remcos | ad93cb8f2caa9818241e8b1aec88b592fb02f1767b110d08b3864c59a468b43f

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95311fc0f7c080fc57155842d9f00c404813f27744c9142dfb785d0bcd410190.exe
Size

1.1MB
MD5

4ef725e78d41b96d40ad546b5d92efe9
SHA1

b8ee90718310eeab41306d79df5f1cc8b02f7f5b
SHA256

95311fc0f7c080fc57155842d9f00c404813f27744c9142dfb785d0bcd410190
SHA512

20bccba9827758fdd077c0e2d6051a6537ac57ddb80265b16fe410c12639470d1c96ca6cec2cc2941793e628b7e5ae47320ace91e92ddb7a6550026840a1e20e
SSDEEP

24576:b6G5oq6WlY5EQJbBCt598PkfzGwWPEXyqQ:bPQrJChIP1q

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

104.194.152.154:3678

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-MI0D28
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

95311fc0f7c080fc57155842d9f00c404813f27744c9142dfb785d0bcd410190.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Blmpvfff = "C:\\Users\\Public\\Blmpvfff.url"	95311fc0f7c080fc57155842d9f00c404813f27744c9142dfb785d0bcd410190.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	26	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	27	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

95311fc0f7c080fc57155842d9f00c404813f27744c9142dfb785d0bcd410190.exe

pid	process
3444	95311fc0f7c080fc57155842d9f00c404813f27744c9142dfb785d0bcd410190.exe
3444	95311fc0f7c080fc57155842d9f00c404813f27744c9142dfb785d0bcd410190.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

95311fc0f7c080fc57155842d9f00c404813f27744c9142dfb785d0bcd410190.exe

description	pid	process	target process
PID 3444 wrote to memory of 4948	3444	95311fc0f7c080fc57155842d9f00c404813f27744c9142dfb785d0bcd410190.exe	extrac32.exe
PID 3444 wrote to memory of 4948	3444	95311fc0f7c080fc57155842d9f00c404813f27744c9142dfb785d0bcd410190.exe	extrac32.exe
PID 3444 wrote to memory of 4948	3444	95311fc0f7c080fc57155842d9f00c404813f27744c9142dfb785d0bcd410190.exe	extrac32.exe
PID 3444 wrote to memory of 1968	3444	95311fc0f7c080fc57155842d9f00c404813f27744c9142dfb785d0bcd410190.exe	colorcpl.exe
PID 3444 wrote to memory of 1968	3444	95311fc0f7c080fc57155842d9f00c404813f27744c9142dfb785d0bcd410190.exe	colorcpl.exe
PID 3444 wrote to memory of 1968	3444	95311fc0f7c080fc57155842d9f00c404813f27744c9142dfb785d0bcd410190.exe	colorcpl.exe
PID 3444 wrote to memory of 1968	3444	95311fc0f7c080fc57155842d9f00c404813f27744c9142dfb785d0bcd410190.exe	colorcpl.exe

C:\Users\Admin\AppData\Local\Temp\95311fc0f7c080fc57155842d9f00c404813f27744c9142dfb785d0bcd410190.exe
"C:\Users\Admin\AppData\Local\Temp\95311fc0f7c080fc57155842d9f00c404813f27744c9142dfb785d0bcd410190.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\SysWOW64\extrac32.exe
  C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\95311fc0f7c080fc57155842d9f00c404813f27744c9142dfb785d0bcd410190.exe C:\\Users\\Public\\Libraries\\Blmpvfff.PIF
  2⤵
  PID:4948
- C:\Windows\SysWOW64\colorcpl.exe
  C:\Windows\System32\colorcpl.exe
  2⤵
  PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
146B

MD5
67e54a9164f3f33f37f6727a6244e816

SHA1
b7f3a7411bcd6346acfca1ea144b8ecae46886e4

SHA256
23a0ae3fd1a9e87bf13ab9778f86458dadfc3f00a0ea8fe05ea3c9a5399ce57d

SHA512
1a904dcf201899bfd3b22afa14eb4cf919b501671f84d8f0da2bc989468257f80a43a98be1446d6262c982c0d097e80461b93f499b96ea2cac443e4954a67288

Download Submit
memory/1968-9-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-13-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-6-0x0000000004620000-0x0000000005620000-memory.dmp

Filesize
16.0MB

Download
memory/1968-12-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-10-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-7-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-15-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-16-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-18-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-19-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-21-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-22-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-24-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-25-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-27-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-28-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-29-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-31-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-32-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-34-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-35-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-36-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-38-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-39-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-41-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-42-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-44-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-45-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-47-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-48-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-50-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-51-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-52-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-54-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-55-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-56-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-58-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-59-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-61-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-62-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-64-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-65-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-67-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-68-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-71-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-72-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-74-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-75-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-77-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-78-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-80-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-81-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-83-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-84-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-87-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-88-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-90-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-91-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-93-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-94-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/1968-95-0x000000001C320000-0x000000001C3A2000-memory.dmp

Filesize
520KB

Download
memory/3444-0-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/3444-5-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download