c7b78e601cd4cab3e0e1c53ecec633e7bcc7d6a72e105036d12a6bd607d080a6e7d4e47385446
SSDEEP

24576:ewB6NgL6qamjlzHxdOGzX74iJ2RqYYjfogCPm3:V6OLPaMrxd374iJxa

Score

10^/10

remcos host rat

Malware Config

Extracted

Family

remcos

Botnet

Host

C2

37.120.235.114:2269

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-FCA9SV
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c5YXaP80M6975Ej.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	c5YXaP80M6975Ej.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c5YXaP80M6975Ej.exe

description pid process target process

PID 3992 set thread context of 3132 3992 c5YXaP80M6975Ej.exe c5YXaP80M6975Ej.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4992 schtasks.exe

description	pid	process	target process
PID 3992 set thread context of 3132	3992	c5YXaP80M6975Ej.exe	c5YXaP80M6975Ej.exe

pid	process
4992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

c5YXaP80M6975Ej.exepowershell.exe

pid	process
3992	c5YXaP80M6975Ej.exe
3992	c5YXaP80M6975Ej.exe
3992	c5YXaP80M6975Ej.exe
3992	c5YXaP80M6975Ej.exe
492	powershell.exe
492	powershell.exe
492	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c5YXaP80M6975Ej.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3992 c5YXaP80M6975Ej.exe
Token: SeDebugPrivilege 492 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

c5YXaP80M6975Ej.exe

pid process

3132 c5YXaP80M6975Ej.exe

description	pid	process
Token: SeDebugPrivilege	3992	c5YXaP80M6975Ej.exe
Token: SeDebugPrivilege	492	powershell.exe

pid	process
3132	c5YXaP80M6975Ej.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

c5YXaP80M6975Ej.exe

description	pid	process	target process
PID 3992 wrote to memory of 492	3992	c5YXaP80M6975Ej.exe	powershell.exe
PID 3992 wrote to memory of 492	3992	c5YXaP80M6975Ej.exe	powershell.exe
PID 3992 wrote to memory of 492	3992	c5YXaP80M6975Ej.exe	powershell.exe
PID 3992 wrote to memory of 4992	3992	c5YXaP80M6975Ej.exe	schtasks.exe
PID 3992 wrote to memory of 4992	3992	c5YXaP80M6975Ej.exe	schtasks.exe
PID 3992 wrote to memory of 4992	3992	c5YXaP80M6975Ej.exe	schtasks.exe
PID 3992 wrote to memory of 3132	3992	c5YXaP80M6975Ej.exe	c5YXaP80M6975Ej.exe
PID 3992 wrote to memory of 3132	3992	c5YXaP80M6975Ej.exe	c5YXaP80M6975Ej.exe
PID 3992 wrote to memory of 3132	3992	c5YXaP80M6975Ej.exe	c5YXaP80M6975Ej.exe
PID 3992 wrote to memory of 3132	3992	c5YXaP80M6975Ej.exe	c5YXaP80M6975Ej.exe
PID 3992 wrote to memory of 3132	3992	c5YXaP80M6975Ej.exe	c5YXaP80M6975Ej.exe
PID 3992 wrote to memory of 3132	3992	c5YXaP80M6975Ej.exe	c5YXaP80M6975Ej.exe
PID 3992 wrote to memory of 3132	3992	c5YXaP80M6975Ej.exe	c5YXaP80M6975Ej.exe
PID 3992 wrote to memory of 3132	3992	c5YXaP80M6975Ej.exe	c5YXaP80M6975Ej.exe
PID 3992 wrote to memory of 3132	3992	c5YXaP80M6975Ej.exe	c5YXaP80M6975Ej.exe
PID 3992 wrote to memory of 3132	3992	c5YXaP80M6975Ej.exe	c5YXaP80M6975Ej.exe
PID 3992 wrote to memory of 3132	3992	c5YXaP80M6975Ej.exe	c5YXaP80M6975Ej.exe
PID 3992 wrote to memory of 3132	3992	c5YXaP80M6975Ej.exe	c5YXaP80M6975Ej.exe

C:\Users\Admin\AppData\Local\Temp\c5YXaP80M6975Ej.exe
"C:\Users\Admin\AppData\Local\Temp\c5YXaP80M6975Ej.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sirYRCGgC.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:492

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sirYRCGgC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4FF0.tmp"
2⤵
- Creates scheduled task(s)
PID:4992

C:\Users\Admin\AppData\Local\Temp\c5YXaP80M6975Ej.exe
"C:\Users\Admin\AppData\Local\Temp\c5YXaP80M6975Ej.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:3132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3740 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:380

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
39bc8153bc5dcad43146a79497c98339

SHA1
8bb85a95b9659313e4998c0012297f46bc87a4d5

SHA256
281361825048652f37002f13ef4a29064b4e384868930a9c3c244fd4a352c4e7

SHA512
23098a56234e050639e3057961f1003ee708bdcf6913f6358ba3453854980ba07fb3ab851179e25244009986881b3b3bb169ff74643ded4b208fc45b8c458d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fyo4b2gs.w3j.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4FF0.tmp
Filesize
1KB

MD5
dd4b14bad275e9e7568e3f4ebebc53b7

SHA1
953f922207c16edb0cfeb0fb97e2d81ad7ccaa36

SHA256
1bb7c06faff1ec7c8c6ddfc1ac79f5f0f96c8fddb4b9aa72d2e2a454f377883f

SHA512
e7f2947fc0fac5d88b7946243d9a17e9b906d6f2e176f813ace44b7840a2f3c64e450a2ce8b9131f04bda488d5983476080820697c811cb7cb5097b94aaef6fd

Download Submit
memory/492-74-0x00000000070B0000-0x00000000070C1000-memory.dmp

Filesize
68KB

Download
memory/492-44-0x0000000005630000-0x0000000005696000-memory.dmp

Filesize
408KB

Download
memory/492-81-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/492-78-0x00000000071C0000-0x00000000071C8000-memory.dmp

Filesize
32KB

Download
memory/492-77-0x00000000071D0000-0x00000000071EA000-memory.dmp

Filesize
104KB

Download
memory/492-76-0x0000000007190000-0x00000000071A4000-memory.dmp

Filesize
80KB

Download
memory/492-75-0x00000000070D0000-0x00000000070DE000-memory.dmp

Filesize
56KB

Download
memory/492-47-0x0000000005740000-0x0000000005A94000-memory.dmp

Filesize
3.3MB

Download
memory/492-15-0x00000000045B0000-0x00000000045E6000-memory.dmp

Filesize
216KB

Download
memory/492-16-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/492-17-0x0000000004630000-0x0000000004640000-memory.dmp

Filesize
64KB

Download
memory/492-72-0x00000000070F0000-0x0000000007186000-memory.dmp

Filesize
600KB

Download
memory/492-71-0x0000000006F00000-0x0000000006F0A000-memory.dmp

Filesize
40KB

Download
memory/492-20-0x0000000004630000-0x0000000004640000-memory.dmp

Filesize
64KB

Download
memory/492-21-0x0000000004C70000-0x0000000005298000-memory.dmp

Filesize
6.2MB

Download
memory/492-70-0x0000000006E80000-0x0000000006E9A000-memory.dmp

Filesize
104KB

Download
memory/492-69-0x00000000074D0000-0x0000000007B4A000-memory.dmp

Filesize
6.5MB

Download
memory/492-68-0x0000000006B80000-0x0000000006C23000-memory.dmp

Filesize
652KB

Download
memory/492-67-0x0000000006140000-0x000000000615E000-memory.dmp

Filesize
120KB

Download
memory/492-57-0x0000000070F80000-0x0000000070FCC000-memory.dmp

Filesize
304KB

Download
memory/492-56-0x0000000006B40000-0x0000000006B72000-memory.dmp

Filesize
200KB

Download
memory/492-55-0x000000007FDF0000-0x000000007FE00000-memory.dmp

Filesize
64KB

Download
memory/492-54-0x0000000004630000-0x0000000004640000-memory.dmp

Filesize
64KB

Download
memory/492-32-0x0000000004B20000-0x0000000004B42000-memory.dmp

Filesize
136KB

Download
memory/492-50-0x0000000005BB0000-0x0000000005BFC000-memory.dmp

Filesize
304KB

Download
memory/492-34-0x0000000004BC0000-0x0000000004C26000-memory.dmp

Filesize
408KB

Download
memory/492-49-0x0000000005B80000-0x0000000005B9E000-memory.dmp

Filesize
120KB

Download
memory/3132-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3132-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3132-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3132-112-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3132-104-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3132-111-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3132-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3132-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3132-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3132-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3132-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3132-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3132-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3132-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3132-103-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3132-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3132-96-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3132-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3132-95-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3132-88-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3132-87-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3992-18-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/3992-6-0x00000000059B0000-0x00000000059C6000-memory.dmp

Filesize
88KB

Download
memory/3992-5-0x0000000005820000-0x000000000582A000-memory.dmp

Filesize
40KB

Download
memory/3992-7-0x0000000005E00000-0x0000000005E08000-memory.dmp

Filesize
32KB

Download
memory/3992-1-0x0000000000D40000-0x0000000000E24000-memory.dmp

Filesize
912KB

Download
memory/3992-8-0x0000000005E10000-0x0000000005E1C000-memory.dmp

Filesize
48KB

Download
memory/3992-9-0x0000000007270000-0x0000000007330000-memory.dmp

Filesize
768KB

Download
memory/3992-0-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/3992-3-0x0000000005870000-0x0000000005902000-memory.dmp

Filesize
584KB

Download
memory/3992-4-0x00000000057E0000-0x00000000057F0000-memory.dmp

Filesize
64KB

Download
memory/3992-26-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/3992-10-0x0000000009900000-0x000000000999C000-memory.dmp

Filesize
624KB

Download
memory/3992-2-0x0000000005E20000-0x00000000063C4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads