remcos | 25d5aa81d0fc186731633e54266294d668b03501342a2d980f826c694c8b068d

General

Target

NVCleanstall_1.16.0/NVCleanstall_1.16.0.exe
Size

3.0MB
MD5

d59e26ffa02d0b9a489544eb85cc743c
SHA1

377fb52dd65faa8b3ad04dce032932f1d5f3ff24
SHA256

fbb5b3960cf51f5c4cdeee63af58abb17f65f4b7849a07d694e21f39fc78819f
SHA512

e5baf062e706c18b6cb12293d37307d2b9e83c20c4f79ffdb8e50276538ab3bb7250f357c8cb4249529cec7fd0534dd2006239c0c871274a56a3ffd1f10d7acf
SSDEEP

49152:ZEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVd3338Z:t92bz2Eb6pd7B6bAGx7n333+

Score

10^/10

remcos new discovery rat

Malware Config

Extracted

Family

remcos

Botnet

New

C2

95.217.148.142:9004

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
SSS1ooosSAweewwe-X6B4E4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Executes dropped EXE 3 IoCs

Processes:

NVCleanstall_1.16.0.exescr_previw.exescr_previw.exe

pid process

2916 NVCleanstall_1.16.0.exe
2828 scr_previw.exe
3008 scr_previw.exe
Loads dropped DLL 6 IoCs

Processes:

NVCleanstall_1.16.0.exescr_previw.exescr_previw.execmd.exe

pid process

2660 NVCleanstall_1.16.0.exe
2660 NVCleanstall_1.16.0.exe
2828 scr_previw.exe
2828 scr_previw.exe
3008 scr_previw.exe
3052 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

scr_previw.exe

description pid process target process

PID 3008 set thread context of 3052 3008 scr_previw.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2916	NVCleanstall_1.16.0.exe
2828	scr_previw.exe
3008	scr_previw.exe

pid	process
2660	NVCleanstall_1.16.0.exe
2660	NVCleanstall_1.16.0.exe
2828	scr_previw.exe
2828	scr_previw.exe
3008	scr_previw.exe
3052	cmd.exe

description	pid	process	target process
PID 3008 set thread context of 3052	3008	scr_previw.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

NVCleanstall_1.16.0.exescr_previw.exescr_previw.execmd.exeexplorer.exeNVCleanstall_1.16.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVCleanstall_1.16.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scr_previw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scr_previw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVCleanstall_1.16.0.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

NVCleanstall_1.16.0.exescr_previw.exescr_previw.execmd.exe

pid process

2660 NVCleanstall_1.16.0.exe
2660 NVCleanstall_1.16.0.exe
2828 scr_previw.exe
3008 scr_previw.exe
3008 scr_previw.exe
3052 cmd.exe
3052 cmd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

scr_previw.execmd.exe

pid process

3008 scr_previw.exe
3052 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

NVCleanstall_1.16.0.exe

description pid process

Token: SeShutdownPrivilege 2916 NVCleanstall_1.16.0.exe
Token: SeDebugPrivilege 2916 NVCleanstall_1.16.0.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

NVCleanstall_1.16.0.exe

pid process

2660 NVCleanstall_1.16.0.exe

pid	process
2660	NVCleanstall_1.16.0.exe
2660	NVCleanstall_1.16.0.exe
2828	scr_previw.exe
3008	scr_previw.exe
3008	scr_previw.exe
3052	cmd.exe
3052	cmd.exe

pid	process
3008	scr_previw.exe
3052	cmd.exe

description	pid	process
Token: SeShutdownPrivilege	2916	NVCleanstall_1.16.0.exe
Token: SeDebugPrivilege	2916	NVCleanstall_1.16.0.exe

pid	process
2660	NVCleanstall_1.16.0.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

NVCleanstall_1.16.0.exeNVCleanstall_1.16.0.exescr_previw.exescr_previw.execmd.exe

description	pid	process	target process
PID 2232 wrote to memory of 2660	2232	NVCleanstall_1.16.0.exe	NVCleanstall_1.16.0.exe
PID 2232 wrote to memory of 2660	2232	NVCleanstall_1.16.0.exe	NVCleanstall_1.16.0.exe
PID 2232 wrote to memory of 2660	2232	NVCleanstall_1.16.0.exe	NVCleanstall_1.16.0.exe
PID 2232 wrote to memory of 2660	2232	NVCleanstall_1.16.0.exe	NVCleanstall_1.16.0.exe
PID 2232 wrote to memory of 2660	2232	NVCleanstall_1.16.0.exe	NVCleanstall_1.16.0.exe
PID 2232 wrote to memory of 2660	2232	NVCleanstall_1.16.0.exe	NVCleanstall_1.16.0.exe
PID 2232 wrote to memory of 2660	2232	NVCleanstall_1.16.0.exe	NVCleanstall_1.16.0.exe
PID 2660 wrote to memory of 2916	2660	NVCleanstall_1.16.0.exe	NVCleanstall_1.16.0.exe
PID 2660 wrote to memory of 2916	2660	NVCleanstall_1.16.0.exe	NVCleanstall_1.16.0.exe
PID 2660 wrote to memory of 2916	2660	NVCleanstall_1.16.0.exe	NVCleanstall_1.16.0.exe
PID 2660 wrote to memory of 2916	2660	NVCleanstall_1.16.0.exe	NVCleanstall_1.16.0.exe
PID 2660 wrote to memory of 2828	2660	NVCleanstall_1.16.0.exe	scr_previw.exe
PID 2660 wrote to memory of 2828	2660	NVCleanstall_1.16.0.exe	scr_previw.exe
PID 2660 wrote to memory of 2828	2660	NVCleanstall_1.16.0.exe	scr_previw.exe
PID 2660 wrote to memory of 2828	2660	NVCleanstall_1.16.0.exe	scr_previw.exe
PID 2828 wrote to memory of 3008	2828	scr_previw.exe	scr_previw.exe
PID 2828 wrote to memory of 3008	2828	scr_previw.exe	scr_previw.exe
PID 2828 wrote to memory of 3008	2828	scr_previw.exe	scr_previw.exe
PID 2828 wrote to memory of 3008	2828	scr_previw.exe	scr_previw.exe
PID 3008 wrote to memory of 3052	3008	scr_previw.exe	cmd.exe
PID 3008 wrote to memory of 3052	3008	scr_previw.exe	cmd.exe
PID 3008 wrote to memory of 3052	3008	scr_previw.exe	cmd.exe
PID 3008 wrote to memory of 3052	3008	scr_previw.exe	cmd.exe
PID 3008 wrote to memory of 3052	3008	scr_previw.exe	cmd.exe
PID 3052 wrote to memory of 1720	3052	cmd.exe	explorer.exe
PID 3052 wrote to memory of 1720	3052	cmd.exe	explorer.exe
PID 3052 wrote to memory of 1720	3052	cmd.exe	explorer.exe
PID 3052 wrote to memory of 1720	3052	cmd.exe	explorer.exe
PID 3052 wrote to memory of 1720	3052	cmd.exe	explorer.exe
PID 3052 wrote to memory of 1720	3052	cmd.exe	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
  "C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe" /VERYSILENT
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
    "C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2916
- - C:\Users\Admin\AppData\Roaming\scr_previw.exe
    "C:\Users\Admin\AppData\Roaming\scr_previw.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
      C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3052
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab1FB3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e84b8ff

Filesize
1.2MB

MD5
e68cf1c314dacb088d66431920f3960c

SHA1
028c1c93f1a6d1a3b7df08ac7789c82c100dcb96

SHA256
94a326b686ad4a85f1ab8ece71743fda5898add578615de4507964f69b060085

SHA512
e38a0a6e0b2413adfa4b8f743cf04c5a41a78cbc6b41b4ecd4bddd92e759d01cabea731a923945cd82805c23e2634b7c5fad606cdcb9c1860df31866289459ec

Download Submit
C:\Users\Admin\AppData\Roaming\cygrt

Filesize
947KB

MD5
a727c368e3a6c273f28c80607f2df861

SHA1
a31a2b4a4677d58bf9f7126da6dedaf4502eb283

SHA256
bc5e2a7118a6e0a37b968dca2c110dd9db9a4359f6aea13f41ac04c663d066ca

SHA512
b7a47943727fced7da83f89d8eac50a50308a8a7abacf57b7ffcc0b2c05349360a8af60f3ab81755ba456b956b022c99f21692d339d399a42a5b8d9860b9045d

Download Submit
C:\Users\Admin\AppData\Roaming\d3dx9_43.dll

Filesize
1.9MB

MD5
e8ad346c114fda96fca288966eae8e92

SHA1
fdfad7f2030b54f076b2a2e24ef1199abf2588e6

SHA256
7e04681fdc438855e5b27a92c73b74ccb0a13338ee24a5054571b8efd8918ba0

SHA512
d63e542de66eb09d6847ed99e173763b7c24335566f650bdb198d4279b0de6e14cb4a03f29c66b5d7d6c480a6f520f677fccf8cbf51dc5db3f8af6c5412d7549

Download Submit
C:\Users\Admin\AppData\Roaming\gbxchd

Filesize
15KB

MD5
162ba47ec20e7fb580672579a6fef9d2

SHA1
a6b52b8f549ca44ffe821f65e846b869da544c28

SHA256
227baa93552cc95a5d2142c23c27f2006e41093cfe24f89bea1b8fe8abbac159

SHA512
135e057a779e5ed593f455ecc646dbf0f21b0bab909e0d8c3d83c7817e82e52115551cd6710b75dbfb9026393861e6f24f63ec59722d1e73553df97ac0e55cd4

Download Submit
\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe

Filesize
3.8MB

MD5
41421866b825dbdcc5f29a0bbd484362

SHA1
f7637ef22c82a108ab4668baca40e4f03eb49a5c

SHA256
efecb17d9d73082bf28a6e7c6bb87a81c65a59b2d4d14251678da3cffa6a12a1

SHA512
72ba988029e87661ad2adf68f79d054febe499d2fb3220518df7372b953d761acf88470f1620f7660eba963c42bc9327ad070b0c386282f6654f80b0ed50599d

Download Submit
\Users\Admin\AppData\Roaming\scr_previw.exe

Filesize
2.2MB

MD5
d9530ecee42acccfd3871672a511bc9e

SHA1
89b4d2406f1294bd699ef231a4def5f495f12778

SHA256
81e04f9a131534acc0e9de08718c062d3d74c80c7f168ec7e699cd4b2bd0f280

SHA512
d5f048ea995affdf9893ec4c5ac5eb188b6714f5b6712e0b5a316702033421b145b8ee6a62d303eb4576bf8f57273ff35c5d675807563a31157136f79d8a9980

Download Submit
memory/1720-133-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1720-129-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1720-122-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1720-121-0x0000000077C30000-0x0000000077DD9000-memory.dmp

Filesize
1.7MB

Download
memory/1720-125-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1720-124-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1720-132-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1720-131-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1720-130-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1720-134-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1720-126-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1720-128-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1720-127-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2232-3-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2232-0-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2660-25-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2828-34-0x0000000077C30000-0x0000000077DD9000-memory.dmp

Filesize
1.7MB

Download
memory/2828-32-0x0000000074DF0000-0x0000000074F64000-memory.dmp

Filesize
1.5MB

Download
memory/2916-33-0x000000001B400000-0x000000001B9C0000-memory.dmp

Filesize
5.8MB

Download
memory/2916-72-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/2916-48-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/2916-49-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/2916-47-0x0000000000140000-0x0000000000146000-memory.dmp

Filesize
24KB

Download
memory/2916-29-0x0000000000EA0000-0x0000000001264000-memory.dmp

Filesize
3.8MB

Download
memory/3008-69-0x0000000074C70000-0x0000000074DE4000-memory.dmp

Filesize
1.5MB

Download
memory/3008-52-0x0000000077C30000-0x0000000077DD9000-memory.dmp

Filesize
1.7MB

Download
memory/3008-51-0x0000000074C70000-0x0000000074DE4000-memory.dmp

Filesize
1.5MB

Download
memory/3052-119-0x0000000074C70000-0x0000000074DE4000-memory.dmp

Filesize
1.5MB

Download
memory/3052-73-0x0000000077C30000-0x0000000077DD9000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing