remcos | 006c0bd65cc425c603245329985cd9cb8cc5cfc5e5c9e3a0ceb57821a9cf6687

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
13-11-2024 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AS SSD Benchmark/AS SSD Benchmark.exe
Size

3.0MB
MD5

21a40379bddf7cb18e1257f6824f3ab5
SHA1

72e1a8ae2edf6ef7263f7a6f8fc19c408b5ad375
SHA256

a39bc3ae11d38dc3d03e890c4d700c94f20b8997bfa0aa6775d2a5d0efa43240
SHA512

0e2215449a249bbaadf65569698e044a6caa3e08ac9cb1186ccb063d3b1d0c1a0920eff275186b37e8c3800a7badec3bf371cea45dc2eae6561469042f77aaf5
SSDEEP

49152:ZEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVd3338O:t92bz2Eb6pd7B6bAGx7n3335

Score

10^/10

remcos new discovery rat upx

Malware Config

Extracted

Family

remcos

Botnet

New

95.217.148.142:9001

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
SSS1ooosSAweewwe-E84JZY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 3 IoCs

pid	Process
2184	AS SSD Benchmark.exe
2828	DeAct.exe
1152	DeAct.exe

Loads dropped DLL 20 IoCs

pid	Process
2124	AS SSD Benchmark.exe
2124	AS SSD Benchmark.exe
2828	DeAct.exe
2828	DeAct.exe
2828	DeAct.exe
2828	DeAct.exe
2828	DeAct.exe
2828	DeAct.exe
2828	DeAct.exe
2828	DeAct.exe
2828	DeAct.exe
1152	DeAct.exe
1152	DeAct.exe
1152	DeAct.exe
1152	DeAct.exe
1152	DeAct.exe
1152	DeAct.exe
1152	DeAct.exe
1152	DeAct.exe
2348	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1152 set thread context of 2348	1152	DeAct.exe	34

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019d8e-34.dat	upx
behavioral1/memory/2828-39-0x000000013FC40000-0x000000013FCBD000-memory.dmp	upx
behavioral1/memory/1152-80-0x000000013F7D0000-0x000000013F84D000-memory.dmp	upx
behavioral1/memory/2828-78-0x000000013FC40000-0x000000013FCBD000-memory.dmp	upx
behavioral1/memory/1152-104-0x000000013F7D0000-0x000000013F84D000-memory.dmp	upx
behavioral1/memory/2348-152-0x0000000000330000-0x0000000000340000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AS SSD Benchmark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AS SSD Benchmark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2124	AS SSD Benchmark.exe
2124	AS SSD Benchmark.exe
2828	DeAct.exe
1152	DeAct.exe
1152	DeAct.exe
2348	cmd.exe
2348	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2184	AS SSD Benchmark.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1152	DeAct.exe
2348	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	AS SSD Benchmark.exe
Token: SeIncBasePriorityPrivilege	2184	AS SSD Benchmark.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2124	AS SSD Benchmark.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2124	2440	AS SSD Benchmark.exe	30
PID 2440 wrote to memory of 2124	2440	AS SSD Benchmark.exe	30
PID 2440 wrote to memory of 2124	2440	AS SSD Benchmark.exe	30
PID 2440 wrote to memory of 2124	2440	AS SSD Benchmark.exe	30
PID 2440 wrote to memory of 2124	2440	AS SSD Benchmark.exe	30
PID 2440 wrote to memory of 2124	2440	AS SSD Benchmark.exe	30
PID 2440 wrote to memory of 2124	2440	AS SSD Benchmark.exe	30
PID 2124 wrote to memory of 2184	2124	AS SSD Benchmark.exe	31
PID 2124 wrote to memory of 2184	2124	AS SSD Benchmark.exe	31
PID 2124 wrote to memory of 2184	2124	AS SSD Benchmark.exe	31
PID 2124 wrote to memory of 2184	2124	AS SSD Benchmark.exe	31
PID 2124 wrote to memory of 2828	2124	AS SSD Benchmark.exe	32
PID 2124 wrote to memory of 2828	2124	AS SSD Benchmark.exe	32
PID 2124 wrote to memory of 2828	2124	AS SSD Benchmark.exe	32
PID 2124 wrote to memory of 2828	2124	AS SSD Benchmark.exe	32
PID 2828 wrote to memory of 1152	2828	DeAct.exe	33
PID 2828 wrote to memory of 1152	2828	DeAct.exe	33
PID 2828 wrote to memory of 1152	2828	DeAct.exe	33
PID 1152 wrote to memory of 2348	1152	DeAct.exe	34
PID 1152 wrote to memory of 2348	1152	DeAct.exe	34
PID 1152 wrote to memory of 2348	1152	DeAct.exe	34
PID 1152 wrote to memory of 2348	1152	DeAct.exe	34
PID 1152 wrote to memory of 2348	1152	DeAct.exe	34
PID 2348 wrote to memory of 1104	2348	cmd.exe	37
PID 2348 wrote to memory of 1104	2348	cmd.exe	37
PID 2348 wrote to memory of 1104	2348	cmd.exe	37
PID 2348 wrote to memory of 1104	2348	cmd.exe	37
PID 2348 wrote to memory of 1104	2348	cmd.exe	37
PID 2348 wrote to memory of 1104	2348	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\AS SSD Benchmark\AS SSD Benchmark.exe
"C:\Users\Admin\AppData\Local\Temp\AS SSD Benchmark\AS SSD Benchmark.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\Temp\AS SSD Benchmark\AS SSD Benchmark.exe
  "C:\Users\Admin\AppData\Local\Temp\AS SSD Benchmark\AS SSD Benchmark.exe" /VERYSILENT
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Users\Admin\AppData\Roaming\AS SSD Benchmark\AS SSD Benchmark.exe
    "C:\Users\Admin\AppData\Roaming\AS SSD Benchmark\AS SSD Benchmark.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- - C:\Users\Admin\AppData\Roaming\DeAct.exe
    "C:\Users\Admin\AppData\Roaming\DeAct.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe
      C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1152
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2348
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AS-SSD-TEST42\test11.bin

Filesize
16.0MB

MD5
30e6bff5a62a2e223fea3a65fee7bf7f

SHA1
6e7e4aeba6ea7597a6081115aa8e24dd9bd06720

SHA256
953743181230480fbd9c2b6ab5d84e2db995860a59ff6c4b4b3686ba0cefaea7

SHA512
f984d4e9b7d9721c495aeebaa27c544e894afcc6eed5825e87a53defee719d07f1813256f0bbe338809856f1fef16edc2730239412678975d1f40fba6ab9e068

Download Submit
C:\AS-SSD-TEST42\test28.bin

Filesize
16.0MB

MD5
9471e7a0743c49497275b58e21e0ead2

SHA1
d5f2088f6a51ebc93085bd7afac0d5aa5e766dc0

SHA256
ffea17cd98988e0b1c0fc20d82cac9d935202681e8d07cd789bf9c9ee5864a8e

SHA512
514dff655555af4f3cc477735d6346d7ac0e8ec13e3bbc2f4d1bf54eb53f3f6292aab5770e8cac11b36c49b22fe62a221ea822f94856ab3b2276497e8a186840

Download Submit
C:\AS-SSD-TEST42\test38.bin

Filesize
16.0MB

MD5
abdfdd6776111859cd39cf82c15d2898

SHA1
8e6b7d4726f0f4a729366af6a9cf042b61f86169

SHA256
9a1b887135bd49f0638162f896f7c864088ee4fbcb751a1ce5f743186499af00

SHA512
ae447c211f3251495718998b21c56c68e6c3674307199908e2c1923f4fe3a7921f6b19b2715ecddfefd64908a240c3d10562196bd38857429e226290d8948a9d

Download Submit
C:\AS-SSD-TEST42\test45.bin

Filesize
16.0MB

MD5
bbc1599917977a14b7d60952d890e199

SHA1
20e949a8f98fd69807e66e7b18a696333aa55145

SHA256
1d134f5ab593af7132e026078ac908eb13449a2c38993dd513e398b2fd5dda01

SHA512
41cbb456de95539023ca8b19ac38af22ec7ee615557a1b711111aea16566c0ad9ad21e561aedb0bc76a3548f97369f9209aaf4be1800a93fe2868e5c6db3335a

Download Submit
C:\AS-SSD-TEST42\test58.bin

Filesize
16.0MB

MD5
d70b5caf4ee1bcd57c8cc6c111281727

SHA1
a99b3b1aa1acb428444eef56c26826bb0897a38c

SHA256
f5f7e0e22536c51148311a754a6283b04f468c39536e81627be1f0e2625c4a5a

SHA512
9e04ff739f8d960ad2b445aaa9910b8c8d8b57025bc608eb1b65f627c1801264eefd4eea3032f3afd091273725a0bbc558b5e96353af748b854a723aca6103d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d601a3f9

Filesize
1.2MB

MD5
672d2752388d9e4de2cd54bc09cd29e4

SHA1
fc160d55398a4a09b9c6b1e8895c2c09a3ca1d0e

SHA256
6e8c6ef8a4902aee614795110e67cc774367ad1fca41b02eb3e31fec99766c9c

SHA512
1236c32d4dc1cf94af1212ccdbc54dde28599ad3ee02d3efed3e6b2bdd5da332bce66883d5fba75f02da69ba6d4c08349a2b3e140000ef34fd2bec08b77c2159

Download Submit
C:\Users\Admin\AppData\Roaming\MSVCP140.dll

Filesize
557KB

MD5
7db24201efea565d930b7ec3306f4308

SHA1
880c8034b1655597d0eebe056719a6f79b60e03c

SHA256
72fe4598f0b75d31ce2dc621e8ef161338c6450bb017cd06895745690603729e

SHA512
bac5729a3eb53e9bc7b680671d028cabef5ea102dfaa48a7c453b67f8ecb358db9f8fb16b3b1d9ea5a2dff34f459f6ac87f3a563c736d81d31048766198ff11e

Download Submit
C:\Users\Admin\AppData\Roaming\Qt5Core.dll

Filesize
5.8MB

MD5
2be4a1cf7511bbb244fe323af4f117d2

SHA1
a7e79fae4522bad1c05c865c07acfa91028598a8

SHA256
7d6375d15e38ce9b3814089215d3969ce5430f83d01bd6519e2cbd1eb8d48b40

SHA512
7fb194433d15a6577e90d33dbeb2a64942585c82b46f120eec0f4e93b09f8895e37a1dd4c09a4273127b0f7f9985ab69b1fba524fa9068e19d9952888a2aaf5f

Download Submit
C:\Users\Admin\AppData\Roaming\Qt5Gui.dll

Filesize
6.2MB

MD5
34893cb3d9a2250f0edecd68aedb72c7

SHA1
37161412df2c1313a54749fe6f33e4dbf41d128a

SHA256
ca8334b2e63bc01f0749afeb9e87943c29882131efe58608ea25732961b2df34

SHA512
484e32832d69ec1799bd1bcc694418801c443c732ed59ecd76b3f67abf0b1c97d64ae123728dfa99013df846ba45be310502ef6f8da42155da2e89f2a1e8cb2c

Download Submit
C:\Users\Admin\AppData\Roaming\Qt5Network.dll

Filesize
1.3MB

MD5
fe5ed4c5da03077f98c3efa91ecefd81

SHA1
e23e839ec0602662788f761ebe7dd4b39c018a7f

SHA256
d992aaeb21cb567113126c2912cf75e892c8e3ead5d50147a11abe704b9e2e2b

SHA512
22514732a0edf8fc2b8770139599132429080b86d2844143d21bb834cbddaaa077d763969960e39e2050a69493c1aae191600e5df6107bde90fae589a054f071

Download Submit
C:\Users\Admin\AppData\Roaming\Qt5PrintSupport.dll

Filesize
316KB

MD5
d0634933db2745397a603d5976bee8e7

SHA1
ddec98433bcfec1d9e38557d803bc73e1ff883b6

SHA256
7d91d3d341dbba568e2d19382e9d58a42a0d78064c3ad7adfe3c7bb14742c2b1

SHA512
9271370cd22115f68bd62572640525e086a05d75f5bc768f06e20b90b48a182f29a658a07099c7bc1e99bf0ffcf1229709524e2af6745d6fed7b41c1addd09f1

Download Submit
C:\Users\Admin\AppData\Roaming\Qt5Widgets.dll

Filesize
5.3MB

MD5
c502bb8a4a7dc3724ab09292cd3c70d6

SHA1
ff44fddeec2d335ec0eaa861714b561f899675fd

SHA256
4266918226c680789d49cf2407a7fec012b0ed872adafb84c7719e645f9b2e6d

SHA512
73bef89503ce032fba278876b7dab9eac275632df7a72c77093d433c932272da997e8fbeb431a09d84baac7b2ab2e55222ff687893311949a5603e738bfa6617

Download Submit
C:\Users\Admin\AppData\Roaming\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Roaming\mpidcu

Filesize
58KB

MD5
7bd89ff94b0a9abd5e989bece470730b

SHA1
531b309cdbec7ad61ba9ffca6f688012fdb8acc1

SHA256
90e70abbdd35d7fd3818770eca3030e477526b483128caf1eedbe1ba147f0e82

SHA512
ea930b15d9f6f321e4919db40aca5e2ae92cdc09d9b07d8c7f3170e825d32abe2fa766df1014f4ebbe54c92de27507fef730062ea7defaf9704bf4f2ac84117f

Download Submit
C:\Users\Admin\AppData\Roaming\uarrwmx

Filesize
947KB

MD5
2c7353da4574e3bb2d66965717d45001

SHA1
5fc5523ee0b685e602707b4f5f98f657454743f5

SHA256
7652be5fde7c4dec0b4afa5eed98c3f1dd0e268376694bf37299e7e5f9ce290c

SHA512
4239d3e02dbfbfd7b60f7bed2d11780c6c7912e4ea1a653a56402c2584371a1517804e7f85afaea32043c904fc47fe60ccbb11cf6887cb30fd8518aef01ff480

Download Submit
\Users\Admin\AppData\Roaming\AS SSD Benchmark\AS SSD Benchmark.exe

Filesize
440KB

MD5
1da872a685a597b4d1f18a28abd28a64

SHA1
01ab8a1c70245e7a10144f362f18c446dc5e3419

SHA256
4e7caced7dc31493fb6b5f4917da163c6e9e61f0b16906a6e70b2a242fdcea8d

SHA512
127632dfc98a02977f9dbd52ca9689d75b6aebc2dc881579f1b6605d9a02373fbec7e25c2bda3c0c93e855dafaf74259485de04935eaa522fef826cc87701eab

Download Submit
\Users\Admin\AppData\Roaming\DeAct.exe

Filesize
304KB

MD5
411cd1175b5e21b6a3c6a72c34e8773c

SHA1
faabd22ddca0062dd3d7bc534e49078ee5d84be8

SHA256
116b75d94dacf676931ff8623a0b34f3ea75b52d67b0494fefd1b8dce6bc121a

SHA512
6414d174a17edf813bb7f739b9d625c4489dd4a45c56932fad7f222a2b8ea646fd2316cdba4e421225cbdf4aeb245329aa5bb3034e2b54e3859dcd89c7d1dd90

Download Submit
\Users\Admin\AppData\Roaming\vcruntime140_1.dll

Filesize
37KB

MD5
75e78e4bf561031d39f86143753400ff

SHA1
324c2a99e39f8992459495182677e91656a05206

SHA256
1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e

SHA512
ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756

Download Submit
memory/1104-175-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1104-235-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1104-377-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1104-310-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1104-303-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1104-276-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1104-210-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1104-187-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1104-174-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1104-173-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1104-170-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1104-168-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1104-167-0x0000000077200000-0x00000000773A9000-memory.dmp

Filesize
1.7MB

Download
memory/1152-101-0x000007FEEF300000-0x000007FEEF458000-memory.dmp

Filesize
1.3MB

Download
memory/1152-80-0x000000013F7D0000-0x000000013F84D000-memory.dmp

Filesize
500KB

Download
memory/1152-104-0x000000013F7D0000-0x000000013F84D000-memory.dmp

Filesize
500KB

Download
memory/1152-96-0x000007FEF3880000-0x000007FEF3DCE000-memory.dmp

Filesize
5.3MB

Download
memory/1152-99-0x000007FEEF300000-0x000007FEEF458000-memory.dmp

Filesize
1.3MB

Download
memory/2124-36-0x0000000003BB0000-0x0000000003C2D000-memory.dmp

Filesize
500KB

Download
memory/2124-40-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2184-52-0x0000000000D80000-0x0000000000DF4000-memory.dmp

Filesize
464KB

Download
memory/2348-152-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download
memory/2348-164-0x0000000074B80000-0x0000000074CF4000-memory.dmp

Filesize
1.5MB

Download
memory/2348-112-0x0000000077200000-0x00000000773A9000-memory.dmp

Filesize
1.7MB

Download
memory/2348-165-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download
memory/2440-0-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2440-3-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2828-39-0x000000013FC40000-0x000000013FCBD000-memory.dmp

Filesize
500KB

Download
memory/2828-58-0x000007FEF39D0000-0x000007FEF3F1E000-memory.dmp

Filesize
5.3MB

Download
memory/2828-61-0x000007FEF36A0000-0x000007FEF37F8000-memory.dmp

Filesize
1.3MB

Download
memory/2828-78-0x000000013FC40000-0x000000013FCBD000-memory.dmp

Filesize
500KB

Download