remcos | 36983e119052d1e3e4ebfc91dd66e33d22276600e2bfc5e17ce7f7122c7e482f

Analysis

max time kernel
284s
max time network
277s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
07-09-2024 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Remcos v5.1.2 Light.exe
Size

38.6MB
MD5

aab49a7f7deba6b74049cea33dffb78f
SHA1

11da313168c80b3eedcb5fe014c9403e64d5af11
SHA256

e5387b78af0633c16fe10091130a69869d0ba984e472d5f0a9e01d4f1c7385a8
SHA512

fc03b18b10f5c08fd12abf17f0b12183932e610e9e297a2c960a3bba8e9907b866b957e82ece70cd6517efc4872859eda587f76804969106197a1f015ab1004b
SSDEEP

786432:E3C/xVfmzayg/pr61bCYH9tIiqZUX0W8JxkvgMWhcxbgrWi56oO:E36RG1/bIiqZUXyJxjc1ProO

Score

10^/10

remcos discovery rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 5 IoCs

pid	Process
3484	remcos_a.exe
2780	remcos_a.exe
3972	remcos_a.exe
232	remcos_a.exe
5044	remcos_a.exe

Loads dropped DLL 2 IoCs

pid	Process
1860	Remcos v5.1.2 Light.exe
1860	Remcos v5.1.2 Light.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1860	Remcos v5.1.2 Light.exe
1860	Remcos v5.1.2 Light.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
4776	3484	WerFault.exe	81
4848	2780	WerFault.exe	87
2220	3972	WerFault.exe	90
4792	232	WerFault.exe	93
2004	5044	WerFault.exe	97

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos_a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos_a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remcos v5.1.2 Light.exe

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Remcos v5.1.2 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Remcos v5.1.2 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Remcos v5.1.2 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Remcos v5.1.2 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Remcos v5.1.2 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Remcos v5.1.2 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Remcos v5.1.2 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Remcos v5.1.2 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Remcos v5.1.2 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Remcos v5.1.2 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Remcos v5.1.2 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Remcos v5.1.2 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Remcos v5.1.2 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Remcos v5.1.2 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	Remcos v5.1.2 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Remcos v5.1.2 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Remcos v5.1.2 Light.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Remcos v5.1.2 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Remcos v5.1.2 Light.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	Remcos v5.1.2 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Remcos v5.1.2 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Remcos v5.1.2 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Remcos v5.1.2 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Remcos v5.1.2 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Remcos v5.1.2 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Remcos v5.1.2 Light.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Remcos v5.1.2 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Remcos v5.1.2 Light.exe
Key created	\Registry\User\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\NotificationData	Remcos v5.1.2 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Remcos v5.1.2 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Remcos v5.1.2 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Remcos v5.1.2 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Remcos v5.1.2 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Remcos v5.1.2 Light.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1860	Remcos v5.1.2 Light.exe
1860	Remcos v5.1.2 Light.exe
1860	Remcos v5.1.2 Light.exe
1860	Remcos v5.1.2 Light.exe
1860	Remcos v5.1.2 Light.exe
1860	Remcos v5.1.2 Light.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1860	Remcos v5.1.2 Light.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1860	Remcos v5.1.2 Light.exe
1860	Remcos v5.1.2 Light.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1860	Remcos v5.1.2 Light.exe
1860	Remcos v5.1.2 Light.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1860	Remcos v5.1.2 Light.exe
1860	Remcos v5.1.2 Light.exe

C:\Users\Admin\AppData\Local\Temp\Remcos v5.1.2 Light.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v5.1.2 Light.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1860

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3996

C:\Users\Admin\Documents\remcos_a.exe
"C:\Users\Admin\Documents\remcos_a.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 628
  2⤵
  - Program crash
  PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3484 -ip 3484
1⤵
PID:4540

C:\Users\Admin\Documents\remcos_a.exe
"C:\Users\Admin\Documents\remcos_a.exe"
1⤵
- Executes dropped EXE
PID:2780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 604
  2⤵
  - Program crash
  PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2780 -ip 2780
1⤵
PID:2440

C:\Users\Admin\Documents\remcos_a.exe
"C:\Users\Admin\Documents\remcos_a.exe"
1⤵
- Executes dropped EXE
PID:3972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 596
  2⤵
  - Program crash
  PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3972 -ip 3972
1⤵
PID:2036

C:\Users\Admin\Documents\remcos_a.exe
"C:\Users\Admin\Documents\remcos_a.exe"
1⤵
- Executes dropped EXE
PID:232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 596
  2⤵
  - Program crash
  PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 232 -ip 232
1⤵
PID:4348

C:\Users\Admin\Desktop\remcos_a.exe
"C:\Users\Admin\Desktop\remcos_a.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 628
  2⤵
  - Program crash
  PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5044 -ip 5044
1⤵
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BuilderProfiles\DefaultProfile.ini

Filesize
398B

MD5
87b2d9f287e386304071ab0367b2f162

SHA1
e1cc7002d96913fa2d9bda2fe23a136fbf6dba43

SHA256
d50671403045ef77352966fdc83b71505b42a89efb791a0e9a27b3fc1033da86

SHA512
f154757d2cf08a9321fa00b7a6eb8728d20e12d3370d9b647e58757bf7d797950ac453da712718e181e4628b38adfb91bd3544c671f11c02bfce344196a9f4ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos_Settings.ini

Filesize
81B

MD5
ea6a6b33d6dfd1224c53d3e9c9890637

SHA1
c61fb7d50904c4f676188b0c9c34adb91a796e80

SHA256
b248e460bd1eb7770ee309f21cc7a1a992a6fe245e9487293e107a34f994a875

SHA512
df261cc149b6145943cbe1cfc940315c1db3611e3c6054651b8470b00b2fe6dc89feb1de3c0f67aa677e70c679af1bada419c84c62f049e5b674f6bfd59bb529

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos_Settings.ini

Filesize
102B

MD5
8a26c698fbbe6e9092708ebfbb05a76b

SHA1
93b2a33eba6f7d437002b0676016596d005ff316

SHA256
7e2c1b46817e5ba06f01ef906ef0630fc7f3c518fa9d5e9b6f5d96543723cfac

SHA512
779c95144ca4a0ed52de337a2c1a76e25e479c0eeea690b2d43d635c784c059ecd3ea256ea0b40afac31ca95d2119d30edd488d8ff3ce13b123421659e5a0583

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos_Settings.ini

Filesize
122B

MD5
e6d92e5023b284fe5904d96217c6fe0d

SHA1
f76e3496a254e0c833de8c752f482c61a4124969

SHA256
3be687be14a0682924a2b24452a4e4e05fd2cb6635e73f797fdd91f2c0200541

SHA512
faf35c4cf3be7556c258b19d0fdf57093ea99c22318296b9143879caa90b23fd2fa6a300ca765fd048a889b5e0d74adc57217bd5c7147736015cea7e9fb957b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos_Settings.ini

Filesize
29B

MD5
5ef6edd2053ba7dae1c9b137deddff92

SHA1
3f8a68838109ca0fa42e451aded13c1dcb5496e3

SHA256
4ef0b5f5085ee7b911b8f64a66c40c45cc3049b74e1e8154acc8338337ab717f

SHA512
f1a3a705e9d49ad6f1f4408a2cd2f7b1803c15ea0c2d7d1326e52e27689add38a5a718f87015697cfd4af043a64718f369e9a1e9276940c0304efcee3098572e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos_Settings.ini

Filesize
1KB

MD5
c16d7b20fe46aa7928f70ce4fe0f6f8b

SHA1
1cfaae43fc18c998a4ab395331b2c5ed878b4ddf

SHA256
79ecf6bbc8d646e0940a30ede5190525d449f613b25e61109d9d9ba011047c23

SHA512
baf76262e47c9647277d6b60c8b3594d2b23927ae1922183574b2cf9d1580d71d5bb3281acc53ec5988c1b1ee7467bbe5a73f6e14f92fa6310e1fb833084fc2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tls\libeay32.dll

Filesize
1.3MB

MD5
fa5def992198121d4bb5ff3bde39fdc9

SHA1
f684152c245cc708fbaf4d1c0472d783b26c5b18

SHA256
5264a4a478383f501961f2bd9beb1f77a43a487b76090561bba2cbfe951e5305

SHA512
4589382a71cd3a577b83bab4a0209e72e02f603e7da6ef3175b6a74bd958e70a891091dbdff4be0725baca2d665470594b03f074983b3ed3242e5cd04783fdba

Download Submit
C:\Users\Admin\AppData\Local\Temp\tls\ssleay32.dll

Filesize
330KB

MD5
2117e31688aef8ecf267978265bfcdcd

SHA1
e8c3cfd65ed7947f23b1bb0b66185e1e73913cfc

SHA256
0a4031ab00664cc5e202c8731798800f0475ef76800122cebd71d249655d725f

SHA512
dd03899429c2d542558e30c84a076d7e5dbde5128495954093a7031854c1df68f8ff8eca4c791144937288b084dd261fbe090c4ff9a3e0768e26f0616b474eca

Download Submit
C:\Users\Admin\Documents\remcos_a.exe

Filesize
428KB

MD5
42279a70179ee0979b53370bfa9ce9f7

SHA1
924772942d1a9498aeb0c4a17152afcb6abcd2ae

SHA256
a6fb7aae43dbe5a45409b33d1d45307dc7cc9821a71600ff45a5258bff8da91c

SHA512
146cbfa807a4b31082f781dfa83e127cf7dc3c1eee3af523a4d63b550634e1001e8180fbad5dc90407536307e5a7ff719aa3679a482188cbcfe0e530ee7de900

Download Submit
memory/1860-7-0x00000000085D0000-0x00000000085D1000-memory.dmp

Filesize
4KB

Download
memory/1860-6-0x00000000085C0000-0x00000000085C1000-memory.dmp

Filesize
4KB

Download
memory/1860-13-0x0000000000400000-0x00000000065DC000-memory.dmp

Filesize
97.9MB

Download
memory/1860-14-0x0000000000400000-0x00000000065DC000-memory.dmp

Filesize
97.9MB

Download
memory/1860-9-0x0000000000400000-0x00000000065DC000-memory.dmp

Filesize
97.9MB

Download
memory/1860-4-0x00000000085A0000-0x00000000085A1000-memory.dmp

Filesize
4KB

Download
memory/1860-5-0x00000000085B0000-0x00000000085B1000-memory.dmp

Filesize
4KB

Download
memory/1860-12-0x0000000000400000-0x00000000065DC000-memory.dmp

Filesize
97.9MB

Download
memory/1860-0-0x0000000000401000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/1860-8-0x00000000085E0000-0x00000000085E1000-memory.dmp

Filesize
4KB

Download
memory/1860-1-0x0000000006850000-0x0000000006851000-memory.dmp

Filesize
4KB

Download
memory/1860-2-0x0000000008560000-0x0000000008561000-memory.dmp

Filesize
4KB

Download
memory/1860-3-0x0000000008570000-0x0000000008571000-memory.dmp

Filesize
4KB

Download
memory/1860-284-0x0000000000400000-0x00000000065DC000-memory.dmp

Filesize
97.9MB

Download