remcos | a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490

General

Target

a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
Size

998KB
MD5

3c799830186bb6a7d63083ba711c551d
SHA1

c6b90d7469836e55207608fe46ca201a83d3aa47
SHA256

a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490
SHA512

b9719254257581c6648fbe7f3c379326f96a299d6c46bd7870c88917a70fcc1c13f2ca1ed148b42e13958a31b78fc53c9a1a047838aea1ace46e02881bc86494
SSDEEP

12288:ukH6ayww0yNDAooku24inFf7DCwHVr1cErwHJ5Z2r4cdhu6YgX7ZL2OvIpdbMaGv:r6ajKqo+2rnF9SHYkGTX9KOAr/xAP

Score

10^/10

remcos host rat

Malware Config

Extracted

Family

remcos

Botnet

Host

C2

37.120.235.114:2269

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-FCA9SV
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 20 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4040-20-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4040-21-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4040-24-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4040-28-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4040-36-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4040-37-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4040-43-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4040-77-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4040-79-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4040-80-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4040-85-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4040-86-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4040-92-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4040-93-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4040-98-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4040-99-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4040-104-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4040-106-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4040-111-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4040-112-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Detects executables packed with SmartAssembly 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1168-8-0x0000000005250000-0x000000000525C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe

description	pid	process	target process
PID 1168 set thread context of 4040	1168	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4936 schtasks.exe

pid	process
4936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exepowershell.exe

pid	process
1168	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
2372	powershell.exe
1168	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
2372	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1168	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
Token: SeDebugPrivilege	2372	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe

pid process

4040 a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe

pid	process
4040	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe

C:\Users\Admin\AppData\Local\Temp\a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
"C:\Users\Admin\AppData\Local\Temp\a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eRiJQqC.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eRiJQqC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp75AD.tmp"
2⤵
- Creates scheduled task(s)
PID:4936

C:\Users\Admin\AppData\Local\Temp\a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
"C:\Users\Admin\AppData\Local\Temp\a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:4040

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
8ab31cf90f71eb0a2afba615312ba4ed

SHA1
b5ae20aa916d2f9e4f38dba3e5d5396034832dbe

SHA256
e9ff00fd1fb588e07e284f30cf96ed58008dee651fafbadffb484f24e8e2baec

SHA512
19f521d5633ae944e0210026c998bff81ed85f586930ae4e40c49148e6c08cca746309c51c014cdfcccbd736abd38feabed8d9e48ebe0b66a2c5688fbf2f8646

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4i3lblr0.3oo.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp75AD.tmp
Filesize
1KB

MD5
913c9da392a3931e0f247594c089b420

SHA1
b03b459e3d0913a35305b900b05b75c870b9b5ac

SHA256
58e84843037fac23347f8b39decb3979959cd4b19e89cb72629a25be50bf8247

SHA512
c13ac1cd7a8050e334bf25909b8defae7f642d1e4a5e08a8313a4adfbf6642756654f3b5fcc2871761fab9669a73d55d3cbbf8491569de0eeba4065f999177b9

Download Submit
memory/1168-5-0x0000000004D30000-0x0000000004D3A000-memory.dmp

Filesize
40KB

Download
memory/1168-3-0x0000000004D80000-0x0000000004E12000-memory.dmp

Filesize
584KB

Download
memory/1168-4-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

Filesize
64KB

Download
memory/1168-2-0x0000000005290000-0x0000000005834000-memory.dmp

Filesize
5.6MB

Download
memory/1168-6-0x0000000004FB0000-0x000000000504C000-memory.dmp

Filesize
624KB

Download
memory/1168-7-0x0000000004F90000-0x0000000004FA2000-memory.dmp

Filesize
72KB

Download
memory/1168-8-0x0000000005250000-0x000000000525C000-memory.dmp

Filesize
48KB

Download
memory/1168-9-0x00000000068A0000-0x0000000006960000-memory.dmp

Filesize
768KB

Download
memory/1168-29-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/1168-1-0x0000000000210000-0x0000000000310000-memory.dmp

Filesize
1024KB

Download
memory/1168-0-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/2372-45-0x0000000006390000-0x00000000063DC000-memory.dmp

Filesize
304KB

Download
memory/2372-42-0x0000000005D70000-0x00000000060C4000-memory.dmp

Filesize
3.3MB

Download
memory/2372-18-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/2372-25-0x0000000005C20000-0x0000000005C86000-memory.dmp

Filesize
408KB

Download
memory/2372-22-0x0000000005330000-0x0000000005352000-memory.dmp

Filesize
136KB

Download
memory/2372-26-0x0000000005D00000-0x0000000005D66000-memory.dmp

Filesize
408KB

Download
memory/2372-14-0x0000000004D10000-0x0000000004D46000-memory.dmp

Filesize
216KB

Download
memory/2372-73-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/2372-70-0x0000000007930000-0x0000000007938000-memory.dmp

Filesize
32KB

Download
memory/2372-69-0x0000000007950000-0x000000000796A000-memory.dmp

Filesize
104KB

Download
memory/2372-68-0x0000000007850000-0x0000000007864000-memory.dmp

Filesize
80KB

Download
memory/2372-67-0x0000000007840000-0x000000000784E000-memory.dmp

Filesize
56KB

Download
memory/2372-19-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/2372-66-0x0000000007810000-0x0000000007821000-memory.dmp

Filesize
68KB

Download
memory/2372-15-0x0000000005400000-0x0000000005A28000-memory.dmp

Filesize
6.2MB

Download
memory/2372-44-0x00000000062E0000-0x00000000062FE000-memory.dmp

Filesize
120KB

Download
memory/2372-16-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/2372-46-0x000000007F6C0000-0x000000007F6D0000-memory.dmp

Filesize
64KB

Download
memory/2372-47-0x00000000068B0000-0x00000000068E2000-memory.dmp

Filesize
200KB

Download
memory/2372-58-0x00000000074B0000-0x00000000074CE000-memory.dmp

Filesize
120KB

Download
memory/2372-60-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/2372-59-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/2372-48-0x0000000074C50000-0x0000000074C9C000-memory.dmp

Filesize
304KB

Download
memory/2372-61-0x00000000074D0000-0x0000000007573000-memory.dmp

Filesize
652KB

Download
memory/2372-63-0x0000000007610000-0x000000000762A000-memory.dmp

Filesize
104KB

Download
memory/2372-62-0x0000000007C50000-0x00000000082CA000-memory.dmp

Filesize
6.5MB

Download
memory/2372-64-0x0000000007680000-0x000000000768A000-memory.dmp

Filesize
40KB

Download
memory/2372-65-0x0000000007890000-0x0000000007926000-memory.dmp

Filesize
600KB

Download
memory/4040-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4040-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4040-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4040-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4040-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4040-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4040-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4040-79-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4040-80-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4040-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4040-85-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4040-86-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4040-92-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4040-93-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4040-98-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4040-99-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4040-104-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4040-106-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4040-111-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4040-112-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

description	pid	process	target process
PID 1168 wrote to memory of 2372	1168	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	powershell.exe
PID 1168 wrote to memory of 2372	1168	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	powershell.exe
PID 1168 wrote to memory of 2372	1168	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	powershell.exe
PID 1168 wrote to memory of 4936	1168	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	schtasks.exe
PID 1168 wrote to memory of 4936	1168	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	schtasks.exe
PID 1168 wrote to memory of 4936	1168	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	schtasks.exe
PID 1168 wrote to memory of 4040	1168	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
PID 1168 wrote to memory of 4040	1168	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
PID 1168 wrote to memory of 4040	1168	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
PID 1168 wrote to memory of 4040	1168	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
PID 1168 wrote to memory of 4040	1168	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
PID 1168 wrote to memory of 4040	1168	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
PID 1168 wrote to memory of 4040	1168	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
PID 1168 wrote to memory of 4040	1168	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
PID 1168 wrote to memory of 4040	1168	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
PID 1168 wrote to memory of 4040	1168	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
PID 1168 wrote to memory of 4040	1168	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
PID 1168 wrote to memory of 4040	1168	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe	a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads