remcos | 40a32c20b9e9576ce7f8d4342ad24b9f9aa0805bdc43aa781bc3b2626287d740

General

Target

EBUaVgIGyhAIdkk.exe
Size

985KB
MD5

f5b954f0119303d3d0ef657666b75cb3
SHA1

dbf749bf18d503c440a681863b6c84a80083de62
SHA256

40a32c20b9e9576ce7f8d4342ad24b9f9aa0805bdc43aa781bc3b2626287d740
SHA512

d7c140fb74a87670109ed116be731d9820978d322c69b85fb11c75455049fb975e9955ba2b5d549fbf1c077e3352fb7fb16190b3b1d3bc76de26f1727ededef3
SSDEEP

24576:TSYMFniyyZ6Pqc2Duhz/s8dTGMjqLpHr:pMFnyZ82DuhzfCHdHr

Score

10^/10

remcos remotehost execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

alibabaforwader10.ddns.net:60247

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-AC7NKA
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2632 powershell.exe
2740 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

EBUaVgIGyhAIdkk.exe

description pid process target process

PID 1964 set thread context of 2404 1964 EBUaVgIGyhAIdkk.exe EBUaVgIGyhAIdkk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2676 schtasks.exe

pid	process
2632	powershell.exe
2740	powershell.exe

description	pid	process	target process
PID 1964 set thread context of 2404	1964	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe

pid	process
2676	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

EBUaVgIGyhAIdkk.exepowershell.exepowershell.exe

pid	process
1964	EBUaVgIGyhAIdkk.exe
1964	EBUaVgIGyhAIdkk.exe
1964	EBUaVgIGyhAIdkk.exe
1964	EBUaVgIGyhAIdkk.exe
1964	EBUaVgIGyhAIdkk.exe
1964	EBUaVgIGyhAIdkk.exe
1964	EBUaVgIGyhAIdkk.exe
2632	powershell.exe
2740	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

EBUaVgIGyhAIdkk.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1964	EBUaVgIGyhAIdkk.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EBUaVgIGyhAIdkk.exe

pid process

2404 EBUaVgIGyhAIdkk.exe

pid	process
2404	EBUaVgIGyhAIdkk.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

EBUaVgIGyhAIdkk.exe

description	pid	process	target process
PID 1964 wrote to memory of 2632	1964	EBUaVgIGyhAIdkk.exe	powershell.exe
PID 1964 wrote to memory of 2632	1964	EBUaVgIGyhAIdkk.exe	powershell.exe
PID 1964 wrote to memory of 2632	1964	EBUaVgIGyhAIdkk.exe	powershell.exe
PID 1964 wrote to memory of 2632	1964	EBUaVgIGyhAIdkk.exe	powershell.exe
PID 1964 wrote to memory of 2740	1964	EBUaVgIGyhAIdkk.exe	powershell.exe
PID 1964 wrote to memory of 2740	1964	EBUaVgIGyhAIdkk.exe	powershell.exe
PID 1964 wrote to memory of 2740	1964	EBUaVgIGyhAIdkk.exe	powershell.exe
PID 1964 wrote to memory of 2740	1964	EBUaVgIGyhAIdkk.exe	powershell.exe
PID 1964 wrote to memory of 2676	1964	EBUaVgIGyhAIdkk.exe	schtasks.exe
PID 1964 wrote to memory of 2676	1964	EBUaVgIGyhAIdkk.exe	schtasks.exe
PID 1964 wrote to memory of 2676	1964	EBUaVgIGyhAIdkk.exe	schtasks.exe
PID 1964 wrote to memory of 2676	1964	EBUaVgIGyhAIdkk.exe	schtasks.exe
PID 1964 wrote to memory of 2404	1964	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe
PID 1964 wrote to memory of 2404	1964	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe
PID 1964 wrote to memory of 2404	1964	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe
PID 1964 wrote to memory of 2404	1964	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe
PID 1964 wrote to memory of 2404	1964	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe
PID 1964 wrote to memory of 2404	1964	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe
PID 1964 wrote to memory of 2404	1964	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe
PID 1964 wrote to memory of 2404	1964	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe
PID 1964 wrote to memory of 2404	1964	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe
PID 1964 wrote to memory of 2404	1964	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe
PID 1964 wrote to memory of 2404	1964	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe
PID 1964 wrote to memory of 2404	1964	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe
PID 1964 wrote to memory of 2404	1964	EBUaVgIGyhAIdkk.exe	EBUaVgIGyhAIdkk.exe

C:\Users\Admin\AppData\Local\Temp\EBUaVgIGyhAIdkk.exe
"C:\Users\Admin\AppData\Local\Temp\EBUaVgIGyhAIdkk.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\EBUaVgIGyhAIdkk.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YbOWhnO.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YbOWhnO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6A28.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2676
- C:\Users\Admin\AppData\Local\Temp\EBUaVgIGyhAIdkk.exe
  "C:\Users\Admin\AppData\Local\Temp\EBUaVgIGyhAIdkk.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
26a60d6b494d61d8cdd66554ed8ec4ba

SHA1
8b682a9bf1e0679b2223a65cff5b802b7c247366

SHA256
3ab406a9d4304bcb80537e721ec331ff42e8a83a35fdf3b0e80ee949f0c772a6

SHA512
fb6b7a4f46235c6a97b0829a5d95376ebad3c52cc8940413b23bfb5e6729ae3218264435f3c1c365faf9e97d315a5e4a605798122e07092687d527443b5e3026

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6A28.tmp

Filesize
1KB

MD5
3c9eeeedf7cc76c226981dcf24d266d8

SHA1
54ee1589be3b9928c99fbc255a4795c48a61c2e3

SHA256
640a913683e29e1c8205e758354dd6a98a3def8197612d898beab2118c22e9c7

SHA512
781c20eacde7dd78a221b561c0be4a98804c3b19e3b5c572e8d18cb21c52b0bb5aa5e76a716edbcc31a65e4cae7a57536380c260b13504432e433a42cc73b424

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MJ5ODU76PAKX1SBUAP02.temp

Filesize
7KB

MD5
88a14fb6b9abcb27fd17f91338910620

SHA1
b3d099a60ad3e9bbd1a2151b5506cbfb979cd5db

SHA256
86c5ba813e6c7e83f302cb354760ea938ccfa22f86b31c9bd1e824ac9d99a669

SHA512
c11fab0917dae3317a93b9e23bf821255aceacab1fa15cf6f55dac94f2fb20b5222edbac16d82c7a6c38a037ecf38395e93189ae94d59363c3a8696f0a984aa8

Download Submit
memory/1964-42-0x00000000745FE000-0x00000000745FF000-memory.dmp

Filesize
4KB

Download
memory/1964-1-0x0000000000E60000-0x0000000000F5C000-memory.dmp

Filesize
1008KB

Download
memory/1964-2-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/1964-3-0x0000000000710000-0x0000000000730000-memory.dmp

Filesize
128KB

Download
memory/1964-4-0x0000000000850000-0x0000000000860000-memory.dmp

Filesize
64KB

Download
memory/1964-5-0x0000000000860000-0x0000000000876000-memory.dmp

Filesize
88KB

Download
memory/1964-6-0x0000000005D70000-0x0000000005E30000-memory.dmp

Filesize
768KB

Download
memory/1964-0-0x00000000745FE000-0x00000000745FF000-memory.dmp

Filesize
4KB

Download
memory/1964-44-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/2404-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2404-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2404-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2404-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2404-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2404-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2404-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2404-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2404-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2404-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2404-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2404-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2404-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2404-49-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2404-50-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2404-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2404-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2404-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2404-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2404-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2404-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2404-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2404-74-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2404-76-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads