remcos | d819e34aab150310ecd4730140f3568bcc72531c9959e80353497e0f700fecb8

General

Target

remcos_a.exe
Size

469KB
MD5

722834785974c29b7422d7d06012ce78
SHA1

f1d099552614514b690a6eaa1db898601dd38ce0
SHA256

d819e34aab150310ecd4730140f3568bcc72531c9959e80353497e0f700fecb8
SHA512

2020af70096abef0623a792471eccf2e7cdb44393304d4f50e71dc16cf8e9a185328bc209a5bfc09b67c6dc7d76319b28b2fc249388c4341ab82be6c289e4af8
SSDEEP

12288:Imnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSjn9:4iLJbpI7I2WhQqZ7j9

Score

10^/10

remcos remotehost discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

firsyt205919-48538.portmap.host:48538

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%SystemDrive%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%WinDir%\System32
mouse_option
false
mutex
Rmc-MV66H0
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%Temp%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
true
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

remcos.exe

pid process

2264 remcos.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2352 cmd.exe
2352 cmd.exe

pid	process
2264	remcos.exe

pid	process
2352	cmd.exe
2352	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

remcos_a.exeremcos.exeiexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Remcos\\remcos.exe\""	remcos_a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Remcos\\remcos.exe\""	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Remcos\\remcos.exe\""	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Remcos\\remcos.exe\""	remcos_a.exe

Drops file in System32 directory 2 IoCs

Processes:

iexplore.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\remcos\logs.dat	iexplore.exe
File created	C:\Windows\SysWOW64\remcos\logs.dat	iexplore.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

remcos.exeiexplore.exe

description	pid	process	target process
PID 2264 set thread context of 2268	2264	remcos.exe	iexplore.exe
PID 2268 set thread context of 2692	2268	iexplore.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WScript.execmd.exeremcos.exeiexplore.exeremcos_a.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos_a.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

remcos.exe

pid process

2264 remcos.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

remcos.exeiexplore.exe

pid process

2264 remcos.exe
2268 iexplore.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

iexplore.exe

pid process

2268 iexplore.exe

pid	process
2264	remcos.exe

pid	process
2264	remcos.exe
2268	iexplore.exe

pid	process
2268	iexplore.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

remcos_a.exeWScript.execmd.exeremcos.exeiexplore.exe

description	pid	process	target process
PID 276 wrote to memory of 2472	276	remcos_a.exe	WScript.exe
PID 276 wrote to memory of 2472	276	remcos_a.exe	WScript.exe
PID 276 wrote to memory of 2472	276	remcos_a.exe	WScript.exe
PID 276 wrote to memory of 2472	276	remcos_a.exe	WScript.exe
PID 2472 wrote to memory of 2352	2472	WScript.exe	cmd.exe
PID 2472 wrote to memory of 2352	2472	WScript.exe	cmd.exe
PID 2472 wrote to memory of 2352	2472	WScript.exe	cmd.exe
PID 2472 wrote to memory of 2352	2472	WScript.exe	cmd.exe
PID 2352 wrote to memory of 2264	2352	cmd.exe	remcos.exe
PID 2352 wrote to memory of 2264	2352	cmd.exe	remcos.exe
PID 2352 wrote to memory of 2264	2352	cmd.exe	remcos.exe
PID 2352 wrote to memory of 2264	2352	cmd.exe	remcos.exe
PID 2264 wrote to memory of 2268	2264	remcos.exe	iexplore.exe
PID 2264 wrote to memory of 2268	2264	remcos.exe	iexplore.exe
PID 2264 wrote to memory of 2268	2264	remcos.exe	iexplore.exe
PID 2264 wrote to memory of 2268	2264	remcos.exe	iexplore.exe
PID 2264 wrote to memory of 2268	2264	remcos.exe	iexplore.exe
PID 2268 wrote to memory of 2692	2268	iexplore.exe	svchost.exe
PID 2268 wrote to memory of 2692	2268	iexplore.exe	svchost.exe
PID 2268 wrote to memory of 2692	2268	iexplore.exe	svchost.exe
PID 2268 wrote to memory of 2692	2268	iexplore.exe	svchost.exe
PID 2268 wrote to memory of 2692	2268	iexplore.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\remcos_a.exe
"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:276
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Remcos\remcos.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Remcos\remcos.exe
      C:\Remcos\remcos.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2264
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2268
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        
        PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Remcos\remcos.exe

Filesize
469KB

MD5
722834785974c29b7422d7d06012ce78

SHA1
f1d099552614514b690a6eaa1db898601dd38ce0

SHA256
d819e34aab150310ecd4730140f3568bcc72531c9959e80353497e0f700fecb8

SHA512
2020af70096abef0623a792471eccf2e7cdb44393304d4f50e71dc16cf8e9a185328bc209a5bfc09b67c6dc7d76319b28b2fc249388c4341ab82be6c289e4af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
362B

MD5
bf073fea4f0dc0dd4396a28625365359

SHA1
ade8ba17f8966408e913ed6fef7f8a74edba4c5f

SHA256
051b2712be665237334d3ce6faa46eb64e7742587736385ea0162c4fa64ba59a

SHA512
f76deba47027204bfce82d62c21b87ec51e1c2f97a4c1575ab7b64fe7de47659d4f1f8a5f228a3446789353d7bf359ddb257d98340c75974139bc3afc002d446

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
270B

MD5
16452639d1beee2ba0d8dabf907e07b4

SHA1
7e6f22a22fd8e0b87415c8902fb62631da9b0305

SHA256
413ce18e9b3dd597042daf50382fedf02b9501db1cb6a8378dc3529207019e51

SHA512
e701e458a30daf1e55edb9b59caea6b5f3ea0f0f075920a25a4a53f171a914401bbf90ed2c5d93d3cc6d6b74f09d54349797f3bd94638d891c4d76aa5d76535d

Download Submit
memory/2268-30-0x00000000000C0000-0x000000000013F000-memory.dmp

Filesize
508KB

Download
memory/2268-41-0x00000000000C0000-0x000000000013F000-memory.dmp

Filesize
508KB

Download
memory/2268-32-0x00000000000C0000-0x000000000013F000-memory.dmp

Filesize
508KB

Download
memory/2268-19-0x00000000000C0000-0x000000000013F000-memory.dmp

Filesize
508KB

Download
memory/2268-18-0x00000000000C0000-0x000000000013F000-memory.dmp

Filesize
508KB

Download
memory/2268-21-0x00000000000C0000-0x000000000013F000-memory.dmp

Filesize
508KB

Download
memory/2268-31-0x00000000000C0000-0x000000000013F000-memory.dmp

Filesize
508KB

Download
memory/2268-50-0x00000000000C0000-0x000000000013F000-memory.dmp

Filesize
508KB

Download
memory/2268-51-0x00000000000C0000-0x000000000013F000-memory.dmp

Filesize
508KB

Download
memory/2268-27-0x00000000000C0000-0x000000000013F000-memory.dmp

Filesize
508KB

Download
memory/2268-26-0x00000000000C0000-0x000000000013F000-memory.dmp

Filesize
508KB

Download
memory/2268-28-0x00000000000C0000-0x000000000013F000-memory.dmp

Filesize
508KB

Download
memory/2268-29-0x00000000000C0000-0x000000000013F000-memory.dmp

Filesize
508KB

Download
memory/2268-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2268-53-0x00000000000C0000-0x000000000013F000-memory.dmp

Filesize
508KB

Download
memory/2268-13-0x00000000000C0000-0x000000000013F000-memory.dmp

Filesize
508KB

Download
memory/2268-33-0x00000000000C0000-0x000000000013F000-memory.dmp

Filesize
508KB

Download
memory/2268-34-0x00000000000C0000-0x000000000013F000-memory.dmp

Filesize
508KB

Download
memory/2268-37-0x00000000000C0000-0x000000000013F000-memory.dmp

Filesize
508KB

Download
memory/2268-38-0x00000000000C0000-0x000000000013F000-memory.dmp

Filesize
508KB

Download
memory/2268-39-0x00000000000C0000-0x000000000013F000-memory.dmp

Filesize
508KB

Download
memory/2268-40-0x00000000000C0000-0x000000000013F000-memory.dmp

Filesize
508KB

Download
memory/2268-12-0x00000000000C0000-0x000000000013F000-memory.dmp

Filesize
508KB

Download
memory/2268-42-0x00000000000C0000-0x000000000013F000-memory.dmp

Filesize
508KB

Download
memory/2268-43-0x00000000000C0000-0x000000000013F000-memory.dmp

Filesize
508KB

Download
memory/2268-11-0x00000000000C0000-0x000000000013F000-memory.dmp

Filesize
508KB

Download
memory/2268-49-0x00000000000C0000-0x000000000013F000-memory.dmp

Filesize
508KB

Download
memory/2692-24-0x0000000000090000-0x000000000010F000-memory.dmp

Filesize
508KB

Download
memory/2692-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2692-23-0x0000000000090000-0x000000000010F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads