remcos | b2353d3d5f9fc21db34d09c2fb6c4eee1f962dc8f8dcc1224d02c5c2dfea896a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2353d3d5f9fc21db34d09c2fb6c4eee1f962dc8f8dcc1224d02c5c2dfea896a.exe
Size

1.3MB
MD5

27dee3ad8afbebda1a1bc1caeb41671c
SHA1

425198f041d6ec31df61f7622889d1ba29b0def5
SHA256

b2353d3d5f9fc21db34d09c2fb6c4eee1f962dc8f8dcc1224d02c5c2dfea896a
SHA512

10ca86daba99bc4610722a822bb49f1d662edf0af31449d8958c62e015c7c6a514bef006404df6721cc4f7eb260a76dcb0a122dc90361d1a66c8b5eb5c7d7675
SSDEEP

24576:MA73Eh5w49Br+ll3A11p2M30D7asFooAXWchbn5EVOHLvaRikkv9yq:Np2wC0DdFooAXFLyRiZvb

Score

10^/10

remcos csrss discovery rat

Malware Config

Extracted

Family

remcos

Botnet

csrss

154.216.18.132:6767

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-GED05O
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5024 created 3444	5024	Stretch.com	56

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	b2353d3d5f9fc21db34d09c2fb6c4eee1f962dc8f8dcc1224d02c5c2dfea896a.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberFox.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberFox.url	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
5024	Stretch.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
4368	tasklist.exe
2908	tasklist.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ElseModels	b2353d3d5f9fc21db34d09c2fb6c4eee1f962dc8f8dcc1224d02c5c2dfea896a.exe
File opened for modification	C:\Windows\RocksEntrance	b2353d3d5f9fc21db34d09c2fb6c4eee1f962dc8f8dcc1224d02c5c2dfea896a.exe
File opened for modification	C:\Windows\CnetcomDresses	b2353d3d5f9fc21db34d09c2fb6c4eee1f962dc8f8dcc1224d02c5c2dfea896a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2353d3d5f9fc21db34d09c2fb6c4eee1f962dc8f8dcc1224d02c5c2dfea896a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stretch.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4368	tasklist.exe
Token: SeDebugPrivilege	2908	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5024	Stretch.com
5024	Stretch.com
5024	Stretch.com

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5024	Stretch.com

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2684	2548	b2353d3d5f9fc21db34d09c2fb6c4eee1f962dc8f8dcc1224d02c5c2dfea896a.exe	84
PID 2548 wrote to memory of 2684	2548	b2353d3d5f9fc21db34d09c2fb6c4eee1f962dc8f8dcc1224d02c5c2dfea896a.exe	84
PID 2548 wrote to memory of 2684	2548	b2353d3d5f9fc21db34d09c2fb6c4eee1f962dc8f8dcc1224d02c5c2dfea896a.exe	84
PID 2684 wrote to memory of 4368	2684	cmd.exe	86
PID 2684 wrote to memory of 4368	2684	cmd.exe	86
PID 2684 wrote to memory of 4368	2684	cmd.exe	86
PID 2684 wrote to memory of 4668	2684	cmd.exe	87
PID 2684 wrote to memory of 4668	2684	cmd.exe	87
PID 2684 wrote to memory of 4668	2684	cmd.exe	87
PID 2684 wrote to memory of 2908	2684	cmd.exe	89
PID 2684 wrote to memory of 2908	2684	cmd.exe	89
PID 2684 wrote to memory of 2908	2684	cmd.exe	89
PID 2684 wrote to memory of 4856	2684	cmd.exe	90
PID 2684 wrote to memory of 4856	2684	cmd.exe	90
PID 2684 wrote to memory of 4856	2684	cmd.exe	90
PID 2684 wrote to memory of 2440	2684	cmd.exe	91
PID 2684 wrote to memory of 2440	2684	cmd.exe	91
PID 2684 wrote to memory of 2440	2684	cmd.exe	91
PID 2684 wrote to memory of 4912	2684	cmd.exe	92
PID 2684 wrote to memory of 4912	2684	cmd.exe	92
PID 2684 wrote to memory of 4912	2684	cmd.exe	92
PID 2684 wrote to memory of 5024	2684	cmd.exe	93
PID 2684 wrote to memory of 5024	2684	cmd.exe	93
PID 2684 wrote to memory of 5024	2684	cmd.exe	93
PID 2684 wrote to memory of 4092	2684	cmd.exe	94
PID 2684 wrote to memory of 4092	2684	cmd.exe	94
PID 2684 wrote to memory of 4092	2684	cmd.exe	94
PID 5024 wrote to memory of 1536	5024	Stretch.com	95
PID 5024 wrote to memory of 1536	5024	Stretch.com	95
PID 5024 wrote to memory of 1536	5024	Stretch.com	95

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3444
- C:\Users\Admin\AppData\Local\Temp\b2353d3d5f9fc21db34d09c2fb6c4eee1f962dc8f8dcc1224d02c5c2dfea896a.exe
  "C:\Users\Admin\AppData\Local\Temp\b2353d3d5f9fc21db34d09c2fb6c4eee1f962dc8f8dcc1224d02c5c2dfea896a.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy Edges Edges.cmd && Edges.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4368
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4668
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2908
  - - C:\Windows\SysWOW64\findstr.exe
      findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4856
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 344725
      4⤵
      System Location Discovery: System Language Discovery
      PID:2440
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Contrast + ..\Newcastle + ..\Download + ..\Smtp + ..\Deposit + ..\Anticipated + ..\Accredited + ..\Hobbies + ..\Gods + ..\Wma + ..\Again G
      4⤵
      System Location Discovery: System Language Discovery
      PID:4912
  - - C:\Users\Admin\AppData\Local\Temp\344725\Stretch.com
      Stretch.com G
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5024
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:4092
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberFox.url" & echo URL="C:\Users\Admin\AppData\Local\SecureNet Dynamics\CyberFox.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberFox.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
830f92308a4e6a51860d467ea9e17f0f

SHA1
c130c449aba7f892af3a19e02e785f207d749715

SHA256
0796edb25f2c6af56ebe3d42314a1a95c746f60a073a19671d30319e112a99af

SHA512
f55fd9c1c9cd810e5a355d901f8617f4dff733d759dd433e55ecf7af18897cc83912055225803c78466b8d16a52dc3ea6d34329391fe5e68edd04877e88e9e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\344725\G

Filesize
684KB

MD5
9a7e06b9e1f7141aef25c506e744ef43

SHA1
5bd32d4cd2a3a21f612d65703520f9584089665e

SHA256
d7b751f20b960013f98dea1be14d2f7ea1aea68de942b1d434d476cef41d451b

SHA512
44878f0fea002b9ef0244c9af5a37bce1509298fa12cb17cd30cf568071e88954538b617704eafe10c1df588280ea3cd8d63e5b6cd4a0112a0ff8e75554c0ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Accredited

Filesize
58KB

MD5
b464bd3d119a9be2bd69b49e324d4f92

SHA1
67b6857c92294011ece768b0410bad4e992ef69f

SHA256
1f4a40a557fedea1f0bf1bb94bbcef79519a140c283a1e939bb024ff5296a2c7

SHA512
ef28727fc1b119fdfd53c1d10007bc60906de9bc0cbabe35508b8aa6af80a8535b29c6592dd371664dd8cc274b7fbcd760ee5bac66b052f397c900800bf468af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Again

Filesize
34KB

MD5
9f691e98ffb0c6d522e6521547442a2e

SHA1
e55411815c8e462cbb8822b6e9c800cf7af51de4

SHA256
c750c6d9c0aed4c70c2fa0e952280c99f90ff11c8afb880c868059102225306f

SHA512
e96c6b95f7ba4312783e68e7e28cbe81178419623b91f107025b50fb2bb2dbd2f41d1caa7dee073f8a89148a40dd8a1ade73a5a854007483381f3ee0d8031dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anticipated

Filesize
86KB

MD5
95cad96f7af7a66f5b358808b31f5377

SHA1
25b297574221928efaf7b2e4476625973e1b424c

SHA256
0a490ec56fdaa2f8d362bc2a837a9ef7f939a1d3974f2392be6444d366436f8b

SHA512
0f53702719c706ca97e5e784d3cea869b0afb9a28d4b2bbf25046e4ec027978251d01d835e563448037f9e5793d4be8abcee665d99fcf8fd2a7052c99f892e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Contrast

Filesize
52KB

MD5
7b2bf22e6e0f54d07d15375516d6ab20

SHA1
6de6770e53b9a5fe7924fd571366ab1ce7abfb9e

SHA256
f83caf54b40cc5bf12d6538abf0619a1e07520130c3f87bcb516dc2314a8d688

SHA512
751d6d11cd7ea727a0d6a0005dee3b5f37f601052d4cdc04a35acebdae6a9db0276e8db227630c3eb557f5c83ac7fe79accb3bad812c11db1aab2eb6bad93037

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deposit

Filesize
58KB

MD5
43537867c4cbfba11d72fe49083cfc23

SHA1
d96c4db12a553d2dcaffe333190b8d32635b1fbc

SHA256
d10bce5ddd71655b1626064643343f53182af30c4cc02ecd94a709d6d65e5cf4

SHA512
0b505c3a4620661563d719d9518e84a040dba271d6363d80386a03476574a31a42dbfe08034382afce2773b230f25b65468b612a3de2198895afea554efa045b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Download

Filesize
60KB

MD5
8d01fd09d6d654b7c57d174a39d5ad1a

SHA1
c557845b5832881c88edf8a318bcd8544b6779d7

SHA256
918c6ac09524383bf361773bbda8bec7eb1826495eab3666007c44b230ea5fbf

SHA512
1db2bdc5bb3456c1da2eb4857a77f7dfc7157b66262f0b3c906e72f6706db01a8acc0531704c55bba55226384b75d12b86afac417a0bba822614e7fef5f1c840

Download Submit
C:\Users\Admin\AppData\Local\Temp\Edges

Filesize
9KB

MD5
40ea2086bf216121a50462bcb479782e

SHA1
7670a78e2ac31c6b7a15d7b33391a33ce29cd494

SHA256
ff418d1c99d4f985ca647208868966499bfd49a0920ca3494a9e7b3ba929169a

SHA512
6967d8aed5fd7ad3fe998086098a85e9785af621a90e35da5046decccf376b7cec1e04a8cf4d1bdc27922548f1a7a2ac9f194fa851b049967a0774519b54c339

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gods

Filesize
65KB

MD5
3978ff549497c1f0739df26bf264f9b6

SHA1
ee3d5dc3c3d1fc8a299b49eb5594e82f1381a46e

SHA256
c5a7d8863c85d6035d6e51781ff2e7bb16c546ae9bbede4ebc00af5f36e1b046

SHA512
388dcd88ea70d86a933eaf33ef0da48a8bf100f6a0de6116ad027606fe46b494f3e700a0b06def46f5c6e71b3337a1d848862e4c970e6815585462f3a06be3ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hobbies

Filesize
72KB

MD5
58f84d573ac9daf9357d9a2f6e6fb7f4

SHA1
fd24d69836900c7e9bd3902945d18104d13363e9

SHA256
d2c7cce69bce7755ce9ff663215bd2f6e3f113bc2d29334b6634f4631d013b73

SHA512
c5d08ec3739584fe2c924cbf37375344088927906fa6fe8eb6fcc2b4fdd612374ef3f90be42d51448da585ef8480cee62bdee213a126b878ee9d7afc43ec19ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newcastle

Filesize
65KB

MD5
579a603bd005e80e89fac7affe755b95

SHA1
a3971b0eedb7641f95aff3a7669ad917488e57ce

SHA256
ad5f34dd1f9ba8ab89bd2cef6d1945ca1319c62899be79cd205bc982dce1de90

SHA512
f81b29cd3a67294e77b058309452dd0c1551f11c2f78bce104d4ad9ad07b77cf9230eac0121ff166a867c40f04168b03733bbe0a801693f1ed18b0f431788a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Smtp

Filesize
79KB

MD5
5e1f3c4cdcb662dadeaead619d023eae

SHA1
006a14b75978100d1b9a67a6a1c9a21d96e4ab4b

SHA256
d75b1f13df8405f56aad89e4309d5b7484cba03920a02256e828acb92358d51b

SHA512
0ea7ce0827356892592d4c8cb9cdb3c9f50085a14c5772dcb78b4788d4ff0c85ed35ae0bd87153438b0b5ce501bcb5934542cbd21999e0a78d31a3429d9691c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Whale

Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wma

Filesize
55KB

MD5
2ef8aece2bb316f355fb94bb4cd6221c

SHA1
ea0241dd4b5e3642f44ab2bca1dce28bd67a4501

SHA256
be7641581b34cd399dc542d0b8da59a0d47fd319d2a305aed3c41f459e859f8b

SHA512
192bd8dffc3799965b9b6d3825209b4bc2b987455cc2d8254cfeb141182010ae49102d6fdc55051606e12bbc87b7578498a8bea649d1b19b5f7fd72e7087f95d

Download Submit
memory/5024-248-0x00000000048C0000-0x000000000493F000-memory.dmp

Filesize
508KB

Download
memory/5024-254-0x00000000048C0000-0x000000000493F000-memory.dmp

Filesize
508KB

Download
memory/5024-249-0x00000000048C0000-0x000000000493F000-memory.dmp

Filesize
508KB

Download
memory/5024-253-0x00000000048C0000-0x000000000493F000-memory.dmp

Filesize
508KB

Download
memory/5024-252-0x00000000048C0000-0x000000000493F000-memory.dmp

Filesize
508KB

Download
memory/5024-250-0x00000000048C0000-0x000000000493F000-memory.dmp

Filesize
508KB

Download
memory/5024-251-0x00000000048C0000-0x000000000493F000-memory.dmp

Filesize
508KB

Download
memory/5024-258-0x00000000048C0000-0x000000000493F000-memory.dmp

Filesize
508KB

Download
memory/5024-257-0x00000000048C0000-0x000000000493F000-memory.dmp

Filesize
508KB

Download
memory/5024-247-0x00000000048C0000-0x000000000493F000-memory.dmp

Filesize
508KB

Download
memory/5024-259-0x00000000048C0000-0x000000000493F000-memory.dmp

Filesize
508KB

Download
memory/5024-260-0x00000000048C0000-0x000000000493F000-memory.dmp

Filesize
508KB

Download
memory/5024-261-0x00000000048C0000-0x000000000493F000-memory.dmp

Filesize
508KB

Download
memory/5024-246-0x00000000048C0000-0x000000000493F000-memory.dmp

Filesize
508KB

Download
memory/5024-270-0x00000000048C0000-0x000000000493F000-memory.dmp

Filesize
508KB

Download
memory/5024-271-0x00000000048C0000-0x000000000493F000-memory.dmp

Filesize
508KB

Download
memory/5024-278-0x00000000048C0000-0x000000000493F000-memory.dmp

Filesize
508KB

Download
memory/5024-279-0x00000000048C0000-0x000000000493F000-memory.dmp

Filesize
508KB

Download
memory/5024-286-0x00000000048C0000-0x000000000493F000-memory.dmp

Filesize
508KB

Download
memory/5024-287-0x00000000048C0000-0x000000000493F000-memory.dmp

Filesize
508KB

Download