remcos | 0ecb16045471931b0f4ae4e6090798f3c983b74bb4fc53393aacb317eb834141

Resubmissions

24/04/2024, 09:42

240424-lpkkcage44 10

10/04/2024, 07:03

240410-hvephafc64 10

Analysis

max time kernel
138s
max time network
141s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GST Certificate.exe
Size

624KB
MD5

dbf4b372a3908f1474045ee2ebd99688
SHA1

551ac7acf871beb4eed8218628c7d79e72cd1487
SHA256

febaf2e4a4f46a0d9cde131025f1ef3106dbf8589a0af7758d3893f9b602f2a8
SHA512

2f546b3c5ba52d891bf7ddd3586bd446c4dd608667a83ce81a551da70420facb474b3d3ff9303e7c184f5731318db5758bd0ad8639ad4eb6ca0f7c44dafe1633
SSDEEP

12288:XZNR4EoOBKMNHlgkk5B5sf6ypaU0vyG2LGcJmcMmlfW189Jmw6EAmD:RoOBrBltckSypaHvy/dO1T

Score

10^/10

remcos host persistence rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

104.254.90.187:9704

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
team
keylog_path
%AppData%
mouse_option
false
mutex
remcos_vseandhklfzfgjj
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
2452	remcos.exe
1828	remcos.exe

Loads dropped DLL 1 IoCs

pid	Process
2664	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	GST Certificate.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2872 set thread context of 2428	2872	GST Certificate.exe	34
PID 2452 set thread context of 1828	2452	remcos.exe	45

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2880	schtasks.exe
1312	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2840	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2872	GST Certificate.exe
2872	GST Certificate.exe
2644	powershell.exe
2616	powershell.exe
2452	remcos.exe
592	powershell.exe
588	powershell.exe
2452	remcos.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	GST Certificate.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2452	remcos.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1828	remcos.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2616	2872	GST Certificate.exe	28
PID 2872 wrote to memory of 2616	2872	GST Certificate.exe	28
PID 2872 wrote to memory of 2616	2872	GST Certificate.exe	28
PID 2872 wrote to memory of 2616	2872	GST Certificate.exe	28
PID 2872 wrote to memory of 2644	2872	GST Certificate.exe	30
PID 2872 wrote to memory of 2644	2872	GST Certificate.exe	30
PID 2872 wrote to memory of 2644	2872	GST Certificate.exe	30
PID 2872 wrote to memory of 2644	2872	GST Certificate.exe	30
PID 2872 wrote to memory of 2880	2872	GST Certificate.exe	32
PID 2872 wrote to memory of 2880	2872	GST Certificate.exe	32
PID 2872 wrote to memory of 2880	2872	GST Certificate.exe	32
PID 2872 wrote to memory of 2880	2872	GST Certificate.exe	32
PID 2872 wrote to memory of 2428	2872	GST Certificate.exe	34
PID 2872 wrote to memory of 2428	2872	GST Certificate.exe	34
PID 2872 wrote to memory of 2428	2872	GST Certificate.exe	34
PID 2872 wrote to memory of 2428	2872	GST Certificate.exe	34
PID 2872 wrote to memory of 2428	2872	GST Certificate.exe	34
PID 2872 wrote to memory of 2428	2872	GST Certificate.exe	34
PID 2872 wrote to memory of 2428	2872	GST Certificate.exe	34
PID 2872 wrote to memory of 2428	2872	GST Certificate.exe	34
PID 2872 wrote to memory of 2428	2872	GST Certificate.exe	34
PID 2872 wrote to memory of 2428	2872	GST Certificate.exe	34
PID 2428 wrote to memory of 2664	2428	GST Certificate.exe	35
PID 2428 wrote to memory of 2664	2428	GST Certificate.exe	35
PID 2428 wrote to memory of 2664	2428	GST Certificate.exe	35
PID 2428 wrote to memory of 2664	2428	GST Certificate.exe	35
PID 2428 wrote to memory of 2664	2428	GST Certificate.exe	35
PID 2428 wrote to memory of 2664	2428	GST Certificate.exe	35
PID 2428 wrote to memory of 2664	2428	GST Certificate.exe	35
PID 2664 wrote to memory of 2840	2664	cmd.exe	37
PID 2664 wrote to memory of 2840	2664	cmd.exe	37
PID 2664 wrote to memory of 2840	2664	cmd.exe	37
PID 2664 wrote to memory of 2840	2664	cmd.exe	37
PID 2664 wrote to memory of 2452	2664	cmd.exe	38
PID 2664 wrote to memory of 2452	2664	cmd.exe	38
PID 2664 wrote to memory of 2452	2664	cmd.exe	38
PID 2664 wrote to memory of 2452	2664	cmd.exe	38
PID 2452 wrote to memory of 592	2452	remcos.exe	39
PID 2452 wrote to memory of 592	2452	remcos.exe	39
PID 2452 wrote to memory of 592	2452	remcos.exe	39
PID 2452 wrote to memory of 592	2452	remcos.exe	39
PID 2452 wrote to memory of 588	2452	remcos.exe	41
PID 2452 wrote to memory of 588	2452	remcos.exe	41
PID 2452 wrote to memory of 588	2452	remcos.exe	41
PID 2452 wrote to memory of 588	2452	remcos.exe	41
PID 2452 wrote to memory of 1312	2452	remcos.exe	42
PID 2452 wrote to memory of 1312	2452	remcos.exe	42
PID 2452 wrote to memory of 1312	2452	remcos.exe	42
PID 2452 wrote to memory of 1312	2452	remcos.exe	42
PID 2452 wrote to memory of 1828	2452	remcos.exe	45
PID 2452 wrote to memory of 1828	2452	remcos.exe	45
PID 2452 wrote to memory of 1828	2452	remcos.exe	45
PID 2452 wrote to memory of 1828	2452	remcos.exe	45
PID 2452 wrote to memory of 1828	2452	remcos.exe	45
PID 2452 wrote to memory of 1828	2452	remcos.exe	45
PID 2452 wrote to memory of 1828	2452	remcos.exe	45
PID 2452 wrote to memory of 1828	2452	remcos.exe	45
PID 2452 wrote to memory of 1828	2452	remcos.exe	45
PID 2452 wrote to memory of 1828	2452	remcos.exe	45

C:\Users\Admin\AppData\Local\Temp\GST Certificate.exe
"C:\Users\Admin\AppData\Local\Temp\GST Certificate.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\GST Certificate.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FxeJGDxcWPISK.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FxeJGDxcWPISK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp736B.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2880
- C:\Users\Admin\AppData\Local\Temp\GST Certificate.exe
  "C:\Users\Admin\AppData\Local\Temp\GST Certificate.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:2840
  - - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
      "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FxeJGDxcWPISK.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FxeJGDxcWPISK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpABF8.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:1312
    - - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
99B

MD5
76c1687d97dfdbcea62ef1490bec5001

SHA1
5f4d1aeafa7d840cde67b76f97416dd68efd1bed

SHA256
79f04ea049979ffd2232c459fdd57fae97a5255aea9b4a2c7dce7ead856f37a4

SHA512
da250f0628632a644f159d818a82a8b9cca8224e46843bddbe0f6f9c32a2d04f7736a620af49ab6d77616317ca7d68285e60043965fe86c03d940835bd30a925

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp736B.tmp

Filesize
1KB

MD5
2c9f8940037fab31bfeaab55956f5477

SHA1
46a415ef76658955554298862051e03442fda737

SHA256
c214d0d083a3386ce815f0677fb6012a03af7549e983d4b2b2f725027bc32fca

SHA512
8c056fd8060622c218e21d4f3396900fdaa3d8e1cc185bca14f4de97f68911845478b0c45a85295d28cadba0341157a9c64a3340f62f8bdec1a4cffc2a14b882

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PF8VSGSE788NSK1T2UGN.temp

Filesize
7KB

MD5
c300338df47d2e0480e19b74b73f5325

SHA1
5b93354b438a782d4cce9470aab5c7c6290e4ecb

SHA256
24fda01120a73074a1ab2729575e3e4c3390fa854f027b5d24c1376f7b2fd44e

SHA512
b3c48ef8a6daa94ef19bc0d343824cfd715f229f614525130da87601ef250cfece10a27cf73714fa5737550d90abac83713b18756a515056b8f6f1ba9347ad1a

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

Filesize
624KB

MD5
dbf4b372a3908f1474045ee2ebd99688

SHA1
551ac7acf871beb4eed8218628c7d79e72cd1487

SHA256
febaf2e4a4f46a0d9cde131025f1ef3106dbf8589a0af7758d3893f9b602f2a8

SHA512
2f546b3c5ba52d891bf7ddd3586bd446c4dd608667a83ce81a551da70420facb474b3d3ff9303e7c184f5731318db5758bd0ad8639ad4eb6ca0f7c44dafe1633

Download Submit
memory/588-94-0x000000006F410000-0x000000006F9BB000-memory.dmp

Filesize
5.7MB

Download
memory/588-99-0x000000006F410000-0x000000006F9BB000-memory.dmp

Filesize
5.7MB

Download
memory/588-95-0x000000006F410000-0x000000006F9BB000-memory.dmp

Filesize
5.7MB

Download
memory/588-96-0x0000000002800000-0x0000000002840000-memory.dmp

Filesize
256KB

Download
memory/592-91-0x00000000028F0000-0x0000000002930000-memory.dmp

Filesize
256KB

Download
memory/592-98-0x000000006F410000-0x000000006F9BB000-memory.dmp

Filesize
5.7MB

Download
memory/592-84-0x000000006F410000-0x000000006F9BB000-memory.dmp

Filesize
5.7MB

Download
memory/592-85-0x00000000028F0000-0x0000000002930000-memory.dmp

Filesize
256KB

Download
memory/592-89-0x000000006F410000-0x000000006F9BB000-memory.dmp

Filesize
5.7MB

Download
memory/592-93-0x00000000028F0000-0x0000000002930000-memory.dmp

Filesize
256KB

Download
memory/1828-114-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1828-116-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1828-100-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1828-115-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1828-111-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1828-103-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1828-97-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1828-110-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1828-113-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1828-101-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1828-92-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1828-104-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1828-112-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1828-117-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1828-88-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1828-107-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1828-108-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1828-86-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1828-109-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1828-79-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2428-32-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-23-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-19-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-25-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-27-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2428-30-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-43-0x0000000000401000-0x0000000000410000-memory.dmp

Filesize
60KB

Download
memory/2452-56-0x0000000071D20000-0x000000007240E000-memory.dmp

Filesize
6.9MB

Download
memory/2452-87-0x0000000071D20000-0x000000007240E000-memory.dmp

Filesize
6.9MB

Download
memory/2452-58-0x0000000004C20000-0x0000000004C60000-memory.dmp

Filesize
256KB

Download
memory/2452-57-0x0000000000CA0000-0x0000000000D40000-memory.dmp

Filesize
640KB

Download
memory/2616-44-0x000000006E210000-0x000000006E7BB000-memory.dmp

Filesize
5.7MB

Download
memory/2616-46-0x0000000002540000-0x0000000002580000-memory.dmp

Filesize
256KB

Download
memory/2616-51-0x0000000002540000-0x0000000002580000-memory.dmp

Filesize
256KB

Download
memory/2616-49-0x000000006E210000-0x000000006E7BB000-memory.dmp

Filesize
5.7MB

Download
memory/2616-60-0x000000006E210000-0x000000006E7BB000-memory.dmp

Filesize
5.7MB

Download
memory/2644-52-0x00000000025F0000-0x0000000002630000-memory.dmp

Filesize
256KB

Download
memory/2644-45-0x000000006E210000-0x000000006E7BB000-memory.dmp

Filesize
5.7MB

Download
memory/2644-50-0x00000000025F0000-0x0000000002630000-memory.dmp

Filesize
256KB

Download
memory/2644-48-0x000000006E210000-0x000000006E7BB000-memory.dmp

Filesize
5.7MB

Download
memory/2644-59-0x000000006E210000-0x000000006E7BB000-memory.dmp

Filesize
5.7MB

Download
memory/2872-33-0x0000000073CF0000-0x00000000743DE000-memory.dmp

Filesize
6.9MB

Download
memory/2872-0-0x0000000000350000-0x00000000003F0000-memory.dmp

Filesize
640KB

Download
memory/2872-6-0x0000000004610000-0x0000000004670000-memory.dmp

Filesize
384KB

Download
memory/2872-5-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/2872-4-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/2872-3-0x0000000000430000-0x000000000044C000-memory.dmp

Filesize
112KB

Download
memory/2872-2-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2872-1-0x0000000073CF0000-0x00000000743DE000-memory.dmp

Filesize
6.9MB

Download