remcos | da07ea710e848805416f93369b7b6e90d0c1b66cbb80ead60c7d46d6d8efd3be

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16/09/2024, 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMANG59293021IMAGN2944592302VISTAVPREVIA023102.exe
Size

778KB
MD5

6ec62d2feca20ea0d9c8730aa3f660e3
SHA1

5386d98ec0d08febf713058df774e9e6044c9080
SHA256

e6b58687faf8165eb9f34872e6dd9df1a97e527a1c9765b698be615e72f368e0
SHA512

6017f06cc445a45cf7f57e131e682fb2f5c56c35bbb1884e3759a44cadb559ea6ca51851808fb2012e3de1f28bdfbb52a35301706468f67ef0f85494fe474aeb
SSDEEP

24576:LwuySQX1XbJzkbtccJ7tQB/9ksYwSQvf8os+q:L5QdbJzFAtKksnSQv+7

Score

10^/10

remcos decimo discovery rat

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

DECIMO

decimoremcdns.duckdns.org:1011

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-EXFS95
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 5 IoCs

flow	pid	Process
37	2484	cmd.exe
43	2484	cmd.exe
46	2484	cmd.exe
51	2484	cmd.exe
52	2484	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2180	paperings.exe

Loads dropped DLL 1 IoCs

pid	Process
2180	paperings.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\sfc.job	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	paperings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMANG59293021IMAGN2944592302VISTAVPREVIA023102.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2180	paperings.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2180	paperings.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2484	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 2180	4852	IMANG59293021IMAGN2944592302VISTAVPREVIA023102.exe	82
PID 4852 wrote to memory of 2180	4852	IMANG59293021IMAGN2944592302VISTAVPREVIA023102.exe	82
PID 4852 wrote to memory of 2180	4852	IMANG59293021IMAGN2944592302VISTAVPREVIA023102.exe	82
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87
PID 2180 wrote to memory of 2484	2180	paperings.exe	87

C:\Users\Admin\AppData\Local\Temp\IMANG59293021IMAGN2944592302VISTAVPREVIA023102.exe
"C:\Users\Admin\AppData\Local\Temp\IMANG59293021IMAGN2944592302VISTAVPREVIA023102.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Users\Admin\AppData\Local\Temp\paperings.exe
  C:\Users\Admin\AppData\Local\Temp\paperings.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Keystroke

Filesize
645KB

MD5
5c9b2fdeda32f5e7c5dba14db7d405f1

SHA1
0616c4b7aade47f8a7a110222cf21b40a9138540

SHA256
0376fa7850a8e22086b054e55a626633f5376e5a1639eb10799ae68a1f64493d

SHA512
42fa024108e621cfdeae5b888597d635ed6a60465a174e1d2c8145465bda8fdc45809cb231a651d182414d39a2e21402fa2c50e711efaa29c37cde9154c19f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\TowbarHamartia.DLL

Filesize
54KB

MD5
d65c8ac05fd814a0327588b6b485c43e

SHA1
5555dc0c343f857c4732683b4018a271b17a6ca0

SHA256
030bcfc5c4629fff97b77925e1650c9bb9b267c1018f2fc754f90afc143522e1

SHA512
a40aa752ba28afb4e4b40ebb551612a819876dde50414c9ff1c0bf6b46618ab9d7b459eca0262fc0b9a13a649123c37fede7b20db4b8f3344c81551041d86fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\paperings.exe

Filesize
39KB

MD5
f4392de13dfac4aa804152adbd93e793

SHA1
ee90e001945afde21dcd12d542f0eabb9f94f4a6

SHA256
31ae1165f008db6195108f984d3fe495f10c6ac4a5f74bd365102f84b57d9aba

SHA512
40bf82d364c757576c3d7897d6d7413b64089056a8279433b5d5a35ada7a01607754c29678afd9bada5934d49c26f800132d400c864b38234fba4017bcf01de4

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat

Filesize
74B

MD5
c29fe46d8d14556f6e83a2b22a271d03

SHA1
ea713e6daa511c2d246950a62c115d822f15ae72

SHA256
d578c928c4f0dbffde8cf13f4b79549c7090f5cefbb29b7b7bd131dc5aa5c5d5

SHA512
60dd080743ae1ecc2e9598e1edba41ab5150f8e879784a505edc5d075312b614eb8a28a67d5403e974e8607d35d0f8c3d2f1c7570dfc4b9c9f33ca2ff24f0319

Download Submit
memory/2180-32-0x0000000000550000-0x0000000000552000-memory.dmp

Filesize
8KB

Download
memory/2180-26-0x0000000000560000-0x000000000056A000-memory.dmp

Filesize
40KB

Download
memory/2180-33-0x0000000075B50000-0x0000000075BB3000-memory.dmp

Filesize
396KB

Download
memory/2484-34-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2484-36-0x0000000000980000-0x0000000000986000-memory.dmp

Filesize
24KB

Download
memory/2484-41-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2484-40-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2484-44-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2484-46-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2484-35-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download