remcos | a91e0d462c3d7ee561707e53ee221532b4a8e189c34ab7e0998768029bc4c07f

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IIMG1245950021323IMAGN09756912IMAGENVISTAPREVIA0129100011.exe
Size

1.0MB
MD5

f386cbc90a1eb84a3f6e287911320dfe
SHA1

cabe3ee72469a5cd4b68d3de461bc421082ae297
SHA256

59ccd48279374377ac38f767764df31243b433c33a0df39daf005d950b5efba8
SHA512

f8fd87da4ef78a2738922eb2e7c2b58f19efe3480328a9bd0ec9c1bef638418e15cfc6f5516855be2aef65d0916724ebb975b5fd4646c5b39691a5ec2d93bb69
SSDEEP

24576:LwgszDzEY4Ecy7DbDTafOuDZ/myydIESihr2eOkaHYmwmeBQSTG:u7r97D/TJuFbBN6ckaHYHVQGG

Score

10^/10

remcos decimo discovery rat

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

DECIMO

decimoremcdns.duckdns.org:1011

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-EXFS95
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 5 IoCs

flow	pid	Process
39	4760	cmd.exe
42	4760	cmd.exe
46	4760	cmd.exe
54	4760	cmd.exe
55	4760	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
4436	gamps.exe

Loads dropped DLL 1 IoCs

pid	Process
4436	gamps.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\cliconfg.job	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IIMG1245950021323IMAGN09756912IMAGENVISTAPREVIA0129100011.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gamps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4436	gamps.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4436	gamps.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4760	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 4436	4104	IIMG1245950021323IMAGN09756912IMAGENVISTAPREVIA0129100011.exe	86
PID 4104 wrote to memory of 4436	4104	IIMG1245950021323IMAGN09756912IMAGENVISTAPREVIA0129100011.exe	86
PID 4104 wrote to memory of 4436	4104	IIMG1245950021323IMAGN09756912IMAGENVISTAPREVIA0129100011.exe	86
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88
PID 4436 wrote to memory of 4760	4436	gamps.exe	88

C:\Users\Admin\AppData\Local\Temp\IIMG1245950021323IMAGN09756912IMAGENVISTAPREVIA0129100011.exe
"C:\Users\Admin\AppData\Local\Temp\IIMG1245950021323IMAGN09756912IMAGENVISTAPREVIA0129100011.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Users\Admin\AppData\Local\Temp\gamps.exe
  C:\Users\Admin\AppData\Local\Temp\gamps.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Keystroke

Filesize
938KB

MD5
e57f5208e4a14649ea10092961df9b27

SHA1
710d337ae00da50d558962cf8f826d2ce3eb62f9

SHA256
242e61580f7d39a582fcc66d48cc41d6edb0941a01b4054d614c40ef7c87fd8e

SHA512
41a7785322eed67798caac24df3b2ff0eb750cc3220220ed1330242eaf6e074e1d8948edd50a2d5ff214290ee264d2f0254ce9a4d45a3ae264c3e6ce7a91f506

Download Submit
C:\Users\Admin\AppData\Local\Temp\TowbarHamartia.DLL

Filesize
54KB

MD5
d65c8ac05fd814a0327588b6b485c43e

SHA1
5555dc0c343f857c4732683b4018a271b17a6ca0

SHA256
030bcfc5c4629fff97b77925e1650c9bb9b267c1018f2fc754f90afc143522e1

SHA512
a40aa752ba28afb4e4b40ebb551612a819876dde50414c9ff1c0bf6b46618ab9d7b459eca0262fc0b9a13a649123c37fede7b20db4b8f3344c81551041d86fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gamps.exe

Filesize
39KB

MD5
f4392de13dfac4aa804152adbd93e793

SHA1
ee90e001945afde21dcd12d542f0eabb9f94f4a6

SHA256
31ae1165f008db6195108f984d3fe495f10c6ac4a5f74bd365102f84b57d9aba

SHA512
40bf82d364c757576c3d7897d6d7413b64089056a8279433b5d5a35ada7a01607754c29678afd9bada5934d49c26f800132d400c864b38234fba4017bcf01de4

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat

Filesize
74B

MD5
c652b30b20467e80d14dc0a7b8e3592b

SHA1
1628f10fdf5af348e9c77c05d238fcedd8417420

SHA256
221096d6e590fdd005e8d195d60323fa41d889a09ab7551d137d14ba32390018

SHA512
c37ef460b3fad01b894a44b8259e79b3ab403d3458ba933388dd1c18cfeceadb71938dd235a8ece80173a888094795ef16aa2d4a1c7867edf7a9a0c1a8fc5366

Download Submit
memory/4436-26-0x0000000001F40000-0x0000000001F42000-memory.dmp

Filesize
8KB

Download
memory/4436-27-0x0000000001F50000-0x0000000001F5A000-memory.dmp

Filesize
40KB

Download
memory/4436-33-0x0000000077890000-0x00000000778F3000-memory.dmp

Filesize
396KB

Download
memory/4760-34-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4760-36-0x0000000000F80000-0x0000000000F86000-memory.dmp

Filesize
24KB

Download
memory/4760-40-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4760-41-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4760-44-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4760-46-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4760-35-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download