remcos | eb07f292e4a46ad121d85bac9bea91ab03ffb795527d7c1c1047e7312ea597c0

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GUGHE3EDED RFQ.exe
Size

1.0MB
MD5

f64148b83fa4fc1bfa7b09c0e9736fe9
SHA1

0e53f205122ae6adae8dce0fe711663318ec97b5
SHA256

eb07f292e4a46ad121d85bac9bea91ab03ffb795527d7c1c1047e7312ea597c0
SHA512

2a99eed471562a12dea53e13960acd33ea519f0d887315d83eef4f9a38e0742aaeeb6398a2c93b3db8ffff9db05bfa667018d27b7b80d3182080e9d96195e632
SSDEEP

24576:0E3olMBfwoq7CTurSI/IvFcW39FDTI8G/merMa:0E3ouZwoqzrdQviW3nXI8G/me

Score

10^/10

remcos champ execution rat

Malware Config

Extracted

Family

remcos

Botnet

CHAMP

94.156.68.105:7256

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-YE5X3X
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1284	powershell.exe
2528	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	GUGHE3EDED RFQ.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3448 set thread context of 4424	3448	GUGHE3EDED RFQ.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4216	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
3448	GUGHE3EDED RFQ.exe
1284	powershell.exe
1284	powershell.exe
2528	powershell.exe
2528	powershell.exe
3448	GUGHE3EDED RFQ.exe
3448	GUGHE3EDED RFQ.exe
3448	GUGHE3EDED RFQ.exe
3448	GUGHE3EDED RFQ.exe
1284	powershell.exe
2528	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3448	GUGHE3EDED RFQ.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4424	GUGHE3EDED RFQ.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 1284	3448	GUGHE3EDED RFQ.exe	93
PID 3448 wrote to memory of 1284	3448	GUGHE3EDED RFQ.exe	93
PID 3448 wrote to memory of 1284	3448	GUGHE3EDED RFQ.exe	93
PID 3448 wrote to memory of 2528	3448	GUGHE3EDED RFQ.exe	95
PID 3448 wrote to memory of 2528	3448	GUGHE3EDED RFQ.exe	95
PID 3448 wrote to memory of 2528	3448	GUGHE3EDED RFQ.exe	95
PID 3448 wrote to memory of 4216	3448	GUGHE3EDED RFQ.exe	97
PID 3448 wrote to memory of 4216	3448	GUGHE3EDED RFQ.exe	97
PID 3448 wrote to memory of 4216	3448	GUGHE3EDED RFQ.exe	97
PID 3448 wrote to memory of 3852	3448	GUGHE3EDED RFQ.exe	99
PID 3448 wrote to memory of 3852	3448	GUGHE3EDED RFQ.exe	99
PID 3448 wrote to memory of 3852	3448	GUGHE3EDED RFQ.exe	99
PID 3448 wrote to memory of 4424	3448	GUGHE3EDED RFQ.exe	100
PID 3448 wrote to memory of 4424	3448	GUGHE3EDED RFQ.exe	100
PID 3448 wrote to memory of 4424	3448	GUGHE3EDED RFQ.exe	100
PID 3448 wrote to memory of 4424	3448	GUGHE3EDED RFQ.exe	100
PID 3448 wrote to memory of 4424	3448	GUGHE3EDED RFQ.exe	100
PID 3448 wrote to memory of 4424	3448	GUGHE3EDED RFQ.exe	100
PID 3448 wrote to memory of 4424	3448	GUGHE3EDED RFQ.exe	100
PID 3448 wrote to memory of 4424	3448	GUGHE3EDED RFQ.exe	100
PID 3448 wrote to memory of 4424	3448	GUGHE3EDED RFQ.exe	100
PID 3448 wrote to memory of 4424	3448	GUGHE3EDED RFQ.exe	100
PID 3448 wrote to memory of 4424	3448	GUGHE3EDED RFQ.exe	100
PID 3448 wrote to memory of 4424	3448	GUGHE3EDED RFQ.exe	100

C:\Users\Admin\AppData\Local\Temp\GUGHE3EDED RFQ.exe
"C:\Users\Admin\AppData\Local\Temp\GUGHE3EDED RFQ.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\GUGHE3EDED RFQ.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ptUCmVAREPXk.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ptUCmVAREPXk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6726.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4216
- C:\Users\Admin\AppData\Local\Temp\GUGHE3EDED RFQ.exe
  "C:\Users\Admin\AppData\Local\Temp\GUGHE3EDED RFQ.exe"
  2⤵
  PID:3852
- C:\Users\Admin\AppData\Local\Temp\GUGHE3EDED RFQ.exe
  "C:\Users\Admin\AppData\Local\Temp\GUGHE3EDED RFQ.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
d4654795673e1abb8da67d9be52b7ef8

SHA1
3bc9fcea844ac22f7d051250bf577c56e67cb3e2

SHA256
7a366584856fa2355cafa0d16c6c71f6cc707e40c71d15f941566a9fa641da4d

SHA512
18e9d3785b160d25419d68b5760d3db1af2eaefa6fe06f96b522de3eb288aad83146a13179879113049ad8d9e9f1285d9223fa9f318aa6c9ec0bae3751a5febd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d65af8c213715661a3718cd42fce92b9

SHA1
a4827c1b3409825a0d61be12f3159893ea18a9cb

SHA256
157eb29848cb6c90587d04075ea377f73b3d5adbaf4dd084da14154252e6f69e

SHA512
5ed1d993c96b53b41deb95fb8362bf9d9ca7d5797c7bd976b160f1985711895d45089b1818fd3c0a89d0bdffc6c17d4cfc2bf1d6f79f97c3d84d39191779fc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2hxgqea2.jwz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6726.tmp

Filesize
1KB

MD5
05e07ec7d4b17ccb4095cc5b568c099e

SHA1
fb330c71e5fca9d622ef7e7cb188ecb54fa524ef

SHA256
f130e88cb7a2141e92ffeaaa0bdcc482f2b63836c0c795a89c6066e4875b7c11

SHA512
9bd5b7b6023b910a72b83684cdee86fe64dc80a6ae42361be5c27e2ebc04befb917e95542fb21d85f9b448f1038341d1b60bad2ee8af7f37b67c47016957286d

Download Submit
memory/1284-90-0x0000000007950000-0x000000000795E000-memory.dmp

Filesize
56KB

Download
memory/1284-22-0x0000000005540000-0x0000000005562000-memory.dmp

Filesize
136KB

Download
memory/1284-100-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/1284-93-0x0000000007A40000-0x0000000007A48000-memory.dmp

Filesize
32KB

Download
memory/1284-88-0x00000000079A0000-0x0000000007A36000-memory.dmp

Filesize
600KB

Download
memory/1284-75-0x000000006EFA0000-0x000000006EFEC000-memory.dmp

Filesize
304KB

Download
memory/1284-24-0x0000000005DB0000-0x0000000005E16000-memory.dmp

Filesize
408KB

Download
memory/1284-16-0x0000000001350000-0x0000000001386000-memory.dmp

Filesize
216KB

Download
memory/1284-17-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/1284-18-0x0000000005780000-0x0000000005DA8000-memory.dmp

Filesize
6.2MB

Download
memory/1284-19-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/1284-20-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/1284-23-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/2528-46-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/2528-85-0x0000000007C40000-0x00000000082BA000-memory.dmp

Filesize
6.5MB

Download
memory/2528-99-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/2528-31-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/2528-92-0x0000000007930000-0x000000000794A000-memory.dmp

Filesize
104KB

Download
memory/2528-91-0x0000000007830000-0x0000000007844000-memory.dmp

Filesize
80KB

Download
memory/2528-89-0x00000000077F0000-0x0000000007801000-memory.dmp

Filesize
68KB

Download
memory/2528-86-0x00000000075F0000-0x000000000760A000-memory.dmp

Filesize
104KB

Download
memory/2528-62-0x0000000007280000-0x00000000072B2000-memory.dmp

Filesize
200KB

Download
memory/2528-63-0x000000006EFA0000-0x000000006EFEC000-memory.dmp

Filesize
304KB

Download
memory/2528-73-0x00000000068A0000-0x00000000068BE000-memory.dmp

Filesize
120KB

Download
memory/2528-25-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/2528-56-0x00000000062F0000-0x000000000633C000-memory.dmp

Filesize
304KB

Download
memory/2528-55-0x00000000062D0000-0x00000000062EE000-memory.dmp

Filesize
120KB

Download
memory/2528-74-0x00000000074C0000-0x0000000007563000-memory.dmp

Filesize
652KB

Download
memory/2528-87-0x0000000007660000-0x000000000766A000-memory.dmp

Filesize
40KB

Download
memory/3448-4-0x0000000005850000-0x0000000005BA4000-memory.dmp

Filesize
3.3MB

Download
memory/3448-11-0x0000000007700000-0x00000000077C0000-memory.dmp

Filesize
768KB

Download
memory/3448-54-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/3448-1-0x0000000000C70000-0x0000000000D7A000-memory.dmp

Filesize
1.0MB

Download
memory/3448-8-0x00000000064C0000-0x000000000655C000-memory.dmp

Filesize
624KB

Download
memory/3448-7-0x0000000006950000-0x0000000006E7C000-memory.dmp

Filesize
5.2MB

Download
memory/3448-10-0x00000000066F0000-0x00000000066FC000-memory.dmp

Filesize
48KB

Download
memory/3448-5-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/3448-3-0x00000000057B0000-0x0000000005842000-memory.dmp

Filesize
584KB

Download
memory/3448-2-0x0000000005CC0000-0x0000000006264000-memory.dmp

Filesize
5.6MB

Download
memory/3448-9-0x00000000066D0000-0x00000000066E0000-memory.dmp

Filesize
64KB

Download
memory/3448-6-0x0000000005C80000-0x0000000005C8A000-memory.dmp

Filesize
40KB

Download
memory/3448-0-0x00000000745FE000-0x00000000745FF000-memory.dmp

Filesize
4KB

Download
memory/4424-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4424-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4424-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4424-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4424-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4424-51-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4424-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4424-57-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4424-106-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4424-107-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4424-114-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4424-115-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4424-122-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4424-123-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4424-131-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4424-130-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download