remcos | d819e34aab150310ecd4730140f3568bcc72531c9959e80353497e0f700fecb8

General

Target

d819e34aab150310ecd4730140f3568bcc72531c9959e80353497e0f700fecb8.exe
Size

469KB
MD5

722834785974c29b7422d7d06012ce78
SHA1

f1d099552614514b690a6eaa1db898601dd38ce0
SHA256

d819e34aab150310ecd4730140f3568bcc72531c9959e80353497e0f700fecb8
SHA512

2020af70096abef0623a792471eccf2e7cdb44393304d4f50e71dc16cf8e9a185328bc209a5bfc09b67c6dc7d76319b28b2fc249388c4341ab82be6c289e4af8
SSDEEP

12288:Imnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSjn9:4iLJbpI7I2WhQqZ7j9

Score

10^/10

remcos remotehost discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

firsyt205919-48538.portmap.host:48538

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%SystemDrive%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%WinDir%\System32
mouse_option
false
mutex
Rmc-MV66H0
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%Temp%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
true
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 1 IoCs

pid	Process
2828	remcos.exe

Loads dropped DLL 2 IoCs

pid	Process
2936	cmd.exe
2936	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Remcos\\remcos.exe\""	d819e34aab150310ecd4730140f3568bcc72531c9959e80353497e0f700fecb8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Remcos\\remcos.exe\""	d819e34aab150310ecd4730140f3568bcc72531c9959e80353497e0f700fecb8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Remcos\\remcos.exe\""	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Remcos\\remcos.exe\""	iexplore.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\remcos\logs.dat	iexplore.exe
File created	C:\Windows\SysWOW64\remcos\logs.dat	iexplore.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2828 set thread context of 2880	2828	remcos.exe	34
PID 2880 set thread context of 2812	2880	iexplore.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d819e34aab150310ecd4730140f3568bcc72531c9959e80353497e0f700fecb8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2828	remcos.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2880	iexplore.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2828	remcos.exe
2880	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2880	iexplore.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 2504	792	d819e34aab150310ecd4730140f3568bcc72531c9959e80353497e0f700fecb8.exe	30
PID 792 wrote to memory of 2504	792	d819e34aab150310ecd4730140f3568bcc72531c9959e80353497e0f700fecb8.exe	30
PID 792 wrote to memory of 2504	792	d819e34aab150310ecd4730140f3568bcc72531c9959e80353497e0f700fecb8.exe	30
PID 792 wrote to memory of 2504	792	d819e34aab150310ecd4730140f3568bcc72531c9959e80353497e0f700fecb8.exe	30
PID 2504 wrote to memory of 2936	2504	WScript.exe	31
PID 2504 wrote to memory of 2936	2504	WScript.exe	31
PID 2504 wrote to memory of 2936	2504	WScript.exe	31
PID 2504 wrote to memory of 2936	2504	WScript.exe	31
PID 2936 wrote to memory of 2828	2936	cmd.exe	33
PID 2936 wrote to memory of 2828	2936	cmd.exe	33
PID 2936 wrote to memory of 2828	2936	cmd.exe	33
PID 2936 wrote to memory of 2828	2936	cmd.exe	33
PID 2828 wrote to memory of 2880	2828	remcos.exe	34
PID 2828 wrote to memory of 2880	2828	remcos.exe	34
PID 2828 wrote to memory of 2880	2828	remcos.exe	34
PID 2828 wrote to memory of 2880	2828	remcos.exe	34
PID 2828 wrote to memory of 2880	2828	remcos.exe	34
PID 2880 wrote to memory of 2812	2880	iexplore.exe	35
PID 2880 wrote to memory of 2812	2880	iexplore.exe	35
PID 2880 wrote to memory of 2812	2880	iexplore.exe	35
PID 2880 wrote to memory of 2812	2880	iexplore.exe	35
PID 2880 wrote to memory of 2812	2880	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\d819e34aab150310ecd4730140f3568bcc72531c9959e80353497e0f700fecb8.exe
"C:\Users\Admin\AppData\Local\Temp\d819e34aab150310ecd4730140f3568bcc72531c9959e80353497e0f700fecb8.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:792
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Remcos\remcos.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Remcos\remcos.exe
      C:\Remcos\remcos.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2828
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2880
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        
        PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
362B

MD5
bf073fea4f0dc0dd4396a28625365359

SHA1
ade8ba17f8966408e913ed6fef7f8a74edba4c5f

SHA256
051b2712be665237334d3ce6faa46eb64e7742587736385ea0162c4fa64ba59a

SHA512
f76deba47027204bfce82d62c21b87ec51e1c2f97a4c1575ab7b64fe7de47659d4f1f8a5f228a3446789353d7bf359ddb257d98340c75974139bc3afc002d446

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
184B

MD5
3aafe399cec1196e12fc6e992721ce81

SHA1
7cfe8f41889da61d553923b90ddb662a0391637f

SHA256
1b0845ab0916b4bb12e9eb48e711e440feaafca9a1917f4d4efa0a45cb55e546

SHA512
51f5bc7f7c464b7fe7475926634f441944aef0b2175ef4652d78c5b9cef28bb5cfda83a7db5809512e018abd43f97ff0924c33866ea89b986c25b6a0288ed163

Download Submit
\Remcos\remcos.exe

Filesize
469KB

MD5
722834785974c29b7422d7d06012ce78

SHA1
f1d099552614514b690a6eaa1db898601dd38ce0

SHA256
d819e34aab150310ecd4730140f3568bcc72531c9959e80353497e0f700fecb8

SHA512
2020af70096abef0623a792471eccf2e7cdb44393304d4f50e71dc16cf8e9a185328bc209a5bfc09b67c6dc7d76319b28b2fc249388c4341ab82be6c289e4af8

Download Submit
memory/2812-25-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/2812-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2812-24-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/2880-32-0x00000000000F0000-0x000000000016F000-memory.dmp

Filesize
508KB

Download
memory/2880-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2880-22-0x00000000000F0000-0x000000000016F000-memory.dmp

Filesize
508KB

Download
memory/2880-19-0x00000000000F0000-0x000000000016F000-memory.dmp

Filesize
508KB

Download
memory/2880-13-0x00000000000F0000-0x000000000016F000-memory.dmp

Filesize
508KB

Download
memory/2880-12-0x00000000000F0000-0x000000000016F000-memory.dmp

Filesize
508KB

Download
memory/2880-28-0x00000000000F0000-0x000000000016F000-memory.dmp

Filesize
508KB

Download
memory/2880-27-0x00000000000F0000-0x000000000016F000-memory.dmp

Filesize
508KB

Download
memory/2880-29-0x00000000000F0000-0x000000000016F000-memory.dmp

Filesize
508KB

Download
memory/2880-30-0x00000000000F0000-0x000000000016F000-memory.dmp

Filesize
508KB

Download
memory/2880-11-0x00000000000F0000-0x000000000016F000-memory.dmp

Filesize
508KB

Download
memory/2880-35-0x00000000000F0000-0x000000000016F000-memory.dmp

Filesize
508KB

Download
memory/2880-36-0x00000000000F0000-0x000000000016F000-memory.dmp

Filesize
508KB

Download
memory/2880-18-0x00000000000F0000-0x000000000016F000-memory.dmp

Filesize
508KB

Download
memory/2880-41-0x00000000000F0000-0x000000000016F000-memory.dmp

Filesize
508KB

Download
memory/2880-42-0x00000000000F0000-0x000000000016F000-memory.dmp

Filesize
508KB

Download
memory/2880-47-0x00000000000F0000-0x000000000016F000-memory.dmp

Filesize
508KB

Download
memory/2880-49-0x00000000000F0000-0x000000000016F000-memory.dmp

Filesize
508KB

Download
memory/2880-54-0x00000000000F0000-0x000000000016F000-memory.dmp

Filesize
508KB

Download
memory/2880-55-0x00000000000F0000-0x000000000016F000-memory.dmp

Filesize
508KB

Download
memory/2880-60-0x00000000000F0000-0x000000000016F000-memory.dmp

Filesize
508KB

Download
memory/2880-61-0x00000000000F0000-0x000000000016F000-memory.dmp

Filesize
508KB

Download
memory/2880-67-0x00000000000F0000-0x000000000016F000-memory.dmp

Filesize
508KB

Download
memory/2880-68-0x00000000000F0000-0x000000000016F000-memory.dmp

Filesize
508KB

Download
memory/2880-73-0x00000000000F0000-0x000000000016F000-memory.dmp

Filesize
508KB

Download
memory/2880-74-0x00000000000F0000-0x000000000016F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads