remcos | 40a32c20b9e9576ce7f8d4342ad24b9f9aa0805bdc43aa781bc3b2626287d740

General

Target

EBUaVgIGyhAIdkk.exe
Size

985KB
MD5

f5b954f0119303d3d0ef657666b75cb3
SHA1

dbf749bf18d503c440a681863b6c84a80083de62
SHA256

40a32c20b9e9576ce7f8d4342ad24b9f9aa0805bdc43aa781bc3b2626287d740
SHA512

d7c140fb74a87670109ed116be731d9820978d322c69b85fb11c75455049fb975e9955ba2b5d549fbf1c077e3352fb7fb16190b3b1d3bc76de26f1727ededef3
SSDEEP

24576:TSYMFniyyZ6Pqc2Duhz/s8dTGMjqLpHr:pMFnyZ82DuhzfCHdHr

Score

10^/10

remcos remotehost execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

alibabaforwader10.ddns.net:60247

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-AC7NKA
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2560 powershell.exe
2712 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

EBUaVgIGyhAIdkk.exe

description pid process target process

PID 2984 set thread context of 2452 2984 EBUaVgIGyhAIdkk.exe EBUaVgIGyhAIdkk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2720 schtasks.exe

pid	process
2560	powershell.exe
2712	powershell.exe

description	pid	process	target process
PID 2984 set thread context of 2452	2984	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe

pid	process
2720	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

EBUaVgIGyhAIdkk.exepowershell.exepowershell.exe

pid	process
2984	EBUaVgIGyhAIdkk.exe
2984	EBUaVgIGyhAIdkk.exe
2984	EBUaVgIGyhAIdkk.exe
2984	EBUaVgIGyhAIdkk.exe
2984	EBUaVgIGyhAIdkk.exe
2984	EBUaVgIGyhAIdkk.exe
2984	EBUaVgIGyhAIdkk.exe
2712	powershell.exe
2560	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

EBUaVgIGyhAIdkk.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2984	EBUaVgIGyhAIdkk.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EBUaVgIGyhAIdkk.exe

pid process

2452 EBUaVgIGyhAIdkk.exe

pid	process
2452	EBUaVgIGyhAIdkk.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

EBUaVgIGyhAIdkk.exe

description	pid	process	target process
PID 2984 wrote to memory of 2712	2984	EBUaVgIGyhAIdkk.exe	powershell.exe
PID 2984 wrote to memory of 2712	2984	EBUaVgIGyhAIdkk.exe	powershell.exe
PID 2984 wrote to memory of 2712	2984	EBUaVgIGyhAIdkk.exe	powershell.exe
PID 2984 wrote to memory of 2712	2984	EBUaVgIGyhAIdkk.exe	powershell.exe
PID 2984 wrote to memory of 2560	2984	EBUaVgIGyhAIdkk.exe	powershell.exe
PID 2984 wrote to memory of 2560	2984	EBUaVgIGyhAIdkk.exe	powershell.exe
PID 2984 wrote to memory of 2560	2984	EBUaVgIGyhAIdkk.exe	powershell.exe
PID 2984 wrote to memory of 2560	2984	EBUaVgIGyhAIdkk.exe	powershell.exe
PID 2984 wrote to memory of 2720	2984	EBUaVgIGyhAIdkk.exe	schtasks.exe
PID 2984 wrote to memory of 2720	2984	EBUaVgIGyhAIdkk.exe	schtasks.exe
PID 2984 wrote to memory of 2720	2984	EBUaVgIGyhAIdkk.exe	schtasks.exe
PID 2984 wrote to memory of 2720	2984	EBUaVgIGyhAIdkk.exe	schtasks.exe
PID 2984 wrote to memory of 2452	2984	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe
PID 2984 wrote to memory of 2452	2984	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe
PID 2984 wrote to memory of 2452	2984	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe
PID 2984 wrote to memory of 2452	2984	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe
PID 2984 wrote to memory of 2452	2984	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe
PID 2984 wrote to memory of 2452	2984	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe
PID 2984 wrote to memory of 2452	2984	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe
PID 2984 wrote to memory of 2452	2984	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe
PID 2984 wrote to memory of 2452	2984	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe
PID 2984 wrote to memory of 2452	2984	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe
PID 2984 wrote to memory of 2452	2984	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe
PID 2984 wrote to memory of 2452	2984	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe
PID 2984 wrote to memory of 2452	2984	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe

C:\Users\Admin\AppData\Local\Temp\EBUaVgIGyhAIdkk.exe
"C:\Users\Admin\AppData\Local\Temp\EBUaVgIGyhAIdkk.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\EBUaVgIGyhAIdkk.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YbOWhnO.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YbOWhnO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp601A.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2720
- C:\Users\Admin\AppData\Local\Temp\EBUaVgIGyhAIdkk.exe
  "C:\Users\Admin\AppData\Local\Temp\EBUaVgIGyhAIdkk.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
e4698cc1e5c7749e7b140ed5c6c5ef6d

SHA1
61edc7f97867a02d85894d4e35fdf5e4579ebf29

SHA256
c2ceff32566d4334ec275d1be5ea7bdda9193b27ba38807cf4ab3a2cc543d7a3

SHA512
e812481983ab984ef752f5aeb2896f7c8c4cb7e6a797731d49e293bd0df79a1d65360deee90146c2d82b21359c6712e6c1db3f4c8cbe7cce0c1c33e9b8c67eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp601A.tmp

Filesize
1KB

MD5
a99ba814bb26f9714df1a9ad5b605316

SHA1
5bf973e5d03397f92ac6d871c71830ededc6671b

SHA256
5af89df4fe283dae5f2e0aadf199d614804ebaff7b0ca465afa2a61ec13205dc

SHA512
5bee89002162adfb7cdde8992d9caecf6fc2455fff2addabf14b5a0610af01d8b261a30e940b9413380310ebe0885e331fb9ee9fb6bf2bb44f9c4f91cb7dcef6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
45dddf4f2a6f6d75a864c3420e2ebae6

SHA1
574a638c4f8a6a011489310a2d4c45ca5d05e930

SHA256
36c5f70a35fdcdbb35d06a1bdd2a3deca5182a5cb0e31a084e2518c7420016fb

SHA512
85f345574729d06e61849dffb078faaa2796c7a6209d3713fde68c62388b42daea63a4cfe6c30997f96dcb451bbadcd39a019d88113dc9de24faffb9c8925ea1

Download Submit
memory/2452-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2452-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2452-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2452-73-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2452-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2452-67-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2452-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2452-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2452-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2452-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2452-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2452-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2452-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2452-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2452-75-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2452-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2452-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2452-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2452-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2452-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2452-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2452-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2452-49-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2452-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2984-1-0x0000000000280000-0x000000000037C000-memory.dmp

Filesize
1008KB

Download
memory/2984-43-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/2984-4-0x0000000001F90000-0x0000000001FA0000-memory.dmp

Filesize
64KB

Download
memory/2984-0-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

Filesize
4KB

Download
memory/2984-2-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/2984-3-0x0000000000690000-0x00000000006B0000-memory.dmp

Filesize
128KB

Download
memory/2984-6-0x0000000005150000-0x0000000005210000-memory.dmp

Filesize
768KB

Download
memory/2984-5-0x0000000001FA0000-0x0000000001FB6000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads