remcos | d8457ca03fe0b01679373027ada4a1fce826baf104b5ae36834052508735d5bd

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 22:56 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

1.0MB
MD5

389e49fd591fbdbe272575573a922085
SHA1

2145dacbed53f6b64ea96938cff8758531961c1a
SHA256

24191589d733c928bce4654a950c0f6bd02b6675a78e47e22893e72d27067264
SHA512

74b957d349a3241143525a6085372b8131551de3c1df25b61dc4fbbb74a868234cb36c32db14a61ab6eb516258a85d551956c408e20c0523eaa7e8e1d2b19bd4
SSDEEP

24576:82+IxnXZC4MQdHAsU/O552srSCbBJwNQEwTtaMmVL:uIByQhK/Og6BKNQkdl

Score

10^/10

remcos discovery evasion persistence rat vmprotect

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	sys.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Launcher.exe

Executes dropped EXE 1 IoCs

pid	Process
740	sys.exe

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/1196-0-0x0000000000400000-0x0000000000603000-memory.dmp	vmprotect
behavioral2/memory/1196-1-0x0000000000400000-0x0000000000603000-memory.dmp	vmprotect
behavioral2/memory/1196-9-0x0000000000400000-0x0000000000603000-memory.dmp	vmprotect
behavioral2/files/0x0007000000023502-12.dat	vmprotect
behavioral2/memory/740-14-0x0000000000400000-0x0000000000603000-memory.dmp	vmprotect
behavioral2/memory/740-16-0x0000000000400000-0x0000000000603000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "\"C:\\Windows\\SysWOW64\\remcos\\sys.exe\""	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "\"C:\\Windows\\SysWOW64\\remcos\\sys.exe\""	sys.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\remcos\sys.exe	Launcher.exe
File opened for modification	C:\Windows\SysWOW64\remcos\sys.exe	Launcher.exe
File opened for modification	C:\Windows\SysWOW64\remcos	Launcher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2428	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2428	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1196	Launcher.exe
1196	Launcher.exe
740	sys.exe
740	sys.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 1752	1196	Launcher.exe	84
PID 1196 wrote to memory of 1752	1196	Launcher.exe	84
PID 1196 wrote to memory of 1752	1196	Launcher.exe	84
PID 1752 wrote to memory of 2428	1752	cmd.exe	86
PID 1752 wrote to memory of 2428	1752	cmd.exe	86
PID 1752 wrote to memory of 2428	1752	cmd.exe	86
PID 1752 wrote to memory of 740	1752	cmd.exe	87
PID 1752 wrote to memory of 740	1752	cmd.exe	87
PID 1752 wrote to memory of 740	1752	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 2
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2428
- - C:\Windows\SysWOW64\remcos\sys.exe
    "C:\Windows\SysWOW64\remcos\sys.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:740

Network

DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

69.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

69.31.126.40.in-addr.arpa

IN PTR

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

Response
DNS

hamareskids.ddns.net

sys.exe

Remote address:

8.8.8.8:53

Request

hamareskids.ddns.net

IN A

No results found

8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

66 B
126 B
1
1

DNS Request

hamareskids.ddns.net
8.8.8.8:53

69.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

69.31.126.40.in-addr.arpa
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

66 B
126 B
1
1

DNS Request

hamareskids.ddns.net
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

66 B
126 B
1
1

DNS Request

hamareskids.ddns.net
8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

66 B
126 B
1
1

DNS Request

hamareskids.ddns.net
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

66 B
126 B
1
1

DNS Request

hamareskids.ddns.net
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

66 B
126 B
1
1

DNS Request

hamareskids.ddns.net
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

66 B
126 B
1
1

DNS Request

hamareskids.ddns.net
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

66 B
126 B
1
1

DNS Request

hamareskids.ddns.net
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

66 B
126 B
1
1

DNS Request

hamareskids.ddns.net
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

66 B
126 B
1
1

DNS Request

hamareskids.ddns.net
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

66 B
126 B
1
1

DNS Request

hamareskids.ddns.net
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

66 B
126 B
1
1

DNS Request

hamareskids.ddns.net
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

132 B
126 B
2
1

DNS Request

hamareskids.ddns.net

DNS Request

hamareskids.ddns.net
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

66 B
126 B
1
1

DNS Request

hamareskids.ddns.net
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

66 B
126 B
1
1

DNS Request

hamareskids.ddns.net
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

66 B
126 B
1
1

DNS Request

hamareskids.ddns.net
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

66 B
126 B
1
1

DNS Request

hamareskids.ddns.net
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

66 B
126 B
1
1

DNS Request

hamareskids.ddns.net
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

66 B
126 B
1
1

DNS Request

hamareskids.ddns.net
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

66 B
126 B
1
1

DNS Request

hamareskids.ddns.net
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

66 B
126 B
1
1

DNS Request

hamareskids.ddns.net
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

66 B
126 B
1
1

DNS Request

hamareskids.ddns.net
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

66 B
126 B
1
1

DNS Request

hamareskids.ddns.net
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

66 B
126 B
1
1

DNS Request

hamareskids.ddns.net
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

66 B
126 B
1
1

DNS Request

hamareskids.ddns.net
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

66 B
126 B
1
1

DNS Request

hamareskids.ddns.net
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

66 B
126 B
1
1

DNS Request

hamareskids.ddns.net
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

132 B
252 B
2
2

DNS Request

hamareskids.ddns.net

DNS Request

hamareskids.ddns.net
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

132 B
252 B
2
2

DNS Request

hamareskids.ddns.net

DNS Request

hamareskids.ddns.net
8.8.8.8:53

hamareskids.ddns.net

dns

sys.exe

66 B
1

DNS Request

hamareskids.ddns.net

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
139B

MD5
843fadf88dbddfc1a2d3c21e989a8e5a

SHA1
c432ce68e04961580744b489daa452dc4d978a8d

SHA256
f3b8a0dabf78adbb6b6b3664877a4622fc3624b6a513879a00057767a86880b9

SHA512
e69b3334fe806ea17defb7eb6bfc4f8ca8186f12929cbbede3f563b900f38a2afcb2ef4045946b43c5e4cc682f24ddd158bfdfaf9f750cf00babd818fe7b090c

Download Submit
C:\Windows\SysWOW64\remcos\sys.exe

Filesize
1.0MB

MD5
389e49fd591fbdbe272575573a922085

SHA1
2145dacbed53f6b64ea96938cff8758531961c1a

SHA256
24191589d733c928bce4654a950c0f6bd02b6675a78e47e22893e72d27067264

SHA512
74b957d349a3241143525a6085372b8131551de3c1df25b61dc4fbbb74a868234cb36c32db14a61ab6eb516258a85d551956c408e20c0523eaa7e8e1d2b19bd4

Download Submit
memory/740-14-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/740-16-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1196-0-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1196-1-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1196-6-0x0000000076D40000-0x0000000076D41000-memory.dmp

Filesize
4KB

Download
memory/1196-9-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.