remcos | 33cc55fef11d691d7728275b1e7dfc61520cef61bb0035de7dfb8e648f086f50

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GST e-Payment.NET.CMS4006900371.exe
Size

610KB
MD5

a83c7c19a689b683942bf29ebcc82e07
SHA1

535cdf86f5c064932fea71d169ba1c9e3acf4886
SHA256

33cc55fef11d691d7728275b1e7dfc61520cef61bb0035de7dfb8e648f086f50
SHA512

58cf11e78fcd01715e1ce9b0877b601d56f95681bc82986e0d7fc6d58a8a9169e28fa46a134bed1000672bd52fe7b2c291fff4bb3fe540d18ec240204bad1881
SSDEEP

12288:y0pei36RatdHmBK2h+RrUm1jkHui7jkNAMo6WDNGn7cX0O2eEAmD:Vpp36stJqDwRrp6Z7P6uGn4kO2e

Score

10^/10

remcos banksy execution rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

banksy

62.102.148.166:3319

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
egsy
keylog_path
%AppData%
mouse_option
false
mutex
remcos_rpklfmytvo
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1288 powershell.exe
4692 powershell.exe

pid	process
1288	powershell.exe
4692	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GST e-Payment.NET.CMS4006900371.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	GST e-Payment.NET.CMS4006900371.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

GST e-Payment.NET.CMS4006900371.exe

description pid process target process

PID 1396 set thread context of 2772 1396 GST e-Payment.NET.CMS4006900371.exe GST e-Payment.NET.CMS4006900371.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2308 schtasks.exe

description	pid	process	target process
PID 1396 set thread context of 2772	1396	GST e-Payment.NET.CMS4006900371.exe	GST e-Payment.NET.CMS4006900371.exe

pid	process
2308	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

GST e-Payment.NET.CMS4006900371.exepowershell.exepowershell.exe

pid	process
1396	GST e-Payment.NET.CMS4006900371.exe
1396	GST e-Payment.NET.CMS4006900371.exe
1396	GST e-Payment.NET.CMS4006900371.exe
1396	GST e-Payment.NET.CMS4006900371.exe
1396	GST e-Payment.NET.CMS4006900371.exe
1396	GST e-Payment.NET.CMS4006900371.exe
1396	GST e-Payment.NET.CMS4006900371.exe
1396	GST e-Payment.NET.CMS4006900371.exe
1288	powershell.exe
4692	powershell.exe
1396	GST e-Payment.NET.CMS4006900371.exe
1396	GST e-Payment.NET.CMS4006900371.exe
1396	GST e-Payment.NET.CMS4006900371.exe
1396	GST e-Payment.NET.CMS4006900371.exe
1396	GST e-Payment.NET.CMS4006900371.exe
1288	powershell.exe
4692	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

GST e-Payment.NET.CMS4006900371.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1396	GST e-Payment.NET.CMS4006900371.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	4692	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

GST e-Payment.NET.CMS4006900371.exe

pid process

2772 GST e-Payment.NET.CMS4006900371.exe

pid	process
2772	GST e-Payment.NET.CMS4006900371.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

GST e-Payment.NET.CMS4006900371.exe

C:\Users\Admin\AppData\Local\Temp\GST e-Payment.NET.CMS4006900371.exe
"C:\Users\Admin\AppData\Local\Temp\GST e-Payment.NET.CMS4006900371.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\GST e-Payment.NET.CMS4006900371.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1288
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SlFGRFDB.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4692
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SlFGRFDB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF201.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2308
- C:\Users\Admin\AppData\Local\Temp\GST e-Payment.NET.CMS4006900371.exe
  "C:\Users\Admin\AppData\Local\Temp\GST e-Payment.NET.CMS4006900371.exe"
  2⤵
  PID:2240
- C:\Users\Admin\AppData\Local\Temp\GST e-Payment.NET.CMS4006900371.exe
  "C:\Users\Admin\AppData\Local\Temp\GST e-Payment.NET.CMS4006900371.exe"
  2⤵
  PID:1164
- C:\Users\Admin\AppData\Local\Temp\GST e-Payment.NET.CMS4006900371.exe
  "C:\Users\Admin\AppData\Local\Temp\GST e-Payment.NET.CMS4006900371.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
738b04a72ca16abe227581d0544384b5

SHA1
d8cc79ba2df97136a5da20f6f78ed74ef7251d78

SHA256
c710f0573a1a8a1e6917fd2c0fb56d5f38dde74032e1498b0918558956b90bda

SHA512
3f379ae308562f663bad535fc9cb55f43bde397e825925abd74089696108057ad8275d728c55b61040ba091601a9ead86f37f8beed3ca35ffdb8e06c25efda10

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_txbrl44a.xxq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF201.tmp

Filesize
1KB

MD5
ee6aa30803f7a714e18120a10e1d2284

SHA1
5d5bae173db2eb4e657d7a35f2fab976b65f502c

SHA256
7ad87ae5a584d95c6c7860a92ac38dd6d4e7c8c8ca3de775049cc55c4f83149b

SHA512
b2d4cf9b9fac8b7e6e9b82dcd1c82e1fd188677bcb2d81446cf3cc63889e9484ea275e869e2f3bbe46d22b1bfc6a1c4b8470af9b0f45240dbd95678b058f24ea

Download Submit
memory/1288-19-0x0000000004F60000-0x0000000005588000-memory.dmp

Filesize
6.2MB

Download
memory/1288-36-0x00000000057F0000-0x0000000005B44000-memory.dmp

Filesize
3.3MB

Download
memory/1288-23-0x0000000004E40000-0x0000000004E62000-memory.dmp

Filesize
136KB

Download
memory/1288-55-0x0000000006220000-0x000000000626C000-memory.dmp

Filesize
304KB

Download
memory/1288-98-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/1288-53-0x0000000005CD0000-0x0000000005CEE000-memory.dmp

Filesize
120KB

Download
memory/1288-82-0x0000000007640000-0x0000000007CBA000-memory.dmp

Filesize
6.5MB

Download
memory/1288-30-0x0000000004EE0000-0x0000000004F46000-memory.dmp

Filesize
408KB

Download
memory/1288-71-0x00000000750C0000-0x000000007510C000-memory.dmp

Filesize
304KB

Download
memory/1288-17-0x00000000023D0000-0x0000000002406000-memory.dmp

Filesize
216KB

Download
memory/1288-18-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/1288-83-0x0000000007000000-0x000000000701A000-memory.dmp

Filesize
104KB

Download
memory/1288-20-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/1288-85-0x0000000007280000-0x0000000007316000-memory.dmp

Filesize
600KB

Download
memory/1288-88-0x0000000007240000-0x0000000007254000-memory.dmp

Filesize
80KB

Download
memory/1288-31-0x0000000005680000-0x00000000056E6000-memory.dmp

Filesize
408KB

Download
memory/1396-12-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/1396-2-0x0000000005F80000-0x0000000006524000-memory.dmp

Filesize
5.6MB

Download
memory/1396-1-0x0000000000FF0000-0x000000000108E000-memory.dmp

Filesize
632KB

Download
memory/1396-4-0x0000000005A90000-0x0000000005A9A000-memory.dmp

Filesize
40KB

Download
memory/1396-0-0x000000007481E000-0x000000007481F000-memory.dmp

Filesize
4KB

Download
memory/1396-11-0x000000007481E000-0x000000007481F000-memory.dmp

Filesize
4KB

Download
memory/1396-3-0x0000000005AB0000-0x0000000005B42000-memory.dmp

Filesize
584KB

Download
memory/1396-10-0x000000000BA10000-0x000000000BAAC000-memory.dmp

Filesize
624KB

Download
memory/1396-9-0x0000000006F30000-0x0000000006F8E000-memory.dmp

Filesize
376KB

Download
memory/1396-54-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/1396-7-0x0000000005F00000-0x0000000005F0C000-memory.dmp

Filesize
48KB

Download
memory/1396-6-0x0000000005EA0000-0x0000000005EC2000-memory.dmp

Filesize
136KB

Download
memory/1396-5-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/1396-8-0x0000000003470000-0x0000000003480000-memory.dmp

Filesize
64KB

Download
memory/2772-108-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2772-104-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2772-111-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2772-110-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2772-57-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2772-109-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2772-50-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2772-107-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2772-48-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2772-106-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2772-105-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2772-47-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2772-102-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2772-103-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2772-100-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2772-99-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2772-56-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4692-87-0x0000000007490000-0x000000000749E000-memory.dmp

Filesize
56KB

Download
memory/4692-22-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4692-37-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4692-90-0x0000000007580000-0x0000000007588000-memory.dmp

Filesize
32KB

Download
memory/4692-89-0x00000000075A0000-0x00000000075BA000-memory.dmp

Filesize
104KB

Download
memory/4692-70-0x0000000006F10000-0x0000000006F2E000-memory.dmp

Filesize
120KB

Download
memory/4692-97-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4692-86-0x0000000007460000-0x0000000007471000-memory.dmp

Filesize
68KB

Download
memory/4692-84-0x00000000072D0000-0x00000000072DA000-memory.dmp

Filesize
40KB

Download
memory/4692-24-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4692-59-0x0000000006ED0000-0x0000000006F02000-memory.dmp

Filesize
200KB

Download
memory/4692-60-0x00000000750C0000-0x000000007510C000-memory.dmp

Filesize
304KB

Download
memory/4692-72-0x0000000006F30000-0x0000000006FD3000-memory.dmp

Filesize
652KB

Download

description	pid	process	target process
PID 1396 wrote to memory of 1288	1396	GST e-Payment.NET.CMS4006900371.exe	powershell.exe
PID 1396 wrote to memory of 1288	1396	GST e-Payment.NET.CMS4006900371.exe	powershell.exe
PID 1396 wrote to memory of 1288	1396	GST e-Payment.NET.CMS4006900371.exe	powershell.exe
PID 1396 wrote to memory of 4692	1396	GST e-Payment.NET.CMS4006900371.exe	powershell.exe
PID 1396 wrote to memory of 4692	1396	GST e-Payment.NET.CMS4006900371.exe	powershell.exe
PID 1396 wrote to memory of 4692	1396	GST e-Payment.NET.CMS4006900371.exe	powershell.exe
PID 1396 wrote to memory of 2308	1396	GST e-Payment.NET.CMS4006900371.exe	schtasks.exe
PID 1396 wrote to memory of 2308	1396	GST e-Payment.NET.CMS4006900371.exe	schtasks.exe
PID 1396 wrote to memory of 2308	1396	GST e-Payment.NET.CMS4006900371.exe	schtasks.exe
PID 1396 wrote to memory of 2240	1396	GST e-Payment.NET.CMS4006900371.exe	GST e-Payment.NET.CMS4006900371.exe
PID 1396 wrote to memory of 2240	1396	GST e-Payment.NET.CMS4006900371.exe	GST e-Payment.NET.CMS4006900371.exe
PID 1396 wrote to memory of 2240	1396	GST e-Payment.NET.CMS4006900371.exe	GST e-Payment.NET.CMS4006900371.exe
PID 1396 wrote to memory of 1164	1396	GST e-Payment.NET.CMS4006900371.exe	GST e-Payment.NET.CMS4006900371.exe
PID 1396 wrote to memory of 1164	1396	GST e-Payment.NET.CMS4006900371.exe	GST e-Payment.NET.CMS4006900371.exe
PID 1396 wrote to memory of 1164	1396	GST e-Payment.NET.CMS4006900371.exe	GST e-Payment.NET.CMS4006900371.exe
PID 1396 wrote to memory of 2772	1396	GST e-Payment.NET.CMS4006900371.exe	GST e-Payment.NET.CMS4006900371.exe
PID 1396 wrote to memory of 2772	1396	GST e-Payment.NET.CMS4006900371.exe	GST e-Payment.NET.CMS4006900371.exe
PID 1396 wrote to memory of 2772	1396	GST e-Payment.NET.CMS4006900371.exe	GST e-Payment.NET.CMS4006900371.exe
PID 1396 wrote to memory of 2772	1396	GST e-Payment.NET.CMS4006900371.exe	GST e-Payment.NET.CMS4006900371.exe
PID 1396 wrote to memory of 2772	1396	GST e-Payment.NET.CMS4006900371.exe	GST e-Payment.NET.CMS4006900371.exe
PID 1396 wrote to memory of 2772	1396	GST e-Payment.NET.CMS4006900371.exe	GST e-Payment.NET.CMS4006900371.exe
PID 1396 wrote to memory of 2772	1396	GST e-Payment.NET.CMS4006900371.exe	GST e-Payment.NET.CMS4006900371.exe
PID 1396 wrote to memory of 2772	1396	GST e-Payment.NET.CMS4006900371.exe	GST e-Payment.NET.CMS4006900371.exe
PID 1396 wrote to memory of 2772	1396	GST e-Payment.NET.CMS4006900371.exe	GST e-Payment.NET.CMS4006900371.exe