remcos | 9eb61a37bbe20ca7abc38da6d92b15c654ce3005eac451d16699a01b7c15b0ee

Analysis

max time kernel
1798s
max time network
1778s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 15:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9eb61a37bbe20ca7abc38da6d92b15c654ce3005eac451d16699a01b7c15b0ee.exe
Size

863KB
MD5

dabe08d54fa304acf839f180c0ee1211
SHA1

34e9389367fffbf9edf77b4f973ff4f83bf14b87
SHA256

9eb61a37bbe20ca7abc38da6d92b15c654ce3005eac451d16699a01b7c15b0ee
SHA512

61b26ac129410af9404e53bc575045ccbcc2fd6af16a5201f6cef47875d767c2511868edfa026f6374b86ec238ac4251263701c5a7a7ef50c3b4d8efda62b7c1
SSDEEP

24576:epLBj972/zHgaqgEa8R4ztaRGcNpVnNRCxhO5shG5qt:el0/qgz8R4z0RDNpVTN5it

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

107.173.4.16:2560

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-KDW6BI
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 1 IoCs

pid	Process
2620	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2440	cmd.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	9eb61a37bbe20ca7abc38da6d92b15c654ce3005eac451d16699a01b7c15b0ee.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2620 set thread context of 528	2620	svchost.exe	40

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2524	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2536	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1048	NETSTAT.EXE

Runs regedit.exe 1 IoCs

pid	Process
2352	regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2804	9eb61a37bbe20ca7abc38da6d92b15c654ce3005eac451d16699a01b7c15b0ee.exe
2804	9eb61a37bbe20ca7abc38da6d92b15c654ce3005eac451d16699a01b7c15b0ee.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
528	iexplore.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	9eb61a37bbe20ca7abc38da6d92b15c654ce3005eac451d16699a01b7c15b0ee.exe
Token: SeDebugPrivilege	2620	svchost.exe
Token: SeDebugPrivilege	1048	NETSTAT.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
528	iexplore.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2680	2804	9eb61a37bbe20ca7abc38da6d92b15c654ce3005eac451d16699a01b7c15b0ee.exe	29
PID 2804 wrote to memory of 2680	2804	9eb61a37bbe20ca7abc38da6d92b15c654ce3005eac451d16699a01b7c15b0ee.exe	29
PID 2804 wrote to memory of 2680	2804	9eb61a37bbe20ca7abc38da6d92b15c654ce3005eac451d16699a01b7c15b0ee.exe	29
PID 2804 wrote to memory of 2440	2804	9eb61a37bbe20ca7abc38da6d92b15c654ce3005eac451d16699a01b7c15b0ee.exe	31
PID 2804 wrote to memory of 2440	2804	9eb61a37bbe20ca7abc38da6d92b15c654ce3005eac451d16699a01b7c15b0ee.exe	31
PID 2804 wrote to memory of 2440	2804	9eb61a37bbe20ca7abc38da6d92b15c654ce3005eac451d16699a01b7c15b0ee.exe	31
PID 2680 wrote to memory of 2524	2680	cmd.exe	33
PID 2680 wrote to memory of 2524	2680	cmd.exe	33
PID 2680 wrote to memory of 2524	2680	cmd.exe	33
PID 2440 wrote to memory of 2536	2440	cmd.exe	34
PID 2440 wrote to memory of 2536	2440	cmd.exe	34
PID 2440 wrote to memory of 2536	2440	cmd.exe	34
PID 2440 wrote to memory of 2620	2440	cmd.exe	35
PID 2440 wrote to memory of 2620	2440	cmd.exe	35
PID 2440 wrote to memory of 2620	2440	cmd.exe	35
PID 2620 wrote to memory of 2660	2620	svchost.exe	37
PID 2620 wrote to memory of 2660	2620	svchost.exe	37
PID 2620 wrote to memory of 2660	2620	svchost.exe	37
PID 2620 wrote to memory of 2660	2620	svchost.exe	37
PID 2620 wrote to memory of 2660	2620	svchost.exe	37
PID 2620 wrote to memory of 2660	2620	svchost.exe	37
PID 2620 wrote to memory of 2660	2620	svchost.exe	37
PID 2620 wrote to memory of 2660	2620	svchost.exe	37
PID 2620 wrote to memory of 2660	2620	svchost.exe	37
PID 2620 wrote to memory of 2660	2620	svchost.exe	37
PID 2620 wrote to memory of 2660	2620	svchost.exe	37
PID 2620 wrote to memory of 2660	2620	svchost.exe	37
PID 2620 wrote to memory of 2352	2620	svchost.exe	38
PID 2620 wrote to memory of 2352	2620	svchost.exe	38
PID 2620 wrote to memory of 2352	2620	svchost.exe	38
PID 2620 wrote to memory of 2352	2620	svchost.exe	38
PID 2620 wrote to memory of 2352	2620	svchost.exe	38
PID 2620 wrote to memory of 2352	2620	svchost.exe	38
PID 2620 wrote to memory of 2352	2620	svchost.exe	38
PID 2620 wrote to memory of 2352	2620	svchost.exe	38
PID 2620 wrote to memory of 2352	2620	svchost.exe	38
PID 2620 wrote to memory of 2352	2620	svchost.exe	38
PID 2620 wrote to memory of 2352	2620	svchost.exe	38
PID 2620 wrote to memory of 2784	2620	svchost.exe	39
PID 2620 wrote to memory of 2784	2620	svchost.exe	39
PID 2620 wrote to memory of 2784	2620	svchost.exe	39
PID 2620 wrote to memory of 2784	2620	svchost.exe	39
PID 2620 wrote to memory of 528	2620	svchost.exe	40
PID 2620 wrote to memory of 528	2620	svchost.exe	40
PID 2620 wrote to memory of 528	2620	svchost.exe	40
PID 2620 wrote to memory of 528	2620	svchost.exe	40
PID 2620 wrote to memory of 528	2620	svchost.exe	40
PID 2620 wrote to memory of 528	2620	svchost.exe	40
PID 2620 wrote to memory of 528	2620	svchost.exe	40
PID 2620 wrote to memory of 528	2620	svchost.exe	40
PID 2620 wrote to memory of 528	2620	svchost.exe	40
PID 2620 wrote to memory of 528	2620	svchost.exe	40
PID 2620 wrote to memory of 528	2620	svchost.exe	40
PID 2620 wrote to memory of 528	2620	svchost.exe	40
PID 2620 wrote to memory of 528	2620	svchost.exe	40
PID 2620 wrote to memory of 324	2620	svchost.exe	41
PID 2620 wrote to memory of 324	2620	svchost.exe	41
PID 2620 wrote to memory of 324	2620	svchost.exe	41
PID 2620 wrote to memory of 324	2620	svchost.exe	41
PID 2644 wrote to memory of 1048	2644	cmd.exe	48
PID 2644 wrote to memory of 1048	2644	cmd.exe	48
PID 2644 wrote to memory of 1048	2644	cmd.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9eb61a37bbe20ca7abc38da6d92b15c654ce3005eac451d16699a01b7c15b0ee.exe
"C:\Users\Admin\AppData\Local\Temp\9eb61a37bbe20ca7abc38da6d92b15c654ce3005eac451d16699a01b7c15b0ee.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:2524
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8BFA.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2536
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:2660
  - - C:\Windows\regedit.exe
      "C:\Windows\regedit.exe"
      4⤵
      Runs regedit.exe
      PID:2352
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
      4⤵
      PID:2784
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:528
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      PID:324

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\system32\NETSTAT.EXE
  netstat
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
586B

MD5
93dbb9b8b87ddd1a25adf29fe36b8cea

SHA1
dc170783d7e038b3bcbceef8ef3584fff7fc37f9

SHA256
31eb45fda1ad34fa859bf31b18f58f336865b2346a9096ec58ec4a2815151065

SHA512
00d1fb18107920fd756abcaabefe6972432043e96980a5f61dec459acb31adf3e69a2522d0833cd63c650e6e5fcfceeec479e933131840ad7fe11649f1745902

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
594B

MD5
6bcdbf4ec0ae4cc73083916eb5620986

SHA1
cd3758070312ae02ae1ce020b44bcc76586d990e

SHA256
05f5aa1b606bbef68e79f981b98b423c22b2453f0b35ff85e687ea20d5e11601

SHA512
a867ad0ecb4c953bff42296721012b6c0652bc69687891e9673e237c81a5d06597aee493882bcd07d0a9abbe7f00b77d62827ec3d4c8748ecbf5ebb3a4ce22b0

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
770B

MD5
90c153d737392d57daf51130162002c0

SHA1
97d5b86f6e48a8aaa7f07926c94f0edfaea007ee

SHA256
7d9c5702be35f61575bc1ecaefb9bfff3dc312382884e4b23a64c39f26a24b26

SHA512
2203e34c438546da1ba1af0a2a4bcb1ab2cda49308487c1282acd5a05067a66c7b4ff83296a5ea3ae71b163f502ce8f5655741443e00cc66ecc203d099a32f62

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
906B

MD5
03c3d19a4542b86e1feb0eae7a977eef

SHA1
cd45b6bffb73110ae30d1b8e592a1049738bd326

SHA256
8077c19fd4b219fe0ab3620efb168f722012d0906e3abaad73b311d324db39c6

SHA512
bf588dd3e7fd0b4e8483a8a976e656e3857780cc3a60eac24d3cb167f5fd2ab35eecdd83880b2cd96b4bb16f808884f31e7369e704406d61eaa4c498efb53326

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
988B

MD5
24219de063b65fd8927206b613f948d6

SHA1
4902083c6547cc5e54cdbb052f9469b23604ecc4

SHA256
e8271629bb29f06f31dac92dd756f74fd853d1de4048ae14bbcf1ba5c625b95c

SHA512
65c45c79daf5b6b81d40c5225d0fa9747c6aee053f4bcb32fc5f2cfde930db26b696ae30df0bd65d712cf252151c499c4e60733c1607c12d7ca9d9fd51b03f6d

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
270B

MD5
b986a046962ec0b85b6a9cc5ba6da535

SHA1
941a451adad0f44b9924319be21ba303a18b7d9f

SHA256
651ad1dbc6ad82090760b8c1de54b0ead1bac0bdd82933cd37b7b0102cdcf25f

SHA512
cd7be16c96e43ec346ba7018acbe78cd195cf53501c2f2ed8c245100122100f3cb3a4d819f29b14586601e9752fd80257483d45fc28f3d85cfd73c8810ef2f61

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
426B

MD5
e13ab8f0c1fabf25a28d4c739dc3fff5

SHA1
42071c64268dac2832b97897b2101c60941378b5

SHA256
57abde18012e20ae33e670a41561ffbf4a0ef1c78767650254ce125a083744a2

SHA512
0ad47bebcf41fa405cc92cf3de232eda26e876b30d66f24610a7118fb1f3d968f2edc28d5b3ae56bca74a35e78e75d5eb8dd45f99ee3a5feb52d2254fc5b6980

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8BFA.tmp.bat

Filesize
151B

MD5
3c7610d964a6131cdeb919788ff103f8

SHA1
52a57479b6e949ba9aa669b68d3b94064996dc61

SHA256
80180d28b11381fee5d2131f3b20e7c2122ca93b4397f99857195da83124a9c1

SHA512
282f36dee771e8f39fa0a5cc86db87b879449ecc29fb9d227161eb39d843d07684dc831fe090529a703570418c530cd297a627aed765557dbdb9ae8e83c1b602

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
863KB

MD5
dabe08d54fa304acf839f180c0ee1211

SHA1
34e9389367fffbf9edf77b4f973ff4f83bf14b87

SHA256
9eb61a37bbe20ca7abc38da6d92b15c654ce3005eac451d16699a01b7c15b0ee

SHA512
61b26ac129410af9404e53bc575045ccbcc2fd6af16a5201f6cef47875d767c2511868edfa026f6374b86ec238ac4251263701c5a7a7ef50c3b4d8efda62b7c1

Download Submit
memory/528-51-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2620-18-0x0000000000F90000-0x0000000000F9C000-memory.dmp

Filesize
48KB

Download
memory/2660-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2660-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2660-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2660-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2660-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2660-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2660-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2660-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2804-0-0x000007FEF53D3000-0x000007FEF53D4000-memory.dmp

Filesize
4KB

Download
memory/2804-13-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-3-0x000000001B130000-0x000000001B204000-memory.dmp

Filesize
848KB

Download
memory/2804-2-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-1-0x0000000000F50000-0x0000000000F5C000-memory.dmp

Filesize
48KB

Download