remcos | b8e01564b3cb1cbef42d0622112d53bcff11b3ae25baf684c1953f0a1c9c9221 | Triage

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 12:13

Sharing

Report Analysis Logs

General

Target

b8e01564b3cb1cbef42d0622112d53bcff11b3ae25baf684c1953f0a1c9c9221.exe
Size

4.7MB
MD5

a7abe07ba9c225d72c53f66de3d83883
SHA1

9c0793fb9295b089b48fb09ecc2bc5e4618bbf21
SHA256

b8e01564b3cb1cbef42d0622112d53bcff11b3ae25baf684c1953f0a1c9c9221
SHA512

45a37fe8d66392470c8615d2988f7a87f25120854b7717744eb83ac7447af3e23d76d429c71b923c0a649c3d74f2f7e698fa70d46388303aef1df46710c0ff73
SSDEEP

98304:Xhn+a5KLmrA7Rr84YePQfjGf8GbBIFdeFhbx770Jh5Rq+3mrYKKQBjfudAPwE:Xh+aECrA7F84If28G9IFo3x770JL2rdx

Score

10^/10

remcos giga10 rat rezer0

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

giga10

C2

CEDSXoissLv2NiM.club:5762

PgqduOYXVZeNNam.xyz:5762

USd7O88wEMlUtX5.xyz:5762

pMfiryhhkiN98Px.xyz:5762

Se2Qwz60L2OxZNM.xyz:5762

GWtY0fiG58DCq6F.xyz:5762

maui16azsncpo97.info:5762

mj99puoba6c3gun.info:5762

tu90to3b4q4uqze.info:5762

cwt1u0vv8ic357ov.info:5762

agaoajz1hrvevre.info:5762

poykoqnl7jkj632.info:5762

cbiq1neygyp1wno.info:5762

BCBNcQ393Z3HPLQ.club:5762

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-UQ8E24
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

resource	yara_rule
behavioral2/memory/3096-10-0x0000000006C30000-0x0000000006C5E000-memory.dmp	rezer0

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	b8e01564b3cb1cbef42d0622112d53bcff11b3ae25baf684c1953f0a1c9c9221.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3096 set thread context of 4680	3096	b8e01564b3cb1cbef42d0622112d53bcff11b3ae25baf684c1953f0a1c9c9221.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3096	b8e01564b3cb1cbef42d0622112d53bcff11b3ae25baf684c1953f0a1c9c9221.exe
3096	b8e01564b3cb1cbef42d0622112d53bcff11b3ae25baf684c1953f0a1c9c9221.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3096	b8e01564b3cb1cbef42d0622112d53bcff11b3ae25baf684c1953f0a1c9c9221.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 860	3096	b8e01564b3cb1cbef42d0622112d53bcff11b3ae25baf684c1953f0a1c9c9221.exe	85
PID 3096 wrote to memory of 860	3096	b8e01564b3cb1cbef42d0622112d53bcff11b3ae25baf684c1953f0a1c9c9221.exe	85
PID 3096 wrote to memory of 860	3096	b8e01564b3cb1cbef42d0622112d53bcff11b3ae25baf684c1953f0a1c9c9221.exe	85
PID 3096 wrote to memory of 700	3096	b8e01564b3cb1cbef42d0622112d53bcff11b3ae25baf684c1953f0a1c9c9221.exe	87
PID 3096 wrote to memory of 700	3096	b8e01564b3cb1cbef42d0622112d53bcff11b3ae25baf684c1953f0a1c9c9221.exe	87
PID 3096 wrote to memory of 700	3096	b8e01564b3cb1cbef42d0622112d53bcff11b3ae25baf684c1953f0a1c9c9221.exe	87
PID 3096 wrote to memory of 4680	3096	b8e01564b3cb1cbef42d0622112d53bcff11b3ae25baf684c1953f0a1c9c9221.exe	88
PID 3096 wrote to memory of 4680	3096	b8e01564b3cb1cbef42d0622112d53bcff11b3ae25baf684c1953f0a1c9c9221.exe	88
PID 3096 wrote to memory of 4680	3096	b8e01564b3cb1cbef42d0622112d53bcff11b3ae25baf684c1953f0a1c9c9221.exe	88
PID 3096 wrote to memory of 4680	3096	b8e01564b3cb1cbef42d0622112d53bcff11b3ae25baf684c1953f0a1c9c9221.exe	88
PID 3096 wrote to memory of 4680	3096	b8e01564b3cb1cbef42d0622112d53bcff11b3ae25baf684c1953f0a1c9c9221.exe	88
PID 3096 wrote to memory of 4680	3096	b8e01564b3cb1cbef42d0622112d53bcff11b3ae25baf684c1953f0a1c9c9221.exe	88
PID 3096 wrote to memory of 4680	3096	b8e01564b3cb1cbef42d0622112d53bcff11b3ae25baf684c1953f0a1c9c9221.exe	88
PID 3096 wrote to memory of 4680	3096	b8e01564b3cb1cbef42d0622112d53bcff11b3ae25baf684c1953f0a1c9c9221.exe	88
PID 3096 wrote to memory of 4680	3096	b8e01564b3cb1cbef42d0622112d53bcff11b3ae25baf684c1953f0a1c9c9221.exe	88
PID 3096 wrote to memory of 4680	3096	b8e01564b3cb1cbef42d0622112d53bcff11b3ae25baf684c1953f0a1c9c9221.exe	88

C:\Users\Admin\AppData\Local\Temp\b8e01564b3cb1cbef42d0622112d53bcff11b3ae25baf684c1953f0a1c9c9221.exe
"C:\Users\Admin\AppData\Local\Temp\b8e01564b3cb1cbef42d0622112d53bcff11b3ae25baf684c1953f0a1c9c9221.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YrztqVJUmKh" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB006.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  PID:700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB006.tmp

Filesize
1KB

MD5
899a32c5176fd2fac6404ddbb0975a55

SHA1
7d0b52a88691e307491a18ce5b2d59ede1829822

SHA256
45c9e21d199c6f3476b7e72088e092fab342c21a2b875ab771c37cbdfe66593f

SHA512
2f3fa512d7af5bada35f0d39d79daeacbeefb008e91d65b92484f956a5dbbffadeb70e31efb10c2bfdd0288b314296ef18489a86843f39156d41397c4a0b9f71

Download Submit
memory/3096-0-0x0000000074C4E000-0x0000000074C4F000-memory.dmp

Filesize
4KB

Download
memory/3096-1-0x0000000000250000-0x0000000000710000-memory.dmp

Filesize
4.8MB

Download
memory/3096-2-0x0000000005600000-0x0000000005BA4000-memory.dmp

Filesize
5.6MB

Download
memory/3096-3-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/3096-4-0x0000000005230000-0x0000000005286000-memory.dmp

Filesize
344KB

Download
memory/3096-5-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/3096-6-0x00000000051E0000-0x00000000051EA000-memory.dmp

Filesize
40KB

Download
memory/3096-7-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/3096-8-0x0000000006820000-0x0000000006B74000-memory.dmp

Filesize
3.3MB

Download
memory/3096-9-0x0000000006BA0000-0x0000000006BB2000-memory.dmp

Filesize
72KB

Download
memory/3096-10-0x0000000006C30000-0x0000000006C5E000-memory.dmp

Filesize
184KB

Download
memory/3096-11-0x0000000006D00000-0x0000000006D9C000-memory.dmp

Filesize
624KB

Download
memory/3096-25-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/4680-17-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-20-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-21-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-22-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-24-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-26-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-27-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-28-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-29-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-30-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-32-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-33-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-34-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-35-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-36-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-38-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-39-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-40-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-41-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-42-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-43-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-44-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-45-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-46-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-47-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-48-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-49-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-50-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-51-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-52-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-57-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-61-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4680-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download