Malware Analysis Report

2025-01-02 03:03

Sample ID: 240812-gma6nssekg
Target: remcos_a.exe
SHA256: 1aa8e0e39ef44f0906f9f8036df2eff25f53c985a22b24c4f8ac994c3cd5e6d2
Tags: remcos, remotehost, discovery, rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 1aa8e0e39ef44f0906f9f8036df2eff25f53c985a22b24c4f8ac994c3cd5e6d2

Threat Level: Known bad

The file remcos_a.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost discovery rat

Remcos

Remcos family

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-12 05:54

Signatures

Remcos family

remcos

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-12 05:54
Reported: 2024-08-12 05:56
Platform: win7-20240704-en
Max time kernel: 81s
Max time network: 79s

Command Line

"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"

Signatures

Remcos

rat remcos

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2292 set thread context of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\remcos_a.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2012 set thread context of 3056 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\svchost.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\remcos_a.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\remcos_a.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\remcos_a.exe | N/A
N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\remcos_a.exe

"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SplitTest.M2T"

Network

Country | Destination | Domain | Proto
N/A | 192.168.1.252:2404 | N/A | tcp
N/A | 192.168.1.252:2404 | N/A | tcp
N/A | 192.168.1.252:2404 | N/A | tcp
N/A | 192.168.1.252:2404 | N/A | tcp

Files


C:\ProgramData\remcos\logs.dat

MD5 7e6c1d8d37a2fa0d97dcee7b70a1ee64
SHA1 ea43a941f27158e6aa7f32993eb86b48cdefb822
SHA256 8e0f7dd40b6dadb8405109dff0c45269958c748b046e777388b265d94306ce60
SHA512 40672b779329044f6a4c02abbbeec9bde1d0819edf2228dbf02704567a30ff609f8d0cc5de8a20b4b02569e6f88b5bb432f163aa738f5992708233f43ba479bc


Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-12 05:54
Reported: 2024-08-12 05:57
Platform: win10v2004-20240802-en
Max time kernel: 148s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"

Signatures

Remcos

rat remcos

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4672 set thread context of 5056 | N/A | C:\Users\Admin\AppData\Local\Temp\remcos_a.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 5056 set thread context of 3532 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\svchost.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\remcos_a.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\remcos_a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\remcos_a.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\remcos_a.exe | N/A
N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\remcos_a.exe

"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country | Destination | Domain | Proto
N/A | 192.168.1.252:2404 | N/A | tcp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
N/A | 192.168.1.252:2404 | N/A | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
N/A | 192.168.1.252:2404 | N/A | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
N/A | 192.168.1.252:2404 | N/A | tcp
N/A | 192.168.1.252:2404 | N/A | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
N/A | 192.168.1.252:2404 | N/A | tcp
N/A | 192.168.1.252:2404 | N/A | tcp

Files


C:\ProgramData\remcos\logs.dat

MD5 ce9409567a06261b3844a8ff356b6944
SHA1 999a145ccf64d78ed1d267d54399777cebda30eb
SHA256 a32df2593438506f117f1a396866a3972b34fb242f7f2eb773594ba158d27ea1
SHA512 864626a34c900ce6bdda07e6a8db630b24fa9157e0098f1ef6db661a8181d657cc37144b74fc22f12fcf5b9be442544f64b73e22e15a976ce620ba11362ea297
