remcos | 9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe
Size

293KB
MD5

90685b3446365662273f08298a9724c3
SHA1

2f1881d820114d9e567aaf3185754f6d0cdc0645
SHA256

9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a
SHA512

d7675048d87e3265665339b9f57c34d9d6070507d935e7e8d7bcb2681434c3a8e6a6999aa901f0d9bf1ac872079a95daaa595eb04340cf14175323f3154ca981
SSDEEP

6144:f5ZdP3uQMi7StiABLHGEEUqdGrxrL0Or1jQQdy02sbYB:fdP3d2uO0Or1WkbYB

Score

10^/10

remcos planes discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

2.1.0 Pro

Botnet

Planes

remfff.duckdns.org:48604

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
csrss.exe
copy_folder
csrss.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
RemcosXs-L20P2E
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
csrss.exe
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 2 IoCs

pid	Process
2904	csrss.exe
1928	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
1932	cmd.exe
1932	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe\\csrss.exe\""	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe\\csrss.exe\""	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe
1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe
1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe
1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe
1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe
1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe
1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe
1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe
1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe
1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe
1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe
1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe
1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe
1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe
1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe
1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe
2904	csrss.exe
2904	csrss.exe
2904	csrss.exe
2904	csrss.exe
2904	csrss.exe
2904	csrss.exe
2904	csrss.exe
2904	csrss.exe
2904	csrss.exe
2904	csrss.exe
2904	csrss.exe
2904	csrss.exe
2904	csrss.exe
2904	csrss.exe
2904	csrss.exe
2904	csrss.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe
1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe
2904	csrss.exe
2904	csrss.exe
1928	csrss.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 2104	1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe	31
PID 1840 wrote to memory of 2104	1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe	31
PID 1840 wrote to memory of 2104	1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe	31
PID 1840 wrote to memory of 2104	1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe	31
PID 1840 wrote to memory of 2104	1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe	31
PID 1840 wrote to memory of 2104	1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe	31
PID 1840 wrote to memory of 2104	1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe	31
PID 1840 wrote to memory of 2104	1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe	31
PID 1840 wrote to memory of 2104	1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe	31
PID 1840 wrote to memory of 2104	1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe	31
PID 1840 wrote to memory of 2104	1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe	31
PID 1840 wrote to memory of 2104	1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe	31
PID 1840 wrote to memory of 2104	1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe	31
PID 1840 wrote to memory of 2104	1840	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe	31
PID 2104 wrote to memory of 2760	2104	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe	32
PID 2104 wrote to memory of 2760	2104	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe	32
PID 2104 wrote to memory of 2760	2104	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe	32
PID 2104 wrote to memory of 2760	2104	9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe	32
PID 2760 wrote to memory of 1932	2760	WScript.exe	33
PID 2760 wrote to memory of 1932	2760	WScript.exe	33
PID 2760 wrote to memory of 1932	2760	WScript.exe	33
PID 2760 wrote to memory of 1932	2760	WScript.exe	33
PID 1932 wrote to memory of 2904	1932	cmd.exe	35
PID 1932 wrote to memory of 2904	1932	cmd.exe	35
PID 1932 wrote to memory of 2904	1932	cmd.exe	35
PID 1932 wrote to memory of 2904	1932	cmd.exe	35
PID 2904 wrote to memory of 1928	2904	csrss.exe	36
PID 2904 wrote to memory of 1928	2904	csrss.exe	36
PID 2904 wrote to memory of 1928	2904	csrss.exe	36
PID 2904 wrote to memory of 1928	2904	csrss.exe	36
PID 2904 wrote to memory of 1928	2904	csrss.exe	36
PID 2904 wrote to memory of 1928	2904	csrss.exe	36
PID 2904 wrote to memory of 1928	2904	csrss.exe	36
PID 2904 wrote to memory of 1928	2904	csrss.exe	36
PID 2904 wrote to memory of 1928	2904	csrss.exe	36
PID 2904 wrote to memory of 1928	2904	csrss.exe	36
PID 2904 wrote to memory of 1928	2904	csrss.exe	36
PID 2904 wrote to memory of 1928	2904	csrss.exe	36
PID 2904 wrote to memory of 1928	2904	csrss.exe	36
PID 2904 wrote to memory of 1928	2904	csrss.exe	36

C:\Users\Admin\AppData\Local\Temp\9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe
"C:\Users\Admin\AppData\Local\Temp\9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Users\Admin\AppData\Local\Temp\9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe
  "C:\Users\Admin\AppData\Local\Temp\9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\csrss.exe\csrss.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1932
    - - C:\Users\Admin\AppData\Roaming\csrss.exe\csrss.exe
        
        C:\Users\Admin\AppData\Roaming\csrss.exe\csrss.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2904
      - C:\Users\Admin\AppData\Roaming\csrss.exe\csrss.exe
        
        C:\Users\Admin\AppData\Roaming\csrss.exe\csrss.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
422B

MD5
f3ed21a8dbf48ccf6487d68cd12b8e89

SHA1
37b725cdc3bb8b91cb6242529721a2c3f1f03af2

SHA256
a2c8cc5a927929bb186c39f2deefa5ca869ab705ada7b13c2687a54c99df0416

SHA512
da85bc3517b3d085a29ae9c1a200ca7ae6c46f6bff4d5dc199bf493e6eda9cd223acf3945a4e24ae24f5a7fbc134f0345d725a6af1061b6c3f526ffec599851f

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe\csrss.exe

Filesize
293KB

MD5
90685b3446365662273f08298a9724c3

SHA1
2f1881d820114d9e567aaf3185754f6d0cdc0645

SHA256
9fa65520148046f0e3791249d36a42ec4401f8f5db36091bc63156c778e4252a

SHA512
d7675048d87e3265665339b9f57c34d9d6070507d935e7e8d7bcb2681434c3a8e6a6999aa901f0d9bf1ac872079a95daaa595eb04340cf14175323f3154ca981

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat

Filesize
79B

MD5
8a544c3184c6c01c62cec7825dd121f9

SHA1
92377281ffe6751385455c84caccfdff0bc56353

SHA256
9f72fd89e64958745bbb9817ccf8da5ef8b336cb3056a52dbc9b809b532960a9

SHA512
710195d98e4dfcd9e15555c50a5ea0ca818ed5d9e7b48f53cec61889dfa4507121f0c640aa1f8c04acea792691b116a9605f7cd4846155a1c995c0e939271d30

Download Submit
memory/1840-4-0x0000000001F70000-0x0000000001FEB000-memory.dmp

Filesize
492KB

Download
memory/1840-2-0x0000000001F70000-0x0000000001FEB000-memory.dmp

Filesize
492KB

Download
memory/1840-1-0x0000000077C0F000-0x0000000077C10000-memory.dmp

Filesize
4KB

Download
memory/1840-0-0x0000000001F70000-0x0000000001FEB000-memory.dmp

Filesize
492KB

Download
memory/1928-27-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1928-21-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1928-22-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1928-25-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1928-29-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1928-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2104-3-0x0000000077C0F000-0x0000000077C10000-memory.dmp

Filesize
4KB

Download
memory/2104-13-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2104-5-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2104-6-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download