remcos | 8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301

General

Target

8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe
Size

959KB
MD5

10ab4b6fb83aea3840ac04855974f62d
SHA1

c41572120bb8f298d4a8683321e7a3b1cc7c54da
SHA256

8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301
SHA512

d414499348356d4028c97718126dbc51aa240a63b70f3236d73003821910735bcef0761da0a873b55abfb18b71820fcd6bf4e58bac98109274c477cc68633d94
SSDEEP

24576:TuWl35eXIVicKGaiT+zuOiNPjdbdpcg4qCYi:BnXicKE6zuOiNPjdZ4qCYi

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

41.216.183.238:7112

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-Y7J88P
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2912	powershell.exe
2712	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2172 set thread context of 1044	2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2596	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe
2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe
2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe
2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe
2712	powershell.exe
2912	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2912	2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe	30
PID 2172 wrote to memory of 2912	2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe	30
PID 2172 wrote to memory of 2912	2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe	30
PID 2172 wrote to memory of 2912	2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe	30
PID 2172 wrote to memory of 2712	2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe	32
PID 2172 wrote to memory of 2712	2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe	32
PID 2172 wrote to memory of 2712	2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe	32
PID 2172 wrote to memory of 2712	2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe	32
PID 2172 wrote to memory of 2596	2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe	33
PID 2172 wrote to memory of 2596	2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe	33
PID 2172 wrote to memory of 2596	2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe	33
PID 2172 wrote to memory of 2596	2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe	33
PID 2172 wrote to memory of 1044	2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe	36
PID 2172 wrote to memory of 1044	2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe	36
PID 2172 wrote to memory of 1044	2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe	36
PID 2172 wrote to memory of 1044	2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe	36
PID 2172 wrote to memory of 1044	2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe	36
PID 2172 wrote to memory of 1044	2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe	36
PID 2172 wrote to memory of 1044	2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe	36
PID 2172 wrote to memory of 1044	2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe	36
PID 2172 wrote to memory of 1044	2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe	36
PID 2172 wrote to memory of 1044	2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe	36
PID 2172 wrote to memory of 1044	2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe	36
PID 2172 wrote to memory of 1044	2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe	36
PID 2172 wrote to memory of 1044	2172	8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe	36

C:\Users\Admin\AppData\Local\Temp\8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe
"C:\Users\Admin\AppData\Local\Temp\8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\myTuDsvNcebev.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myTuDsvNcebev" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA8BD.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2596
- C:\Users\Admin\AppData\Local\Temp\8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe
  "C:\Users\Admin\AppData\Local\Temp\8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1044

Network

DNS

geoplugin.net

8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe

Remote address:

8.8.8.8:53

Request

geoplugin.net

IN A

Response

geoplugin.net

IN A

178.237.33.50
GET

http://geoplugin.net/json.gp

8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe

Remote address:

178.237.33.50:80

Request

GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

date: Mon, 09 Dec 2024 02:33:47 GMT
server: Apache
content-length: 956
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *

41.216.183.238:7112

tls

8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe

3.4kB
1.5kB
13
16
178.237.33.50:80

http://geoplugin.net/json.gp

http

8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe

583 B
2.5kB
11
4

HTTP Request

GET http://geoplugin.net/json.gp

HTTP Response

200

8.8.8.8:53

geoplugin.net

dns

8c62537b7b875c364a79b98adaa8d341b4a52e4d0a27697f0f07b1209ed53301.exe

59 B
75 B
1
1

DNS Request

geoplugin.net

DNS Response

178.237.33.50

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA8BD.tmp

Filesize
1KB

MD5
3a310c5c0a9e222e68b66f7dfa9e75dd

SHA1
76ba0108ef1c5651b11dc6e586171f4cc0f4bbf8

SHA256
633b65f4e7257ccb13cfb8d1e4d2e0389c01d826bd4753558ad8cebd0354412c

SHA512
ace47131680eb1ad51267bd2f2cfdb998e4670f8d1f2f4b70b29f5ed983113e7fb76a44e5c04b50518bc7fb37ccc809d87528b4558c5645d233afbfb038feb18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1dff2ebc062eab2a003d37e9f9c45572

SHA1
e367bc5d1921ece19d5289aae8024475138a1aeb

SHA256
ce5410ca7b7520bb8ce71f465579bba210974eda896d22e703c14aa392de8274

SHA512
91209a6e1130a861e3c8151fb73ed1d0e7e615d4cf06acac22b21793ed8c7bada24a7d612f9aeeb5d42a31d4fec84cab46a0f20ae959fac8fba20a4debed726f

Download Submit
memory/1044-31-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1044-23-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1044-53-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1044-52-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1044-51-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1044-50-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1044-49-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1044-19-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1044-26-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1044-39-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1044-38-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1044-37-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1044-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1044-33-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1044-48-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1044-47-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1044-36-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1044-27-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1044-46-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1044-21-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1044-29-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1044-41-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1044-42-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1044-43-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2172-40-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/2172-3-0x00000000005F0000-0x000000000060C000-memory.dmp

Filesize
112KB

Download
memory/2172-1-0x0000000001380000-0x0000000001472000-memory.dmp

Filesize
968KB

Download
memory/2172-2-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-6-0x0000000005110000-0x00000000051D0000-memory.dmp

Filesize
768KB

Download
memory/2172-5-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-4-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.