remcos | 03ba551339062106448ff58cbc393338483439513ec8439497bf47153e13f4b7

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rem.exe
Size

483KB
MD5

06f5b8dffc6c138828adbc7f29cfc7f0
SHA1

b59ef5d613a1e49c7034c3ee05780ce054ca0054
SHA256

03ba551339062106448ff58cbc393338483439513ec8439497bf47153e13f4b7
SHA512

e706a0b3b1981cac8ddcf81482b306b4538fbfbf5c332f2b484f8c503b66d73cd09ffaab0515ecb2063d1e4a27dc30a662cc0be4f5287d2982cfbb47c7dad893
SSDEEP

6144:aXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZDAXYcNx5Gv:aX7tPMK8ctGe4Dzl4h2QnuPs/ZDIcv

Score

10^/10

remcos remote persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Remote

leetboy.dynuddns.net:1998

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
svcs.exe
copy_folder
microsofts
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
logsa
mouse_option
false
mutex
Rmc-3XK1S0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

svcs.exe

pid process

2784 svcs.exe
Loads dropped DLL 2 IoCs

Processes:

rem.exe

pid process

2892 rem.exe
2892 rem.exe

pid	process
2784	svcs.exe

pid	process
2892	rem.exe
2892	rem.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

rem.exesvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsofts\\svcs.exe\""	rem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsofts\\svcs.exe\""	rem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsofts\\svcs.exe\""	svcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsofts\\svcs.exe\""	svcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svcs.exe

pid process

2784 svcs.exe

pid	process
2784	svcs.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

rem.exe

description	pid	process	target process
PID 2892 wrote to memory of 2784	2892	rem.exe	svcs.exe
PID 2892 wrote to memory of 2784	2892	rem.exe	svcs.exe
PID 2892 wrote to memory of 2784	2892	rem.exe	svcs.exe
PID 2892 wrote to memory of 2784	2892	rem.exe	svcs.exe

C:\Users\Admin\AppData\Local\Temp\rem.exe
"C:\Users\Admin\AppData\Local\Temp\rem.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2892

C:\Users\Admin\AppData\Roaming\microsofts\svcs.exe
"C:\Users\Admin\AppData\Roaming\microsofts\svcs.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2784

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\logsa\logs.dat
Filesize
144B

MD5
9b6bb8672ccccf485cb9c2130d391e82

SHA1
c12cb43917e108e8e737d8596f0c63efca5084a8

SHA256
798205593c8ff681f23f7ec879db5bdd70675757af838b119e603f06c27253ad

SHA512
0fd5ad992797b0f26992433e53f4a2f809afeeaf488a842c060cdc7f3fd638dfa895bba25dc2e6949da34cec4768f2a64ce5706b30e6c8d3871bd3375f9ef815

Download Submit
C:\ProgramData\logsa\logs.dat
Filesize
230B

MD5
8d1bce8a566b6a7c2e5b5d46e5d65259

SHA1
8fd21de8788a3b32bcf9e2bd726d623f2e065854

SHA256
f56921f80e6f97975fd3684878582343f247a62b09658cb785ca3ed5b327d449

SHA512
338439db3d2a54142178eb578e947aefdbbd0011583950000813612a886c4ff8b16aaffab14705bd0ec7183722d98cb223bbb9db75ad514513926bc390c667db

Download Submit
\Users\Admin\AppData\Roaming\microsofts\svcs.exe
Filesize
483KB

MD5
06f5b8dffc6c138828adbc7f29cfc7f0

SHA1
b59ef5d613a1e49c7034c3ee05780ce054ca0054

SHA256
03ba551339062106448ff58cbc393338483439513ec8439497bf47153e13f4b7

SHA512
e706a0b3b1981cac8ddcf81482b306b4538fbfbf5c332f2b484f8c503b66d73cd09ffaab0515ecb2063d1e4a27dc30a662cc0be4f5287d2982cfbb47c7dad893

Download Submit