remcos | b3a40331524394846d2782f1e52e1410ce1681283f8c715373bab73c84fa30ec

General

Target

5e0f540fbed81efe0941f8949498c92c.exe
Size

964KB
MD5

5e0f540fbed81efe0941f8949498c92c
SHA1

d2712dbb06910cd272d57ca6926f815f23dc2cad
SHA256

b3a40331524394846d2782f1e52e1410ce1681283f8c715373bab73c84fa30ec
SHA512

8bdd8fa363883e9243f1266fe7746ad201084303a20c3c74a604587766cf3c89681f940a44b298b7c52b01f389353547031a82936af8898236b5f4214e9f45a6
SSDEEP

24576:oMyNWpDUsl0uHw8LXqBlxZ1QZNAkvpnFDv0eiV:CmAg0uHyjZaP3frC

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

103.67.163.218:2298

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-HLZ36K
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2140 powershell.exe
2884 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

5e0f540fbed81efe0941f8949498c92c.exe

description pid process target process

PID 2084 set thread context of 2764 2084 5e0f540fbed81efe0941f8949498c92c.exe 5e0f540fbed81efe0941f8949498c92c.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2140	powershell.exe
2884	powershell.exe

description	pid	process	target process
PID 2084 set thread context of 2764	2084	5e0f540fbed81efe0941f8949498c92c.exe	5e0f540fbed81efe0941f8949498c92c.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

schtasks.exe5e0f540fbed81efe0941f8949498c92c.exe5e0f540fbed81efe0941f8949498c92c.exepowershell.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e0f540fbed81efe0941f8949498c92c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e0f540fbed81efe0941f8949498c92c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2752 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

5e0f540fbed81efe0941f8949498c92c.exepowershell.exepowershell.exe

pid process

2084 5e0f540fbed81efe0941f8949498c92c.exe
2084 5e0f540fbed81efe0941f8949498c92c.exe
2140 powershell.exe
2884 powershell.exe

pid	process
2752	schtasks.exe

pid	process
2084	5e0f540fbed81efe0941f8949498c92c.exe
2084	5e0f540fbed81efe0941f8949498c92c.exe
2140	powershell.exe
2884	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

5e0f540fbed81efe0941f8949498c92c.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2084	5e0f540fbed81efe0941f8949498c92c.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

5e0f540fbed81efe0941f8949498c92c.exe

description	pid	process	target process
PID 2084 wrote to memory of 2140	2084	5e0f540fbed81efe0941f8949498c92c.exe	powershell.exe
PID 2084 wrote to memory of 2140	2084	5e0f540fbed81efe0941f8949498c92c.exe	powershell.exe
PID 2084 wrote to memory of 2140	2084	5e0f540fbed81efe0941f8949498c92c.exe	powershell.exe
PID 2084 wrote to memory of 2140	2084	5e0f540fbed81efe0941f8949498c92c.exe	powershell.exe
PID 2084 wrote to memory of 2884	2084	5e0f540fbed81efe0941f8949498c92c.exe	powershell.exe
PID 2084 wrote to memory of 2884	2084	5e0f540fbed81efe0941f8949498c92c.exe	powershell.exe
PID 2084 wrote to memory of 2884	2084	5e0f540fbed81efe0941f8949498c92c.exe	powershell.exe
PID 2084 wrote to memory of 2884	2084	5e0f540fbed81efe0941f8949498c92c.exe	powershell.exe
PID 2084 wrote to memory of 2752	2084	5e0f540fbed81efe0941f8949498c92c.exe	schtasks.exe
PID 2084 wrote to memory of 2752	2084	5e0f540fbed81efe0941f8949498c92c.exe	schtasks.exe
PID 2084 wrote to memory of 2752	2084	5e0f540fbed81efe0941f8949498c92c.exe	schtasks.exe
PID 2084 wrote to memory of 2752	2084	5e0f540fbed81efe0941f8949498c92c.exe	schtasks.exe
PID 2084 wrote to memory of 2764	2084	5e0f540fbed81efe0941f8949498c92c.exe	5e0f540fbed81efe0941f8949498c92c.exe
PID 2084 wrote to memory of 2764	2084	5e0f540fbed81efe0941f8949498c92c.exe	5e0f540fbed81efe0941f8949498c92c.exe
PID 2084 wrote to memory of 2764	2084	5e0f540fbed81efe0941f8949498c92c.exe	5e0f540fbed81efe0941f8949498c92c.exe
PID 2084 wrote to memory of 2764	2084	5e0f540fbed81efe0941f8949498c92c.exe	5e0f540fbed81efe0941f8949498c92c.exe
PID 2084 wrote to memory of 2764	2084	5e0f540fbed81efe0941f8949498c92c.exe	5e0f540fbed81efe0941f8949498c92c.exe
PID 2084 wrote to memory of 2764	2084	5e0f540fbed81efe0941f8949498c92c.exe	5e0f540fbed81efe0941f8949498c92c.exe
PID 2084 wrote to memory of 2764	2084	5e0f540fbed81efe0941f8949498c92c.exe	5e0f540fbed81efe0941f8949498c92c.exe
PID 2084 wrote to memory of 2764	2084	5e0f540fbed81efe0941f8949498c92c.exe	5e0f540fbed81efe0941f8949498c92c.exe
PID 2084 wrote to memory of 2764	2084	5e0f540fbed81efe0941f8949498c92c.exe	5e0f540fbed81efe0941f8949498c92c.exe
PID 2084 wrote to memory of 2764	2084	5e0f540fbed81efe0941f8949498c92c.exe	5e0f540fbed81efe0941f8949498c92c.exe
PID 2084 wrote to memory of 2764	2084	5e0f540fbed81efe0941f8949498c92c.exe	5e0f540fbed81efe0941f8949498c92c.exe

C:\Users\Admin\AppData\Local\Temp\5e0f540fbed81efe0941f8949498c92c.exe
"C:\Users\Admin\AppData\Local\Temp\5e0f540fbed81efe0941f8949498c92c.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5e0f540fbed81efe0941f8949498c92c.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2140
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kQKXdTJmc.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kQKXdTJmc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF42E.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2752
- C:\Users\Admin\AppData\Local\Temp\5e0f540fbed81efe0941f8949498c92c.exe
  "C:\Users\Admin\AppData\Local\Temp\5e0f540fbed81efe0941f8949498c92c.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF42E.tmp

Filesize
1KB

MD5
0b905fb8552cb35b1f99f227c1de5dbc

SHA1
7c88c56119ea0422534546bbf93730d621d3fb9a

SHA256
82f86b38d602ba32cf0d4eb86da6ec860193c4e337b2e823568fad33db80b597

SHA512
d24844cf84af2a3178e6aca48a4762c1ac8837c9fb94c19878dd56f719e0b91e0f15389595b65a7249f07d2a8745d71225a192ec5c2f3cb5b84bd0852dd6def3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DMXQUZ67XXLQCD40ESYI.temp

Filesize
7KB

MD5
dd1e4d720806ab38ec2a1e64d7ab7be4

SHA1
a3afbaae42c8b67047f78c616eb815c0d93f86ca

SHA256
945e1569a0a97d4953a8a4235d2f716f3c42734a3a64563a338582f869a4df76

SHA512
f1dc26ea5b655e56186064cc5481c2b8fdb17d1a6c83a695157d9b5caa61e92be02e9c8e1026362d6057399ca742920391f64da4878a6bd66ec5eb1283be39b8

Download Submit
memory/2084-36-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/2084-1-0x0000000000FA0000-0x0000000001096000-memory.dmp

Filesize
984KB

Download
memory/2084-2-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/2084-3-0x00000000003A0000-0x00000000003B2000-memory.dmp

Filesize
72KB

Download
memory/2084-4-0x000000007485E000-0x000000007485F000-memory.dmp

Filesize
4KB

Download
memory/2084-5-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/2084-6-0x0000000005FE0000-0x00000000060A4000-memory.dmp

Filesize
784KB

Download
memory/2084-0-0x000000007485E000-0x000000007485F000-memory.dmp

Filesize
4KB

Download
memory/2764-25-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2764-37-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2764-32-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2764-35-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2764-33-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2764-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2764-22-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2764-23-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2764-19-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2764-29-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2764-27-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2764-34-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2764-38-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2764-39-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2764-42-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2764-43-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2764-44-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2764-45-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2764-46-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2764-47-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2764-48-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2764-49-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads