remcos | d138d810c8b0d8770b31b62f87a2b51bdf33ac1920b41a80007ed718397e7390

General

Target

HOTFIX.exe
Size

92KB
MD5

49dea8978a30fad5001a5f689b7f15e1
SHA1

317c883761e60af918ab9748d7417d931963849f
SHA256

d138d810c8b0d8770b31b62f87a2b51bdf33ac1920b41a80007ed718397e7390
SHA512

dc3c29adbd1ad52bcba7fb0b24985798abc51c90984f3b556b448380c036407b92bf6f4275252c0e864b330aea00de6f0096945286f28be1a415fde20833c0dd
SSDEEP

1536:ohhW0YTGZWdVseJxaM9kraLdV2QkQ1TbPX8IHOCkIsI4ESHNTh9E+JP19qkP60rj:uhzYTGWVvJ8f2v1TbPzuMsIFSHNThy+3

Score

10^/10

remcos host persistence rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

to-adam.gl.at.ply.gg:65290

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
remcos_icbwxxlmpc
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screens
screenshot_path
%Temp%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	HOTFIX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	HOTFIX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	HOTFIX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	HOTFIX.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	HOTFIX.exe

Executes dropped EXE 1 IoCs

pid	Process
4448	remcos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	HOTFIX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	HOTFIX.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	HOTFIX.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	remcos.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4448 set thread context of 4052	4448	remcos.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2072	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4448	remcos.exe
4448	remcos.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4052	iexplore.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 1436	3080	HOTFIX.exe	85
PID 3080 wrote to memory of 1436	3080	HOTFIX.exe	85
PID 3080 wrote to memory of 1436	3080	HOTFIX.exe	85
PID 1436 wrote to memory of 2072	1436	cmd.exe	87
PID 1436 wrote to memory of 2072	1436	cmd.exe	87
PID 1436 wrote to memory of 2072	1436	cmd.exe	87
PID 1436 wrote to memory of 4448	1436	cmd.exe	88
PID 1436 wrote to memory of 4448	1436	cmd.exe	88
PID 1436 wrote to memory of 4448	1436	cmd.exe	88
PID 4448 wrote to memory of 4052	4448	remcos.exe	89
PID 4448 wrote to memory of 4052	4448	remcos.exe	89
PID 4448 wrote to memory of 4052	4448	remcos.exe	89
PID 4448 wrote to memory of 4052	4448	remcos.exe	89
PID 4448 wrote to memory of 4052	4448	remcos.exe	89
PID 4448 wrote to memory of 4052	4448	remcos.exe	89
PID 4448 wrote to memory of 4052	4448	remcos.exe	89
PID 4448 wrote to memory of 4052	4448	remcos.exe	89
PID 4448 wrote to memory of 4052	4448	remcos.exe	89

C:\Users\Admin\AppData\Local\Temp\HOTFIX.exe
"C:\Users\Admin\AppData\Local\Temp\HOTFIX.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Checks computer location settings
- Adds Run key to start application
- Modifies WinLogon
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:2072
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies WinLogon
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4448
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

4

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

2

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

4

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

2

T1547.004

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
99B

MD5
76c1687d97dfdbcea62ef1490bec5001

SHA1
5f4d1aeafa7d840cde67b76f97416dd68efd1bed

SHA256
79f04ea049979ffd2232c459fdd57fae97a5255aea9b4a2c7dce7ead856f37a4

SHA512
da250f0628632a644f159d818a82a8b9cca8224e46843bddbe0f6f9c32a2d04f7736a620af49ab6d77616317ca7d68285e60043965fe86c03d940835bd30a925

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

Filesize
92KB

MD5
49dea8978a30fad5001a5f689b7f15e1

SHA1
317c883761e60af918ab9748d7417d931963849f

SHA256
d138d810c8b0d8770b31b62f87a2b51bdf33ac1920b41a80007ed718397e7390

SHA512
dc3c29adbd1ad52bcba7fb0b24985798abc51c90984f3b556b448380c036407b92bf6f4275252c0e864b330aea00de6f0096945286f28be1a415fde20833c0dd

Download Submit
memory/4052-9-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads