remcos | eb07f292e4a46ad121d85bac9bea91ab03ffb795527d7c1c1047e7312ea597c0

General

Target

GUGHE3EDED RFQ.exe
Size

1.0MB
MD5

f64148b83fa4fc1bfa7b09c0e9736fe9
SHA1

0e53f205122ae6adae8dce0fe711663318ec97b5
SHA256

eb07f292e4a46ad121d85bac9bea91ab03ffb795527d7c1c1047e7312ea597c0
SHA512

2a99eed471562a12dea53e13960acd33ea519f0d887315d83eef4f9a38e0742aaeeb6398a2c93b3db8ffff9db05bfa667018d27b7b80d3182080e9d96195e632
SSDEEP

24576:0E3olMBfwoq7CTurSI/IvFcW39FDTI8G/merMa:0E3ouZwoqzrdQviW3nXI8G/me

Score

10^/10

remcos champ execution rat

Malware Config

Extracted

Family

remcos

Botnet

CHAMP

C2

94.156.68.105:7256

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-YE5X3X
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2156	powershell.exe
2792	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2220 set thread context of 2704	2220	GUGHE3EDED RFQ.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2220	GUGHE3EDED RFQ.exe
2220	GUGHE3EDED RFQ.exe
2792	powershell.exe
2156	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	GUGHE3EDED RFQ.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2704	GUGHE3EDED RFQ.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2156	2220	GUGHE3EDED RFQ.exe	28
PID 2220 wrote to memory of 2156	2220	GUGHE3EDED RFQ.exe	28
PID 2220 wrote to memory of 2156	2220	GUGHE3EDED RFQ.exe	28
PID 2220 wrote to memory of 2156	2220	GUGHE3EDED RFQ.exe	28
PID 2220 wrote to memory of 2792	2220	GUGHE3EDED RFQ.exe	30
PID 2220 wrote to memory of 2792	2220	GUGHE3EDED RFQ.exe	30
PID 2220 wrote to memory of 2792	2220	GUGHE3EDED RFQ.exe	30
PID 2220 wrote to memory of 2792	2220	GUGHE3EDED RFQ.exe	30
PID 2220 wrote to memory of 2804	2220	GUGHE3EDED RFQ.exe	31
PID 2220 wrote to memory of 2804	2220	GUGHE3EDED RFQ.exe	31
PID 2220 wrote to memory of 2804	2220	GUGHE3EDED RFQ.exe	31
PID 2220 wrote to memory of 2804	2220	GUGHE3EDED RFQ.exe	31
PID 2220 wrote to memory of 2704	2220	GUGHE3EDED RFQ.exe	34
PID 2220 wrote to memory of 2704	2220	GUGHE3EDED RFQ.exe	34
PID 2220 wrote to memory of 2704	2220	GUGHE3EDED RFQ.exe	34
PID 2220 wrote to memory of 2704	2220	GUGHE3EDED RFQ.exe	34
PID 2220 wrote to memory of 2704	2220	GUGHE3EDED RFQ.exe	34
PID 2220 wrote to memory of 2704	2220	GUGHE3EDED RFQ.exe	34
PID 2220 wrote to memory of 2704	2220	GUGHE3EDED RFQ.exe	34
PID 2220 wrote to memory of 2704	2220	GUGHE3EDED RFQ.exe	34
PID 2220 wrote to memory of 2704	2220	GUGHE3EDED RFQ.exe	34
PID 2220 wrote to memory of 2704	2220	GUGHE3EDED RFQ.exe	34
PID 2220 wrote to memory of 2704	2220	GUGHE3EDED RFQ.exe	34
PID 2220 wrote to memory of 2704	2220	GUGHE3EDED RFQ.exe	34
PID 2220 wrote to memory of 2704	2220	GUGHE3EDED RFQ.exe	34

C:\Users\Admin\AppData\Local\Temp\GUGHE3EDED RFQ.exe
"C:\Users\Admin\AppData\Local\Temp\GUGHE3EDED RFQ.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\GUGHE3EDED RFQ.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ptUCmVAREPXk.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ptUCmVAREPXk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp31AB.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\GUGHE3EDED RFQ.exe
  "C:\Users\Admin\AppData\Local\Temp\GUGHE3EDED RFQ.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
0b16331fb1104a60cd706dc09fe92a74

SHA1
e516afb44512ad0ba2ba0187c814c074d83e425b

SHA256
569abc4fb6f6dfbec49092b58995650a031e68c4616812a807f3ac7fff9f962a

SHA512
8b845ef854eeda6c1a338d75583085f1aff26519339d5c37fe0fddd2ddae5c2180c5dc6459cc8f4f4bb4d60b45fa1f9b3d8234179f99ca60c242794503628ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp31AB.tmp

Filesize
1KB

MD5
d81d8279f807a6673402eab820d7648c

SHA1
87c17cdc900d83daccda881d272cf3e6e103c1d1

SHA256
f5ebe25d97d388bb366c6ec6ecebda094c9c0cbb2902078a588e8bbc205492a1

SHA512
4c36790ec94456a12707bee6b403cec39ee3834fa17056f7953377dae550f9107049fbc06dc5bca8681d36d4cd9915ef7d760baa835fc617bed61536f5910f8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6YUQ92RRBXL92ZGRX9AY.temp

Filesize
7KB

MD5
b2bf8a03876e40371a69443a8d109f89

SHA1
5076b075236a8843a30135d7d6e47cc96c959a2a

SHA256
e1b9487fa61d05e232ce95ec7e843ef5f675d9f1c6227bba8242105af68885f7

SHA512
48721ebadf338063752788555ce88ae537b63d87a6af5bcc7d7d3e9c81f57e3df76866d09fa6126f0168df3ad71110a82b1cd7096bb539c0ca448a33cd9afc1a

Download Submit
memory/2220-0-0x00000000741CE000-0x00000000741CF000-memory.dmp

Filesize
4KB

Download
memory/2220-1-0x00000000011A0000-0x00000000012AA000-memory.dmp

Filesize
1.0MB

Download
memory/2220-2-0x00000000741C0000-0x00000000748AE000-memory.dmp

Filesize
6.9MB

Download
memory/2220-3-0x0000000000410000-0x0000000000420000-memory.dmp

Filesize
64KB

Download
memory/2220-4-0x0000000000A70000-0x0000000000A7C000-memory.dmp

Filesize
48KB

Download
memory/2220-5-0x0000000005BA0000-0x0000000005C60000-memory.dmp

Filesize
768KB

Download
memory/2220-39-0x00000000741C0000-0x00000000748AE000-memory.dmp

Filesize
6.9MB

Download
memory/2704-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2704-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2704-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2704-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2704-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2704-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2704-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2704-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2704-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2704-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2704-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2704-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2704-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2704-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2704-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2704-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2704-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2704-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2704-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2704-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2704-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2704-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2704-70-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads