remcos | 6f35ab9d6aed8b8df1754149da79be5cdadae7b5366e8f2be46d9370f7e920c0

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2024 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Server.ps1
Size

1.6MB
MD5

b5795726bb04f5f9584184ae1f50777b
SHA1

91b250e76c41066a009b70200c5254a40980228b
SHA256

5d9ba7ab51a7d06ad420cb23f7c1e02b911fe2e25d7af1eebe25d1690231d784
SHA512

10ba2e523af4ccdf3e1e0867aa4d50a58919f5d39073bac17a8ab491f5ce09bcbda0730b9485a503adccfa323642b19e29879a0ad88f609d683080b668ef95fb
SSDEEP

6144:Bc4OfuoxyrvHyRmUVWZatYgOXqrDSArJFDN:xpul

Score

10^/10

remcos zgrat remotehost rat

Malware Config

Extracted

Family

remcos

Version

3.1.4 Pro

Botnet

RemoteHost

194.5.97.183:8888

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-I7JWWI
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral14/memory/956-13-0x000001FD58E10000-0x000001FD58E2E000-memory.dmp	family_zgrat_v1

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 956 set thread context of 4332 956 powershell.exe aspnet_regbrowsers.exe

description	pid	process	target process
PID 956 set thread context of 4332	956	powershell.exe	aspnet_regbrowsers.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

powershell.exe

pid	process
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 956 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

aspnet_regbrowsers.exe

pid process

4332 aspnet_regbrowsers.exe

description	pid	process
Token: SeDebugPrivilege	956	powershell.exe

pid	process
4332	aspnet_regbrowsers.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 956 wrote to memory of 3588	956	powershell.exe	aspnet_regbrowsers.exe
PID 956 wrote to memory of 3588	956	powershell.exe	aspnet_regbrowsers.exe
PID 956 wrote to memory of 3588	956	powershell.exe	aspnet_regbrowsers.exe
PID 956 wrote to memory of 3372	956	powershell.exe	aspnet_regbrowsers.exe
PID 956 wrote to memory of 3372	956	powershell.exe	aspnet_regbrowsers.exe
PID 956 wrote to memory of 3372	956	powershell.exe	aspnet_regbrowsers.exe
PID 956 wrote to memory of 64	956	powershell.exe	aspnet_regbrowsers.exe
PID 956 wrote to memory of 64	956	powershell.exe	aspnet_regbrowsers.exe
PID 956 wrote to memory of 64	956	powershell.exe	aspnet_regbrowsers.exe
PID 956 wrote to memory of 1380	956	powershell.exe	aspnet_regbrowsers.exe
PID 956 wrote to memory of 1380	956	powershell.exe	aspnet_regbrowsers.exe
PID 956 wrote to memory of 1380	956	powershell.exe	aspnet_regbrowsers.exe
PID 956 wrote to memory of 3860	956	powershell.exe	aspnet_regbrowsers.exe
PID 956 wrote to memory of 3860	956	powershell.exe	aspnet_regbrowsers.exe
PID 956 wrote to memory of 3860	956	powershell.exe	aspnet_regbrowsers.exe
PID 956 wrote to memory of 4332	956	powershell.exe	aspnet_regbrowsers.exe
PID 956 wrote to memory of 4332	956	powershell.exe	aspnet_regbrowsers.exe
PID 956 wrote to memory of 4332	956	powershell.exe	aspnet_regbrowsers.exe
PID 956 wrote to memory of 4332	956	powershell.exe	aspnet_regbrowsers.exe
PID 956 wrote to memory of 4332	956	powershell.exe	aspnet_regbrowsers.exe
PID 956 wrote to memory of 4332	956	powershell.exe	aspnet_regbrowsers.exe
PID 956 wrote to memory of 4332	956	powershell.exe	aspnet_regbrowsers.exe
PID 956 wrote to memory of 4332	956	powershell.exe	aspnet_regbrowsers.exe
PID 956 wrote to memory of 4332	956	powershell.exe	aspnet_regbrowsers.exe
PID 956 wrote to memory of 4332	956	powershell.exe	aspnet_regbrowsers.exe
PID 956 wrote to memory of 4332	956	powershell.exe	aspnet_regbrowsers.exe
PID 956 wrote to memory of 4332	956	powershell.exe	aspnet_regbrowsers.exe
PID 956 wrote to memory of 1616	956	powershell.exe	wermgr.exe
PID 956 wrote to memory of 1616	956	powershell.exe	wermgr.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Server.ps1
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
2⤵
PID:3588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
2⤵
PID:3372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
2⤵
PID:64

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
2⤵
PID:1380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
2⤵
PID:3860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:4332

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "956" "2292" "2244" "2296" "0" "0" "2300" "0" "0" "0" "0" "0"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:1616

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4zhmv2nj.yee.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat
Filesize
262B

MD5
678aa56e8c0fd6a936ebf9965275760f

SHA1
7d4a1e85eea7d57f81d7bfdca3e9ab033a5b5ae8

SHA256
fe5a1815b6420470c5c9933d0d73ddfe734643d6b59b1fe4d2b84a6cae6181fe

SHA512
6ae7b4791b0ef65dff603fe0cc68079c32936c0b1a2705eea8fd9340205beae03b910adae26767560f6457ecab9e8f12a2260d37fced174030ae35b986b1bf2d

Download Submit
memory/956-24-0x00007FF9B9FE0000-0x00007FF9BAAA1000-memory.dmp

Filesize
10.8MB

Download
memory/956-10-0x00007FF9B9FE0000-0x00007FF9BAAA1000-memory.dmp

Filesize
10.8MB

Download
memory/956-11-0x000001FD40560000-0x000001FD40570000-memory.dmp

Filesize
64KB

Download
memory/956-13-0x000001FD58E10000-0x000001FD58E2E000-memory.dmp

Filesize
120KB

Download
memory/956-12-0x000001FD40560000-0x000001FD40570000-memory.dmp

Filesize
64KB

Download
memory/956-56-0x00007FF9B9FE0000-0x00007FF9BAAA1000-memory.dmp

Filesize
10.8MB

Download
memory/956-1-0x000001FD40570000-0x000001FD40592000-memory.dmp

Filesize
136KB

Download
memory/956-26-0x000001FD40560000-0x000001FD40570000-memory.dmp

Filesize
64KB

Download
memory/956-25-0x000001FD40560000-0x000001FD40570000-memory.dmp

Filesize
64KB

Download
memory/4332-14-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4332-20-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4332-19-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4332-17-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4332-16-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4332-29-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4332-15-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download