Overview

overview

10

Static

static

10

remcos_a.exe

windows7-x64

10

remcos_a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    234s
  • max time network
    236s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-09-2024 13:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    remcos_a.exe

  • Size

    469KB

  • MD5

    722834785974c29b7422d7d06012ce78

  • SHA1

    f1d099552614514b690a6eaa1db898601dd38ce0

  • SHA256

    d819e34aab150310ecd4730140f3568bcc72531c9959e80353497e0f700fecb8

  • SHA512

    2020af70096abef0623a792471eccf2e7cdb44393304d4f50e71dc16cf8e9a185328bc209a5bfc09b67c6dc7d76319b28b2fc249388c4341ab82be6c289e4af8

  • SSDEEP

    12288:Imnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSjn9:4iLJbpI7I2WhQqZ7j9

Score
10/10
hawkeyeremcosremotehostcredential_accessdiscoverykeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

firsyt205919-48538.portmap.host:48538

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %SystemDrive%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %WinDir%\System32

  • mouse_option

    false

  • mutex

    Rmc-MV66H0

  • screenshot_crypt

    true

  • screenshot_flag

    true

  • screenshot_folder

    Screenshots

  • screenshot_path

    %Temp%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    true

  • take_screenshot_time

    5

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 11 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 37 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\remcos_a.exe
    "C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4728
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4708
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "C:\Remcos\remcos.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1436
        • C:\Remcos\remcos.exe
          C:\Remcos\remcos.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:4040
          • \??\c:\program files (x86)\internet explorer\iexplore.exe
            "c:\program files (x86)\internet explorer\iexplore.exe"
            5⤵
            • Adds Run key to start application
            • Enumerates connected drives
            • Drops file in System32 directory
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4388
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
                PID:3888
              • C:\Windows\SysWOW64\dxdiag.exe
                "C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
                6⤵
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Checks SCSI registry key(s)
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of SetWindowsHookEx
                PID:2500
              • C:\Windows\SysWOW64\svchost.exe
                svchost.exe
                6⤵
                  PID:1864
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  6⤵
                    PID:4240
                  • C:\Windows\SysWOW64\svchost.exe
                    svchost.exe
                    6⤵
                      PID:2864
          • C:\Windows\system32\AUDIODG.EXE
            C:\Windows\system32\AUDIODG.EXE 0x500 0x4dc
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4268
          • C:\Windows\system32\LogonUI.exe
            "LogonUI.exe" /flags:0x4 /state0:0xa39b3055 /state1:0x41c64e6d
            1⤵
            • Modifies data under HKEY_USERS
            • Suspicious use of SetWindowsHookEx
            PID:2516

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Remcos\remcos.exe
            Filesize

            469KB

            MD5

            722834785974c29b7422d7d06012ce78

            SHA1

            f1d099552614514b690a6eaa1db898601dd38ce0

            SHA256

            d819e34aab150310ecd4730140f3568bcc72531c9959e80353497e0f700fecb8

            SHA512

            2020af70096abef0623a792471eccf2e7cdb44393304d4f50e71dc16cf8e9a185328bc209a5bfc09b67c6dc7d76319b28b2fc249388c4341ab82be6c289e4af8

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\install.vbs
            Filesize

            362B

            MD5

            bf073fea4f0dc0dd4396a28625365359

            SHA1

            ade8ba17f8966408e913ed6fef7f8a74edba4c5f

            SHA256

            051b2712be665237334d3ce6faa46eb64e7742587736385ea0162c4fa64ba59a

            SHA512

            f76deba47027204bfce82d62c21b87ec51e1c2f97a4c1575ab7b64fe7de47659d4f1f8a5f228a3446789353d7bf359ddb257d98340c75974139bc3afc002d446

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
            Filesize

            84KB

            MD5

            f566803d770871bd4b5746aeb68bb12e

            SHA1

            f43313d2fdbe45cdd58a4ca51fbd4307a3ad8a02

            SHA256

            c4ba6e5257449d6f155072e61ccd48e21614db82d46247ad68d63c1a7dc3f467

            SHA512

            f651f4c16a7e17990b4ed8157bbf9937b8cc2b33c7baf64f2e12e6c4d36a30d71ed7c3168991aa8800d11b55390f1f572ccd198f920d90a12053caace8e0d47d

            Download Submit

          • C:\Windows\SysWOW64\remcos\logs.dat
            Filesize

            270B

            MD5

            7321a71bc369a2abc6857af1f7441dd1

            SHA1

            83d40c65a2962c8290a9783a2ff0afa560b12720

            SHA256

            5bf78b1a0d7794ee36e26e336376d3c76640bf727363074b0a710508d01cc40b

            SHA512

            837f50adb1b5a17f83e56ef2e529d08aef1e006cc6d2b6b03400f6bfb88b7a7e0130f66849cf1d8ed236024d59becf5ba24eff8e1cfe81b0696f1f53c476fce6

            Download Submit

          • C:\Windows\SysWOW64\remcos\logs.dat
            Filesize

            344B

            MD5

            362943a23c2b384141026d5500a40ab1

            SHA1

            47d8b7028120faf1d7b05d5878d246a208ea7030

            SHA256

            47e0abd34ae991059ce1adffc06f59cb90a1fab12d657a98f1ef2924fd5ef56c

            SHA512

            0c4a34dbc3730fb49c0ba842bcd848e60c917cf3c0e6665c01fec43e1f6674b90c48d15401df05613edd3af7d61c1757a7a7419ff0c0a3b239b1b645929ccc70

            Download Submit

          • C:\Windows\SysWOW64\remcos\logs.dat
            Filesize

            608B

            MD5

            819fcb972ecc16ed70fc604b4db1aaad

            SHA1

            8743bc2dbf7f3eb7fd80cd878c9626b1d3518998

            SHA256

            4e8d4ebf5d41e9b677136adf77ec58bb600625ec6da901a4dedaccd74f86dc29

            SHA512

            f5ea5f903b54f2c0e43a8e86ea534ba0e883235b2a187f103f3311ad905b69e198c124b47cd18021b0f13bb367cd4109d6e30b6632761ee2c9e4dc36366f4e6a

            Download Submit

          • C:\Windows\SysWOW64\remcos\logs.dat
            Filesize

            672B

            MD5

            bd7a12fa74e854ed0648629728adff94

            SHA1

            4ea2e964c16e51a07ff5561bff7779f2f89b5d34

            SHA256

            0416c1681a2fc671b2abdbf55e347f9d5de340150d01b509ce96c30019e5ed0c

            SHA512

            b43390b0d647d0f5dc4586eb890901c3de609550303227394b4a36e746dfbd66ac8f2ecea88a205f812e0adc8bd3ae0005f6a9554421392b41897c3c575c8e92

            Download Submit

          • C:\Windows\SysWOW64\remcos\logs.dat
            Filesize

            754B

            MD5

            fb3a3deeecf2c31dd21414065cba73a3

            SHA1

            4ffd84fe639b2bbd08dddf9e2748a10214b128df

            SHA256

            ee0c6027039267ee0d90fc4ff864155675ba66d44ce35ec67ff60cd1bf2b6785

            SHA512

            d57bef0c4f79396e0073654d385dff8330e2d5e0fd1a4e2402476475ee753c9ec11f3e55e853f586d5d945d50a977ab1936b634838debe801c4e0339d8af8d3f

            Download Submit

          • C:\Windows\SysWOW64\remcos\logs.dat
            Filesize

            1KB

            MD5

            7e5dac6a53b06004e9bf582259701b23

            SHA1

            59f046ed2944b08c6330a7dcf29790686f0009f1

            SHA256

            4fd9fd0e4f485f2a8f5a7e2a4f520a34636c36c5c79a132081ab38d005b369c7

            SHA512

            b2d82dd8b862b7bf8715b8cbded440cfd12ad2e53607b8be427b376742b57004bf5d0071224a1739051eafe4851a0440dfec4910cbe7b01304b4ae294823cca5

            Download Submit

          • C:\Windows\SysWOW64\remcos\logs.dat
            Filesize

            184B

            MD5

            b88dc8085ff52e20922fc006e5984489

            SHA1

            122b7c6c5934c239562d539a880cc8fd1c53707b

            SHA256

            af33cd746d697607a7e0fe64f38341dd3fcc4d04965eb2871c8e4600ce85a520

            SHA512

            b46fe1725d707d249efadc1adef79ec79ab896e4043c7e247c7d6a1817902a72bc869516cec45bac26ed841b847292e103b04da2ba47b92c67e5d638f867d0f9

            Download Submit

          • memory/2500-68-0x0000000002630000-0x0000000002631000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2500-65-0x0000000002630000-0x0000000002631000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2500-66-0x0000000002630000-0x0000000002631000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2500-67-0x0000000002630000-0x0000000002631000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2500-69-0x0000000002630000-0x0000000002631000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2500-70-0x0000000002630000-0x0000000002631000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2500-64-0x0000000002630000-0x0000000002631000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2500-60-0x0000000002630000-0x0000000002631000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2500-59-0x0000000002630000-0x0000000002631000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2500-58-0x0000000002630000-0x0000000002631000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3888-22-0x0000000000880000-0x00000000008FF000-memory.dmp

            Filesize

            508KB

            Download

          • memory/3888-23-0x0000000000880000-0x00000000008FF000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-29-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-33-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-41-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-42-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-44-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-45-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-46-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-47-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-49-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-51-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-39-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-53-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-54-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-55-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-56-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-57-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-38-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-37-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-34-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-40-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-32-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-31-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-30-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-28-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-27-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-26-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-84-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-24-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-88-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-96-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-97-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-12-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-17-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-21-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-11-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-10-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4388-9-0x0000000000500000-0x000000000057F000-memory.dmp

            Filesize

            508KB

            Download