remcos | 2a0a27371b6f4d355c3264fcc668d8a0fe1af7ebb8b19dca3b5cdf20a3282d65

General

Target

GST e-Payment Challan.exe
Size

548KB
MD5

10a4cb3233c444bcf6211100ab9bad9a
SHA1

2f4a679479fdff9d22226676d7a7eacab84311eb
SHA256

2a0a27371b6f4d355c3264fcc668d8a0fe1af7ebb8b19dca3b5cdf20a3282d65
SHA512

0c847f9723d1e65a03d0e129555160a7730e3ab4625d488540dd82dc968b354e31ab042dd820da6b61662af62d0687696e458440ab66b940e3fa168c09af9303
SSDEEP

12288:FUH8UsiMHGMZY/QZsg4rvpvK9+uH2OG/4RY+ajkrSyxPln+07bSsEAmD:yH8XvHFA6sgyvxK4uHBLRPaArSuPl19

Score

10^/10

remcos gg rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

gg

C2

62.102.148.185:9771

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
newstart
keylog_path
%AppData%
mouse_option
false
mutex
remcos_wgwfvnfssp
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 1 IoCs

Processes:

GST e-Payment Challan.exe

description pid process target process

PID 2892 set thread context of 2436 2892 GST e-Payment Challan.exe GST e-Payment Challan.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2776 schtasks.exe

description	pid	process	target process
PID 2892 set thread context of 2436	2892	GST e-Payment Challan.exe	GST e-Payment Challan.exe

pid	process
2776	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

GST e-Payment Challan.exepowershell.exepowershell.exe

pid	process
2892	GST e-Payment Challan.exe
2892	GST e-Payment Challan.exe
2892	GST e-Payment Challan.exe
2892	GST e-Payment Challan.exe
2892	GST e-Payment Challan.exe
2892	GST e-Payment Challan.exe
2892	GST e-Payment Challan.exe
2892	GST e-Payment Challan.exe
2892	GST e-Payment Challan.exe
2892	GST e-Payment Challan.exe
2612	powershell.exe
2552	powershell.exe
2892	GST e-Payment Challan.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

GST e-Payment Challan.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2892	GST e-Payment Challan.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

GST e-Payment Challan.exe

pid process

2436 GST e-Payment Challan.exe

pid	process
2436	GST e-Payment Challan.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

GST e-Payment Challan.exe

description	pid	process	target process
PID 2892 wrote to memory of 2612	2892	GST e-Payment Challan.exe	powershell.exe
PID 2892 wrote to memory of 2612	2892	GST e-Payment Challan.exe	powershell.exe
PID 2892 wrote to memory of 2612	2892	GST e-Payment Challan.exe	powershell.exe
PID 2892 wrote to memory of 2612	2892	GST e-Payment Challan.exe	powershell.exe
PID 2892 wrote to memory of 2552	2892	GST e-Payment Challan.exe	powershell.exe
PID 2892 wrote to memory of 2552	2892	GST e-Payment Challan.exe	powershell.exe
PID 2892 wrote to memory of 2552	2892	GST e-Payment Challan.exe	powershell.exe
PID 2892 wrote to memory of 2552	2892	GST e-Payment Challan.exe	powershell.exe
PID 2892 wrote to memory of 2776	2892	GST e-Payment Challan.exe	schtasks.exe
PID 2892 wrote to memory of 2776	2892	GST e-Payment Challan.exe	schtasks.exe
PID 2892 wrote to memory of 2776	2892	GST e-Payment Challan.exe	schtasks.exe
PID 2892 wrote to memory of 2776	2892	GST e-Payment Challan.exe	schtasks.exe
PID 2892 wrote to memory of 2876	2892	GST e-Payment Challan.exe	GST e-Payment Challan.exe
PID 2892 wrote to memory of 2876	2892	GST e-Payment Challan.exe	GST e-Payment Challan.exe
PID 2892 wrote to memory of 2876	2892	GST e-Payment Challan.exe	GST e-Payment Challan.exe
PID 2892 wrote to memory of 2876	2892	GST e-Payment Challan.exe	GST e-Payment Challan.exe
PID 2892 wrote to memory of 2436	2892	GST e-Payment Challan.exe	GST e-Payment Challan.exe
PID 2892 wrote to memory of 2436	2892	GST e-Payment Challan.exe	GST e-Payment Challan.exe
PID 2892 wrote to memory of 2436	2892	GST e-Payment Challan.exe	GST e-Payment Challan.exe
PID 2892 wrote to memory of 2436	2892	GST e-Payment Challan.exe	GST e-Payment Challan.exe
PID 2892 wrote to memory of 2436	2892	GST e-Payment Challan.exe	GST e-Payment Challan.exe
PID 2892 wrote to memory of 2436	2892	GST e-Payment Challan.exe	GST e-Payment Challan.exe
PID 2892 wrote to memory of 2436	2892	GST e-Payment Challan.exe	GST e-Payment Challan.exe
PID 2892 wrote to memory of 2436	2892	GST e-Payment Challan.exe	GST e-Payment Challan.exe
PID 2892 wrote to memory of 2436	2892	GST e-Payment Challan.exe	GST e-Payment Challan.exe
PID 2892 wrote to memory of 2436	2892	GST e-Payment Challan.exe	GST e-Payment Challan.exe

C:\Users\Admin\AppData\Local\Temp\GST e-Payment Challan.exe
"C:\Users\Admin\AppData\Local\Temp\GST e-Payment Challan.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\GST e-Payment Challan.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oFkpbhjTJbn.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oFkpbhjTJbn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp82A7.tmp"
2⤵
- Creates scheduled task(s)
PID:2776

C:\Users\Admin\AppData\Local\Temp\GST e-Payment Challan.exe
"C:\Users\Admin\AppData\Local\Temp\GST e-Payment Challan.exe"
2⤵
PID:2876

C:\Users\Admin\AppData\Local\Temp\GST e-Payment Challan.exe
"C:\Users\Admin\AppData\Local\Temp\GST e-Payment Challan.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:2436

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp82A7.tmp
Filesize
1KB

MD5
d3cb75415f43086f38d934eb2e2bc892

SHA1
95e9c1b18358fae669575b3219b2dddc9232b633

SHA256
e3b0d6c5649efbafb522be819875122ed2605ea40f8edc0a2a3215868290ded0

SHA512
69873d2dc662ff7a5bd1949e2d892fe2661fc42e25284dda7f1683d72c4cfb7c9fffafaea48d7c53f966693208dca3f19342bbe81f8aea0dd9deb89b23761595

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PX5IRDVB0TRIGX3YLASH.temp
Filesize
7KB

MD5
dab55a2b09f704f9f68e912dbecfa0d8

SHA1
2bf157e7246c985ab6657dd85279b34987f112fc

SHA256
59ce2a8374e384a174f9d9f9b76a114cd9637f469de59e069c9ab5bb848e7c2b

SHA512
a2e014b5928df52a6d6bb703fa997ad5d4f82ae05c524b5a44ddd3bcc245c99da818ebe24a708ad6976d2f2e1f2f51a1358957af1eb7043bb4f6ac36c0972513

Download Submit
memory/2436-47-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-60-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-51-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-59-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-58-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-57-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-56-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-50-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-23-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-48-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2436-27-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-29-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-55-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-52-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-33-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-53-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-54-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-24-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-45-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-44-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2436-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2552-40-0x0000000002F20000-0x0000000002F60000-memory.dmp

Filesize
256KB

Download
memory/2552-43-0x000000006F490000-0x000000006FA3B000-memory.dmp

Filesize
5.7MB

Download
memory/2552-38-0x000000006F490000-0x000000006FA3B000-memory.dmp

Filesize
5.7MB

Download
memory/2552-34-0x000000006F490000-0x000000006FA3B000-memory.dmp

Filesize
5.7MB

Download
memory/2552-36-0x0000000002F20000-0x0000000002F60000-memory.dmp

Filesize
256KB

Download
memory/2612-41-0x000000006F490000-0x000000006FA3B000-memory.dmp

Filesize
5.7MB

Download
memory/2612-39-0x000000006F490000-0x000000006FA3B000-memory.dmp

Filesize
5.7MB

Download
memory/2612-37-0x0000000002790000-0x00000000027D0000-memory.dmp

Filesize
256KB

Download
memory/2612-35-0x000000006F490000-0x000000006FA3B000-memory.dmp

Filesize
5.7MB

Download
memory/2892-5-0x0000000005C20000-0x0000000005C80000-memory.dmp

Filesize
384KB

Download
memory/2892-0-0x0000000000A50000-0x0000000000ADE000-memory.dmp

Filesize
568KB

Download
memory/2892-3-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2892-30-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2892-1-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2892-2-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/2892-7-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/2892-6-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2892-4-0x0000000000320000-0x000000000032C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads