remcos | c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/11/2024, 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe
Size

908KB
MD5

1cb86400147c835af58017f0474c5bcc
SHA1

ac285cb623bf292341068dead954cfed9a1f8c81
SHA256

c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61
SHA512

ce74f39d092b13570f9387e5d43ced748dea9557e8887fc072694a2cf448b2c4cf741db3e76d551ebef3511b906ae1cbe0fe670f8968e51d1441982ec73b9b0c
SSDEEP

24576:Nqho7Y33wd4D5N4UmVFruPkMKXbY31qKblvh:y1Hwd4FN4UoFqjKXboTp5

Score

10^/10

remcos remotehost discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

206.189.218.238:4782

206.189.218.238:2286

206.189.218.238:3363

206.189.218.238:3386

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-NJK093
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2576	powershell.exe
1940	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
532	remcos.exe
1424	remcos.exe
1760	remcos.exe
1796	remcos.exe

Loads dropped DLL 1 IoCs

pid	Process
2544	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-NJK093 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-NJK093 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-NJK093 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-NJK093 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2440 set thread context of 2544	2440	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe	34
PID 532 set thread context of 1796	532	remcos.exe	43

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2568	schtasks.exe
1140	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2440	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe
2440	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe
2440	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe
2576	powershell.exe
532	remcos.exe
532	remcos.exe
1940	powershell.exe
532	remcos.exe
532	remcos.exe
532	remcos.exe
532	remcos.exe
532	remcos.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2440	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	532	remcos.exe
Token: SeDebugPrivilege	1940	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1796	remcos.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2576	2440	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe	30
PID 2440 wrote to memory of 2576	2440	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe	30
PID 2440 wrote to memory of 2576	2440	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe	30
PID 2440 wrote to memory of 2576	2440	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe	30
PID 2440 wrote to memory of 2568	2440	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe	31
PID 2440 wrote to memory of 2568	2440	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe	31
PID 2440 wrote to memory of 2568	2440	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe	31
PID 2440 wrote to memory of 2568	2440	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe	31
PID 2440 wrote to memory of 2544	2440	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe	34
PID 2440 wrote to memory of 2544	2440	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe	34
PID 2440 wrote to memory of 2544	2440	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe	34
PID 2440 wrote to memory of 2544	2440	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe	34
PID 2440 wrote to memory of 2544	2440	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe	34
PID 2440 wrote to memory of 2544	2440	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe	34
PID 2440 wrote to memory of 2544	2440	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe	34
PID 2440 wrote to memory of 2544	2440	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe	34
PID 2440 wrote to memory of 2544	2440	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe	34
PID 2440 wrote to memory of 2544	2440	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe	34
PID 2440 wrote to memory of 2544	2440	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe	34
PID 2440 wrote to memory of 2544	2440	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe	34
PID 2440 wrote to memory of 2544	2440	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe	34
PID 2544 wrote to memory of 532	2544	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe	35
PID 2544 wrote to memory of 532	2544	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe	35
PID 2544 wrote to memory of 532	2544	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe	35
PID 2544 wrote to memory of 532	2544	c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe	35
PID 532 wrote to memory of 1940	532	remcos.exe	37
PID 532 wrote to memory of 1940	532	remcos.exe	37
PID 532 wrote to memory of 1940	532	remcos.exe	37
PID 532 wrote to memory of 1940	532	remcos.exe	37
PID 532 wrote to memory of 1140	532	remcos.exe	38
PID 532 wrote to memory of 1140	532	remcos.exe	38
PID 532 wrote to memory of 1140	532	remcos.exe	38
PID 532 wrote to memory of 1140	532	remcos.exe	38
PID 532 wrote to memory of 1424	532	remcos.exe	41
PID 532 wrote to memory of 1424	532	remcos.exe	41
PID 532 wrote to memory of 1424	532	remcos.exe	41
PID 532 wrote to memory of 1424	532	remcos.exe	41
PID 532 wrote to memory of 1760	532	remcos.exe	42
PID 532 wrote to memory of 1760	532	remcos.exe	42
PID 532 wrote to memory of 1760	532	remcos.exe	42
PID 532 wrote to memory of 1760	532	remcos.exe	42
PID 532 wrote to memory of 1796	532	remcos.exe	43
PID 532 wrote to memory of 1796	532	remcos.exe	43
PID 532 wrote to memory of 1796	532	remcos.exe	43
PID 532 wrote to memory of 1796	532	remcos.exe	43
PID 532 wrote to memory of 1796	532	remcos.exe	43
PID 532 wrote to memory of 1796	532	remcos.exe	43
PID 532 wrote to memory of 1796	532	remcos.exe	43
PID 532 wrote to memory of 1796	532	remcos.exe	43
PID 532 wrote to memory of 1796	532	remcos.exe	43
PID 532 wrote to memory of 1796	532	remcos.exe	43
PID 532 wrote to memory of 1796	532	remcos.exe	43
PID 532 wrote to memory of 1796	532	remcos.exe	43
PID 532 wrote to memory of 1796	532	remcos.exe	43

C:\Users\Admin\AppData\Local\Temp\c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe
"C:\Users\Admin\AppData\Local\Temp\c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mWrixkEbVc.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mWrixkEbVc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBFC6.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2568
- C:\Users\Admin\AppData\Local\Temp\c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe
  "C:\Users\Admin\AppData\Local\Temp\c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mWrixkEbVc.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1940
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mWrixkEbVc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2BD1.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1140
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Executes dropped EXE
      PID:1424
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Executes dropped EXE
      PID:1760
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\logs.dat

Filesize
144B

MD5
df731cd00d7a9ac4689a4329aa0aad2d

SHA1
efad781f5f84e6f0bce4f9a9676ab7987a34817f

SHA256
0325750528488af226860bed80e3fdd503c23ed23bce2779f1304845515ec9be

SHA512
ccf56acbc6a4e451d77afac2419662869a0cfbf348a3aaa2f73bb9af52c51c49fff3e53cad214f4ae8ffe61a6eba2f137298ded2be30b3e203d587aa9f7048fe

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
908KB

MD5
1cb86400147c835af58017f0474c5bcc

SHA1
ac285cb623bf292341068dead954cfed9a1f8c81

SHA256
c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61

SHA512
ce74f39d092b13570f9387e5d43ced748dea9557e8887fc072694a2cf448b2c4cf741db3e76d551ebef3511b906ae1cbe0fe670f8968e51d1441982ec73b9b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBFC6.tmp

Filesize
1KB

MD5
17158e13f626ccd6e464b01e08e19f70

SHA1
21571bae1525c0407e4464506a27e2722cf95e98

SHA256
49888d694368f46e9c028940a1f1444d1aaec6e76c7c1f6a430c5f030697ce2b

SHA512
ccdc2568cc69a3ccc34ad95d766f9606b27f88900120d98f06f21931146246288229b5ec88d4b588eea6e42a044298e06a9adbf5d21eb82f2ee42a68b6ef06ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3LTMKA87WZYJB3399USZ.temp

Filesize
7KB

MD5
a5d63d13d41097c0c509a4df51212323

SHA1
14870391941d075b6da295927541a313cb6105e4

SHA256
d37971180897652a1fbc3e127bc62562147e9535bf70d529afcc226cb2740c46

SHA512
a127e91754043cb12fb6a975df1792e692ea9a9aae654a2a01493a3b57d2301f0b0aceb767cd432c50b42fb406164ab81160c6ac4c4a373d3c05b65f9db59559

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f3584a82ab5eebbba42786863d7c4f7d

SHA1
ff04f35b024ad1b053fa6e7e7126e3f6ac11f7c0

SHA256
be64dfa1a2e3ca3f5d4d5d6eba237c58eb23f372433eb4769c346d4517e18818

SHA512
f05e44e9a01b442b9e20d6677302a6b154e2043c0657b3b773ffaee43f8e5cd54cc81ee76da6e59bc0f27d1547a0cd820b6edfa7d151a03663ec7547e90622d6

Download Submit
memory/532-38-0x00000000000A0000-0x000000000018A000-memory.dmp

Filesize
936KB

Download
memory/1796-81-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1796-74-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1796-75-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1796-100-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1796-94-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1796-87-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1796-70-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1796-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1796-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1796-101-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2440-4-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2440-5-0x0000000005C30000-0x0000000005CF4000-memory.dmp

Filesize
784KB

Download
memory/2440-31-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2440-0-0x000000007442E000-0x000000007442F000-memory.dmp

Filesize
4KB

Download
memory/2440-3-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/2440-2-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2440-1-0x0000000001010000-0x00000000010FA000-memory.dmp

Filesize
936KB

Download
memory/2544-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2544-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2544-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2544-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2544-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2544-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2544-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2544-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2544-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2544-13-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2544-11-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download