remcos | 33cc55fef11d691d7728275b1e7dfc61520cef61bb0035de7dfb8e648f086f50

General

Target

GST e-Payment.NET.CMS4006900371.exe
Size

610KB
MD5

a83c7c19a689b683942bf29ebcc82e07
SHA1

535cdf86f5c064932fea71d169ba1c9e3acf4886
SHA256

33cc55fef11d691d7728275b1e7dfc61520cef61bb0035de7dfb8e648f086f50
SHA512

58cf11e78fcd01715e1ce9b0877b601d56f95681bc82986e0d7fc6d58a8a9169e28fa46a134bed1000672bd52fe7b2c291fff4bb3fe540d18ec240204bad1881
SSDEEP

12288:y0pei36RatdHmBK2h+RrUm1jkHui7jkNAMo6WDNGn7cX0O2eEAmD:Vpp36stJqDwRrp6Z7P6uGn4kO2e

Score

10^/10

remcos banksy execution rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

banksy

C2

62.102.148.166:3319

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
egsy
keylog_path
%AppData%
mouse_option
false
mutex
remcos_rpklfmytvo
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2588 powershell.exe
2940 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

GST e-Payment.NET.CMS4006900371.exe

description pid process target process

PID 1700 set thread context of 2428 1700 GST e-Payment.NET.CMS4006900371.exe GST e-Payment.NET.CMS4006900371.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2480 schtasks.exe

pid	process
2588	powershell.exe
2940	powershell.exe

description	pid	process	target process
PID 1700 set thread context of 2428	1700	GST e-Payment.NET.CMS4006900371.exe	GST e-Payment.NET.CMS4006900371.exe

pid	process
2480	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

GST e-Payment.NET.CMS4006900371.exepowershell.exepowershell.exe

pid	process
1700	GST e-Payment.NET.CMS4006900371.exe
1700	GST e-Payment.NET.CMS4006900371.exe
1700	GST e-Payment.NET.CMS4006900371.exe
1700	GST e-Payment.NET.CMS4006900371.exe
1700	GST e-Payment.NET.CMS4006900371.exe
1700	GST e-Payment.NET.CMS4006900371.exe
1700	GST e-Payment.NET.CMS4006900371.exe
1700	GST e-Payment.NET.CMS4006900371.exe
1700	GST e-Payment.NET.CMS4006900371.exe
2940	powershell.exe
2588	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

GST e-Payment.NET.CMS4006900371.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1700	GST e-Payment.NET.CMS4006900371.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

GST e-Payment.NET.CMS4006900371.exe

pid process

2428 GST e-Payment.NET.CMS4006900371.exe

pid	process
2428	GST e-Payment.NET.CMS4006900371.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

GST e-Payment.NET.CMS4006900371.exe

description	pid	process	target process
PID 1700 wrote to memory of 2588	1700	GST e-Payment.NET.CMS4006900371.exe	powershell.exe
PID 1700 wrote to memory of 2588	1700	GST e-Payment.NET.CMS4006900371.exe	powershell.exe
PID 1700 wrote to memory of 2588	1700	GST e-Payment.NET.CMS4006900371.exe	powershell.exe
PID 1700 wrote to memory of 2588	1700	GST e-Payment.NET.CMS4006900371.exe	powershell.exe
PID 1700 wrote to memory of 2940	1700	GST e-Payment.NET.CMS4006900371.exe	powershell.exe
PID 1700 wrote to memory of 2940	1700	GST e-Payment.NET.CMS4006900371.exe	powershell.exe
PID 1700 wrote to memory of 2940	1700	GST e-Payment.NET.CMS4006900371.exe	powershell.exe
PID 1700 wrote to memory of 2940	1700	GST e-Payment.NET.CMS4006900371.exe	powershell.exe
PID 1700 wrote to memory of 2480	1700	GST e-Payment.NET.CMS4006900371.exe	schtasks.exe
PID 1700 wrote to memory of 2480	1700	GST e-Payment.NET.CMS4006900371.exe	schtasks.exe
PID 1700 wrote to memory of 2480	1700	GST e-Payment.NET.CMS4006900371.exe	schtasks.exe
PID 1700 wrote to memory of 2480	1700	GST e-Payment.NET.CMS4006900371.exe	schtasks.exe
PID 1700 wrote to memory of 2428	1700	GST e-Payment.NET.CMS4006900371.exe	GST e-Payment.NET.CMS4006900371.exe
PID 1700 wrote to memory of 2428	1700	GST e-Payment.NET.CMS4006900371.exe	GST e-Payment.NET.CMS4006900371.exe
PID 1700 wrote to memory of 2428	1700	GST e-Payment.NET.CMS4006900371.exe	GST e-Payment.NET.CMS4006900371.exe
PID 1700 wrote to memory of 2428	1700	GST e-Payment.NET.CMS4006900371.exe	GST e-Payment.NET.CMS4006900371.exe
PID 1700 wrote to memory of 2428	1700	GST e-Payment.NET.CMS4006900371.exe	GST e-Payment.NET.CMS4006900371.exe
PID 1700 wrote to memory of 2428	1700	GST e-Payment.NET.CMS4006900371.exe	GST e-Payment.NET.CMS4006900371.exe
PID 1700 wrote to memory of 2428	1700	GST e-Payment.NET.CMS4006900371.exe	GST e-Payment.NET.CMS4006900371.exe
PID 1700 wrote to memory of 2428	1700	GST e-Payment.NET.CMS4006900371.exe	GST e-Payment.NET.CMS4006900371.exe
PID 1700 wrote to memory of 2428	1700	GST e-Payment.NET.CMS4006900371.exe	GST e-Payment.NET.CMS4006900371.exe
PID 1700 wrote to memory of 2428	1700	GST e-Payment.NET.CMS4006900371.exe	GST e-Payment.NET.CMS4006900371.exe

C:\Users\Admin\AppData\Local\Temp\GST e-Payment.NET.CMS4006900371.exe
"C:\Users\Admin\AppData\Local\Temp\GST e-Payment.NET.CMS4006900371.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\GST e-Payment.NET.CMS4006900371.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SlFGRFDB.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SlFGRFDB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp73B9.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2480
- C:\Users\Admin\AppData\Local\Temp\GST e-Payment.NET.CMS4006900371.exe
  "C:\Users\Admin\AppData\Local\Temp\GST e-Payment.NET.CMS4006900371.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp73B9.tmp

Filesize
1KB

MD5
e8b3c5e79255ac45a9ce440bb0e9c124

SHA1
800a6c65eee88282ccc64356364e7c3f2e39b31b

SHA256
73e7578f6db2242f4bd95d837937d9efc4e426c56d4edd12abc55107d71f7fbb

SHA512
a1cf43319289066ab5bb53f07ed4cf4c77ba7ea5190ea99081137b0284789b9eb2b7a21c99cc7c147c55733bce5d1cd35a210806be52193c08254efa5263fab3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XSCWNBZEUWVW98TR3JE0.temp

Filesize
7KB

MD5
a3e6aa54cce71f92a3957a7a05fd7661

SHA1
298c29b813c232e965b2408e334e79edcbeb6c44

SHA256
9ba7a82b49617ef6ba5d20f83cff6aeae8629d2e063128afb32052fd86884db3

SHA512
7131bb9ba3faad5a87a12dd5f647fbd7b28f1bd6c0dfe77c5bd170afd8ef2d25c7ae7e56d7efb2e4cdcc047f38a931fca9917ff84d8ec3a7720776d606f44a55

Download Submit
memory/1700-0-0x00000000743BE000-0x00000000743BF000-memory.dmp

Filesize
4KB

Download
memory/1700-1-0x0000000000CC0000-0x0000000000D5E000-memory.dmp

Filesize
632KB

Download
memory/1700-2-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/1700-3-0x0000000000560000-0x0000000000582000-memory.dmp

Filesize
136KB

Download
memory/1700-4-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/1700-5-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/1700-6-0x0000000004AC0000-0x0000000004B1E000-memory.dmp

Filesize
376KB

Download
memory/1700-7-0x00000000743BE000-0x00000000743BF000-memory.dmp

Filesize
4KB

Download
memory/1700-8-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/1700-37-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/2428-25-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-29-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-27-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-32-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-23-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-33-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-34-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-38-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-39-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2428-43-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-45-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-44-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-46-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-47-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-48-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-49-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-50-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-51-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-52-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-53-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads