remcos | 029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
Size

293KB
MD5

15d69c839a4f4336de4b78c53adaa500
SHA1

829c2f6d3b9be98802ebb5e95a7fc2f87d33d210
SHA256

029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049
SHA512

e2e60b7c622c6f738a38437aa73df0c50fe2ac50389c4d564e947402385f5e06bcc4b60588ac17c4cae4b7e536061cc292b457bde832c8b1555eea1cfcb36dc0
SSDEEP

6144:f5ZdP3uQMi7StiABLHGEEUqdGrxrL0Or1jQQdy02sbY7:fdP3d2uO0Or1WkbY7

Score

10^/10

remcos planes discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

2.1.0 Pro

Botnet

Planes

remfff.duckdns.org:48604

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
csrss.exe
copy_folder
csrss.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
RemcosXs-L20P2E
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
csrss.exe
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
2272	csrss.exe
3520	csrss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe\\csrss.exe\""	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe\\csrss.exe\""	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe
2272	csrss.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
2272	csrss.exe
2272	csrss.exe
3520	csrss.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 1616	5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe	97
PID 5072 wrote to memory of 1616	5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe	97
PID 5072 wrote to memory of 1616	5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe	97
PID 5072 wrote to memory of 1616	5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe	97
PID 5072 wrote to memory of 1616	5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe	97
PID 5072 wrote to memory of 1616	5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe	97
PID 5072 wrote to memory of 1616	5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe	97
PID 5072 wrote to memory of 1616	5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe	97
PID 5072 wrote to memory of 1616	5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe	97
PID 5072 wrote to memory of 1616	5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe	97
PID 5072 wrote to memory of 1616	5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe	97
PID 5072 wrote to memory of 1616	5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe	97
PID 5072 wrote to memory of 1616	5072	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe	97
PID 1616 wrote to memory of 1464	1616	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe	98
PID 1616 wrote to memory of 1464	1616	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe	98
PID 1616 wrote to memory of 1464	1616	029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe	98
PID 1464 wrote to memory of 4144	1464	WScript.exe	99
PID 1464 wrote to memory of 4144	1464	WScript.exe	99
PID 1464 wrote to memory of 4144	1464	WScript.exe	99
PID 4144 wrote to memory of 2272	4144	cmd.exe	101
PID 4144 wrote to memory of 2272	4144	cmd.exe	101
PID 4144 wrote to memory of 2272	4144	cmd.exe	101
PID 2272 wrote to memory of 3520	2272	csrss.exe	103
PID 2272 wrote to memory of 3520	2272	csrss.exe	103
PID 2272 wrote to memory of 3520	2272	csrss.exe	103
PID 2272 wrote to memory of 3520	2272	csrss.exe	103
PID 2272 wrote to memory of 3520	2272	csrss.exe	103
PID 2272 wrote to memory of 3520	2272	csrss.exe	103
PID 2272 wrote to memory of 3520	2272	csrss.exe	103
PID 2272 wrote to memory of 3520	2272	csrss.exe	103
PID 2272 wrote to memory of 3520	2272	csrss.exe	103
PID 2272 wrote to memory of 3520	2272	csrss.exe	103
PID 2272 wrote to memory of 3520	2272	csrss.exe	103
PID 2272 wrote to memory of 3520	2272	csrss.exe	103
PID 2272 wrote to memory of 3520	2272	csrss.exe	103

C:\Users\Admin\AppData\Local\Temp\029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
"C:\Users\Admin\AppData\Local\Temp\029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\AppData\Local\Temp\029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe
  "C:\Users\Admin\AppData\Local\Temp\029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049N.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\csrss.exe\csrss.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4144
    - - C:\Users\Admin\AppData\Roaming\csrss.exe\csrss.exe
        
        C:\Users\Admin\AppData\Roaming\csrss.exe\csrss.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2272
      - C:\Users\Admin\AppData\Roaming\csrss.exe\csrss.exe
        
        C:\Users\Admin\AppData\Roaming\csrss.exe\csrss.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
422B

MD5
f3ed21a8dbf48ccf6487d68cd12b8e89

SHA1
37b725cdc3bb8b91cb6242529721a2c3f1f03af2

SHA256
a2c8cc5a927929bb186c39f2deefa5ca869ab705ada7b13c2687a54c99df0416

SHA512
da85bc3517b3d085a29ae9c1a200ca7ae6c46f6bff4d5dc199bf493e6eda9cd223acf3945a4e24ae24f5a7fbc134f0345d725a6af1061b6c3f526ffec599851f

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe\csrss.exe

Filesize
293KB

MD5
15d69c839a4f4336de4b78c53adaa500

SHA1
829c2f6d3b9be98802ebb5e95a7fc2f87d33d210

SHA256
029783fcf4e6f9e78a2db3e8d9caa398f8bfa5cc857c69eabdeb67e66e637049

SHA512
e2e60b7c622c6f738a38437aa73df0c50fe2ac50389c4d564e947402385f5e06bcc4b60588ac17c4cae4b7e536061cc292b457bde832c8b1555eea1cfcb36dc0

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat

Filesize
79B

MD5
78b303fa294069ff6f2b5e0cbf9c224c

SHA1
58c9d7564373655a8ac6d11187b5cdd87707f305

SHA256
ddffc8e2e33914501ce10ba982ea08cc2c5436a19be61e7b471946608425bd83

SHA512
4ca72f69a343fbadd3ab9b0c3fb2f196431a6b3cddb8e481c6bad3960427ce02ac4fefd45b72b93ea771548e2cda60c69a4d2ded70f6b8cc396a435a49ff4be0

Download Submit
memory/1616-12-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1616-3-0x00000000771E2000-0x00000000771E3000-memory.dmp

Filesize
4KB

Download
memory/1616-6-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1616-5-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3520-19-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3520-21-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3520-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3520-25-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3520-26-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5072-4-0x00000000023B0000-0x000000000242B000-memory.dmp

Filesize
492KB

Download
memory/5072-0-0x00000000023B0000-0x000000000242B000-memory.dmp

Filesize
492KB

Download
memory/5072-2-0x00000000023B0000-0x000000000242B000-memory.dmp

Filesize
492KB

Download
memory/5072-1-0x00000000771E2000-0x00000000771E3000-memory.dmp

Filesize
4KB

Download