remcos | 5e30143f53af82ff891d9801ccff6b30e3dc7f3401bba597accb26e2d3b8b25d

Analysis

max time kernel
20s
max time network
21s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
06-08-2024 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Офіційний запит 398м24-7, № 399м24-7 .pdf.exe
Size

1.6MB
MD5

22baf6cfab80de22a7d00099d3400ab6
SHA1

1a47982298977bc37e9e5d732a3aecd62e1a5840
SHA256

5e30143f53af82ff891d9801ccff6b30e3dc7f3401bba597accb26e2d3b8b25d
SHA512

701f1903455b24a77ba09ebb8fed8097146f39220b52fce84ee6999192f39a4af4b60f37e8db376e755835825c78f3b0bd7320febecf0293748d8cf3ccb53dfa
SSDEEP

24576:/7tqPO/71AS1UmAZLE6GwB6SuRoEPmXG1Y5j9Z3Q+BYPGK4Y81htTIcDFO8csqJ:Rj/zRAZLEqcoAmXKYZrQ+iP6zacTVqJ

Score

10^/10

remcos hts1 discovery rat

Malware Config

Extracted

Family

remcos

Botnet

HTS1

77.105.161.52:8080

77.105.161.52:80

77.105.161.52:4899

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
HuN-4TNFT1
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2768 created 1444	2768	Smithsonian.pif	20

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeSync.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeSync.url	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2768	Smithsonian.pif

Loads dropped DLL 1 IoCs

pid	Process
1700	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2028	tasklist.exe
1912	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\BottleDeveloper	Офіційний запит 398м24-7, № 399м24-7 .pdf.exe
File opened for modification	C:\Windows\AppointmentWr	Офіційний запит 398м24-7, № 399м24-7 .pdf.exe
File opened for modification	C:\Windows\BermudaMotorcycle	Офіційний запит 398м24-7, № 399м24-7 .pdf.exe
File opened for modification	C:\Windows\RequiresSalary	Офіційний запит 398м24-7, № 399м24-7 .pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Smithsonian.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Офіційний запит 398м24-7, № 399м24-7 .pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2768	Smithsonian.pif
2768	Smithsonian.pif
2768	Smithsonian.pif
2768	Smithsonian.pif
2768	Smithsonian.pif
2768	Smithsonian.pif
2768	Smithsonian.pif
2768	Smithsonian.pif
2768	Smithsonian.pif
2768	Smithsonian.pif
2768	Smithsonian.pif
2768	Smithsonian.pif
2768	Smithsonian.pif
2768	Smithsonian.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	tasklist.exe
Token: SeDebugPrivilege	1912	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2768	Smithsonian.pif
2768	Smithsonian.pif
2768	Smithsonian.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2768	Smithsonian.pif
2768	Smithsonian.pif
2768	Smithsonian.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2768	Smithsonian.pif

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 1700	2508	Офіційний запит 398м24-7, № 399м24-7 .pdf.exe	29
PID 2508 wrote to memory of 1700	2508	Офіційний запит 398м24-7, № 399м24-7 .pdf.exe	29
PID 2508 wrote to memory of 1700	2508	Офіційний запит 398м24-7, № 399м24-7 .pdf.exe	29
PID 2508 wrote to memory of 1700	2508	Офіційний запит 398м24-7, № 399м24-7 .pdf.exe	29
PID 1700 wrote to memory of 2028	1700	cmd.exe	31
PID 1700 wrote to memory of 2028	1700	cmd.exe	31
PID 1700 wrote to memory of 2028	1700	cmd.exe	31
PID 1700 wrote to memory of 2028	1700	cmd.exe	31
PID 1700 wrote to memory of 2340	1700	cmd.exe	32
PID 1700 wrote to memory of 2340	1700	cmd.exe	32
PID 1700 wrote to memory of 2340	1700	cmd.exe	32
PID 1700 wrote to memory of 2340	1700	cmd.exe	32
PID 1700 wrote to memory of 1912	1700	cmd.exe	34
PID 1700 wrote to memory of 1912	1700	cmd.exe	34
PID 1700 wrote to memory of 1912	1700	cmd.exe	34
PID 1700 wrote to memory of 1912	1700	cmd.exe	34
PID 1700 wrote to memory of 2716	1700	cmd.exe	35
PID 1700 wrote to memory of 2716	1700	cmd.exe	35
PID 1700 wrote to memory of 2716	1700	cmd.exe	35
PID 1700 wrote to memory of 2716	1700	cmd.exe	35
PID 1700 wrote to memory of 2828	1700	cmd.exe	36
PID 1700 wrote to memory of 2828	1700	cmd.exe	36
PID 1700 wrote to memory of 2828	1700	cmd.exe	36
PID 1700 wrote to memory of 2828	1700	cmd.exe	36
PID 1700 wrote to memory of 2832	1700	cmd.exe	37
PID 1700 wrote to memory of 2832	1700	cmd.exe	37
PID 1700 wrote to memory of 2832	1700	cmd.exe	37
PID 1700 wrote to memory of 2832	1700	cmd.exe	37
PID 1700 wrote to memory of 2756	1700	cmd.exe	38
PID 1700 wrote to memory of 2756	1700	cmd.exe	38
PID 1700 wrote to memory of 2756	1700	cmd.exe	38
PID 1700 wrote to memory of 2756	1700	cmd.exe	38
PID 1700 wrote to memory of 2768	1700	cmd.exe	39
PID 1700 wrote to memory of 2768	1700	cmd.exe	39
PID 1700 wrote to memory of 2768	1700	cmd.exe	39
PID 1700 wrote to memory of 2768	1700	cmd.exe	39
PID 1700 wrote to memory of 2656	1700	cmd.exe	40
PID 1700 wrote to memory of 2656	1700	cmd.exe	40
PID 1700 wrote to memory of 2656	1700	cmd.exe	40
PID 1700 wrote to memory of 2656	1700	cmd.exe	40
PID 2768 wrote to memory of 2612	2768	Smithsonian.pif	41
PID 2768 wrote to memory of 2612	2768	Smithsonian.pif	41
PID 2768 wrote to memory of 2612	2768	Smithsonian.pif	41
PID 2768 wrote to memory of 2612	2768	Smithsonian.pif	41

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1444
- C:\Users\Admin\AppData\Local\Temp\Офіційний запит 398м24-7, № 399м24-7 .pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Офіційний запит 398м24-7, № 399м24-7 .pdf.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Classifieds Classifieds.cmd & Classifieds.cmd & exit
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2028
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2340
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1912
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2716
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 182347
      4⤵
      System Location Discovery: System Language Discovery
      PID:2828
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "emissionconsequencepermissionsfetish" Mike
      4⤵
      System Location Discovery: System Language Discovery
      PID:2832
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Dependent + Madrid + Generation + Saint + Appeal + Tahoe + Frequently + Customise + Offered + Clarke 182347\X
      4⤵
      System Location Discovery: System Language Discovery
      PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\182347\Smithsonian.pif
      Smithsonian.pif X
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2768
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeSync.url" & echo URL="C:\Users\Admin\AppData\Local\TradeOptimize Dynamics\TradeSync.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeSync.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\182347\X

Filesize
693KB

MD5
65da721b81ac6e83b31ddcfda3d5751e

SHA1
d38ea2ca5bd3b2923648b666a9fc6402dc1a7979

SHA256
3a0a0dde10d63f6f4c1e718421e58b2ebb35ed7dd6b69d61387c97ab338cf5d9

SHA512
6be86698b2f4185e96dea486a150ea712dd16752ded784a866aa7f9082b71209202cdc977a08d7f9a52fecbd030d348b50de87f0655ed29617b659dfdaa4fd1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Appeal

Filesize
77KB

MD5
1c0c3ca86897dad169da75d4279ded06

SHA1
beb1b17d88b2f01cb717a1534040dde9277be0e0

SHA256
a3f0c17c8962747b82a7bfad2dc6b7a6478aa011e2b633e6c5e2165abe823c35

SHA512
52219cb790289d5be05e04ff472c57cccee01b190717d6a24fed64d22f74d2423187e762b9873eb33875698b06f5e3c56e05161d6fc9d7b3f1d623a43474d7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Clarke

Filesize
23KB

MD5
a557dd5a1fc44f3db0ae01f99cb75fbd

SHA1
e7b5ef1ae204f741327623085ccbcfbcce6fc010

SHA256
36502d3bb59f393fab100ef885833b5f7f47325928cc6c385ebf6b8f74cb4adb

SHA512
192fba9868be606edea1e91a2118b93ea32d8c6aecd73e01864806e1e251c527dc0fd88c31fc1aa1aa2c34fc000418a5da9d77dc113738dc9c2eb32d910e5f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\Classifieds

Filesize
22KB

MD5
53b32fc4786bf60001089e6568e735a9

SHA1
0c1417b75938c0d2ed709ebaaa983188bfc79539

SHA256
2d0e5d2d026a90b9dc9db1ca74e8492df332f43370039ec0e6a5e355872af31e

SHA512
ca23c5bf161f474feb67569e2dc0233bde8b14df787dc27d567dae087300cf65638c4b9fbf9ee4202e759eb93099c7b153f000f72b1b80034471d0e91c6c2768

Download Submit
C:\Users\Admin\AppData\Local\Temp\Customise

Filesize
54KB

MD5
eca0781965789a25ede4eadb10f65084

SHA1
8e632adcfa6f374e600f3f3d75b43f7c83df7e7e

SHA256
ae7564d0cd200f2f5bb9f5eabcaf1a48fe72b630eb214ea9c19eac2e99d474a4

SHA512
2224c092298a6f179ea9d542e4aa65e8ce09c1e797f644f66773ce7d7d1f34ae4f1b2060ba751a19ffca56840268116c09f088762fced816971415a0a44ec0c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dependent

Filesize
93KB

MD5
0013345213d9d2c9f32fc2f697de4ccf

SHA1
d3a0b9bb2732da54a8b346c38d0baaacbb88321a

SHA256
b5c2067c7de67589e373b9c7d4592d54721a23ff84ef07f98546c769c0eee6d9

SHA512
504030c5876493433d2bfe143a0fb7a455785623bed2467eaa3b90fe87a8309cb7ff6fc404a15af7d32f3acfaea4bc2c7ac27c590cbfe22438f86feaef630d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Frequently

Filesize
65KB

MD5
d1e2957ea6a5a5442b9e0d05b931d909

SHA1
9bf6162c35eaf8eb6eacdd5698a74335788213cd

SHA256
ebe9182490f919eaeaca6e0754541f91e029977ea3de86cae50c229a12f246a8

SHA512
458d945f9e89fcbd162bc9338fbbff65641637ef11b7210639168b5b1b0f12574d1178443edacdd4b277426938585ee1957519bdc2e60e629853388c4ccf1fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Generation

Filesize
55KB

MD5
2a3d2502d6d476bcd8f68dcb832a4191

SHA1
9269cf65f98a264ed7ced39e000d2f45f263a378

SHA256
b51695aef4f93fdaa857d19b59153a0b3a7cfdf699e4fcaf9a9eabcf1548e00c

SHA512
d28c767b09961a7116836bdc3a35f5800cf16b96030ffb07266d4e882e0f2334ba92a51fb14fe8c9217ab8e764b3c2d5efe7fe5f016cdd2817b178f6ccea1f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Madrid

Filesize
63KB

MD5
cbb763cc620c0afc95a37d6380906750

SHA1
9d241651c2398119f2130a1e045883d4ca45476d

SHA256
e842fe1639f803b4b3db2be398b5666cf20093ff3dc9cff880d11ed59ece495b

SHA512
abc35fa1f6612829d499ff261ae426f21eccf2826ca6de1f7895e5abfdf874c5f8e2ef943a3df288e0f94710cce383b1349f6e69a36cc406f7f7c7f7039a09f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mike

Filesize
1001B

MD5
77434bd6b0b0e0e3ddcadf887b926de3

SHA1
a8f1d634d5b8c484d61495f49459ac7cac6a6f82

SHA256
9100c5a87151896ca34b490c8c6cc3a44e3b8bf639b608def782c705d31cc7ca

SHA512
16051de6be8b76a6ffe790ddcfdb65db47d3d5d4ac1f94b9be7e75bcefbc4f379fc315f24e4ddd828861acc3529932023b8f8b74bdc3f13b749182565a186492

Download Submit
C:\Users\Admin\AppData\Local\Temp\Offered

Filesize
89KB

MD5
fbfbb1157f8e10ad51415668a5ceb380

SHA1
1b8db437c722de51114017b2690a8b47c32767dd

SHA256
eea68323553d6db71bd678b6ba3a72ce03d072059b2813db6ce9edce16bf687c

SHA512
aadfb417d33a4cf2c0519b8108253f1c373f5d4890eaa65ecb26825a144eb36949fcb924c98fa360cab96939560f975b4762f08b3e913748a76d27f4d7c25ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Saint

Filesize
97KB

MD5
ce5ee0b65ea2e2b4a023e5a8f9205325

SHA1
da2ac81dfbfb8d04ec02db5bb134222bc416ea7f

SHA256
d53979118946de162d62ac431837c78250d091e851a6c575f50d32bd24ddb801

SHA512
c511ed07168aaa74470f598b5b7d5e6e8c722c386191991e140deb206e82d82b4f3f6fecbcece62e96e02adf9235668db94f2dbee62d79233f21aeefca520487

Download Submit
C:\Users\Admin\AppData\Local\Temp\Saying

Filesize
871KB

MD5
4e8fa7c83a3075cd11057b16ae187d28

SHA1
bf3cdd53fe7b7d76b2249bd74e0333f1a0c43b17

SHA256
5d3e3697e4233e1e782699b0a0d63425d1ccec787b1e2235d0e3a9568551a971

SHA512
c62c3a170ccc5aa9ad446db10f221b44757042ffd473cb1d849a3329509b2f63e6f8c29d5d1a21e6d2f4dbdcdfbcb245ff3c66c7e71f907bae82a364df8ca88a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tahoe

Filesize
77KB

MD5
b6acbe976c12b8564acec42de3172ceb

SHA1
346400a24c3a95e3b58a4a1d28cb98df74de4983

SHA256
92af2b7ef5e19e950b9528669644229f90f85e18449de330ecba5bfb1ec1ec2a

SHA512
8c39e0a13b0ef49a3c1ac9aa65d670695dd4bfecf3cb12bd831a0ab222831580b9ee2c20a84a404af5a06d91907703a6fe702b1388b402913bedebf967f7681e

Download Submit
\Users\Admin\AppData\Local\Temp\182347\Smithsonian.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/2768-48-0x0000000003950000-0x00000000039D2000-memory.dmp

Filesize
520KB

Download
memory/2768-43-0x0000000003950000-0x00000000039D2000-memory.dmp

Filesize
520KB

Download
memory/2768-42-0x0000000003950000-0x00000000039D2000-memory.dmp

Filesize
520KB

Download
memory/2768-41-0x0000000003950000-0x00000000039D2000-memory.dmp

Filesize
520KB

Download
memory/2768-47-0x0000000003950000-0x00000000039D2000-memory.dmp

Filesize
520KB

Download
memory/2768-46-0x0000000003950000-0x00000000039D2000-memory.dmp

Filesize
520KB

Download
memory/2768-45-0x0000000003950000-0x00000000039D2000-memory.dmp

Filesize
520KB

Download
memory/2768-44-0x0000000003950000-0x00000000039D2000-memory.dmp

Filesize
520KB

Download
memory/2768-52-0x0000000003950000-0x00000000039D2000-memory.dmp

Filesize
520KB

Download
memory/2768-53-0x0000000003950000-0x00000000039D2000-memory.dmp

Filesize
520KB

Download
memory/2768-49-0x0000000003950000-0x00000000039D2000-memory.dmp

Filesize
520KB

Download
memory/2768-54-0x0000000003950000-0x00000000039D2000-memory.dmp

Filesize
520KB

Download