remcos | a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490

General

Target

a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
Size

998KB
MD5

3c799830186bb6a7d63083ba711c551d
SHA1

c6b90d7469836e55207608fe46ca201a83d3aa47
SHA256

a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490
SHA512

b9719254257581c6648fbe7f3c379326f96a299d6c46bd7870c88917a70fcc1c13f2ca1ed148b42e13958a31b78fc53c9a1a047838aea1ace46e02881bc86494
SSDEEP

12288:ukH6ayww0yNDAooku24inFf7DCwHVr1cErwHJ5Z2r4cdhu6YgX7ZL2OvIpdbMaGv:r6ajKqo+2rnF9SHYkGTX9KOAr/xAP

Score

10^/10

remcos host rat

Malware Config

Extracted

Family

remcos

Botnet

Host

C2

37.120.235.114:2269

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-FCA9SV
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 25 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2624-25-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2624-24-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2624-26-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2624-28-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2624-31-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2624-27-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2624-34-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2624-35-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2624-36-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2624-39-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2624-40-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2624-38-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2624-46-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2624-47-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2624-48-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2624-53-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2624-54-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2624-60-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2624-61-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2624-66-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2624-67-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2624-72-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2624-74-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2624-79-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2624-80-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Detects executables packed with SmartAssembly 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2388-4-0x00000000002D0000-0x00000000002DC000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Suspicious use of SetThreadContext 1 IoCs

Processes:

a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe

description	pid	process	target process
PID 2388 set thread context of 2624	2388	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2684 schtasks.exe

pid	process
2684	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exepowershell.exe

pid	process
2388	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
2608	powershell.exe
2388	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2388	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
Token: SeDebugPrivilege	2608	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe

pid process

2624 a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe

pid	process
2624	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe

C:\Users\Admin\AppData\Local\Temp\a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
"C:\Users\Admin\AppData\Local\Temp\a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eRiJQqC.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eRiJQqC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3736.tmp"
2⤵
- Creates scheduled task(s)
PID:2684

C:\Users\Admin\AppData\Local\Temp\a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
"C:\Users\Admin\AppData\Local\Temp\a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:2624

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
8ab31cf90f71eb0a2afba615312ba4ed

SHA1
b5ae20aa916d2f9e4f38dba3e5d5396034832dbe

SHA256
e9ff00fd1fb588e07e284f30cf96ed58008dee651fafbadffb484f24e8e2baec

SHA512
19f521d5633ae944e0210026c998bff81ed85f586930ae4e40c49148e6c08cca746309c51c014cdfcccbd736abd38feabed8d9e48ebe0b66a2c5688fbf2f8646

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3736.tmp
Filesize
1KB

MD5
5a651c009f5ddc3c275ab188569d242e

SHA1
6a38d427e739633a28669ee30f1e7422a5dd46ab

SHA256
d75e5a87b7b0e45d99baf77611f425da27080c719da21acbced1596abc8b5889

SHA512
71844cfb586eead2cd5f000e50ca0d6b7a70a2b3c6645a2ec3091807c346d3ce6038f8a8c5de5523fdcb6103f68e63d32f6ef0132f3f447fcbcb584c74521e3e

Download Submit
memory/2388-33-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2388-0-0x00000000009D0000-0x0000000000AD0000-memory.dmp

Filesize
1024KB

Download
memory/2388-5-0x0000000005280000-0x0000000005340000-memory.dmp

Filesize
768KB

Download
memory/2388-2-0x00000000004A0000-0x00000000004E0000-memory.dmp

Filesize
256KB

Download
memory/2388-4-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2388-3-0x0000000000270000-0x0000000000282000-memory.dmp

Filesize
72KB

Download
memory/2388-1-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2608-23-0x0000000002CA0000-0x0000000002CE0000-memory.dmp

Filesize
256KB

Download
memory/2608-41-0x000000006ECE0000-0x000000006F28B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-16-0x000000006ECE0000-0x000000006F28B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-18-0x000000006ECE0000-0x000000006F28B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-20-0x0000000002CA0000-0x0000000002CE0000-memory.dmp

Filesize
256KB

Download
memory/2608-21-0x0000000002CA0000-0x0000000002CE0000-memory.dmp

Filesize
256KB

Download
memory/2624-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2624-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-13-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-60-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-66-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-67-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-74-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-79-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2624-80-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

description	pid	process	target process
PID 2388 wrote to memory of 2608	2388	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	powershell.exe
PID 2388 wrote to memory of 2608	2388	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	powershell.exe
PID 2388 wrote to memory of 2608	2388	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	powershell.exe
PID 2388 wrote to memory of 2608	2388	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	powershell.exe
PID 2388 wrote to memory of 2684	2388	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	schtasks.exe
PID 2388 wrote to memory of 2684	2388	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	schtasks.exe
PID 2388 wrote to memory of 2684	2388	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	schtasks.exe
PID 2388 wrote to memory of 2684	2388	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	schtasks.exe
PID 2388 wrote to memory of 2624	2388	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
PID 2388 wrote to memory of 2624	2388	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
PID 2388 wrote to memory of 2624	2388	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
PID 2388 wrote to memory of 2624	2388	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
PID 2388 wrote to memory of 2624	2388	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
PID 2388 wrote to memory of 2624	2388	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
PID 2388 wrote to memory of 2624	2388	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
PID 2388 wrote to memory of 2624	2388	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
PID 2388 wrote to memory of 2624	2388	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
PID 2388 wrote to memory of 2624	2388	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
PID 2388 wrote to memory of 2624	2388	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
PID 2388 wrote to memory of 2624	2388	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
PID 2388 wrote to memory of 2624	2388	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads