remcos | b4d1b79459e02f66fae43fa71b6422be611fc7595306875ad87eddaa0e07ac5c

General

Target

Quotation.exe
Size

1.0MB
MD5

67b86e9595c2d0d2f44454ec239fda56
SHA1

1a44600a7b4e010174d99c152dc20fef1d84061a
SHA256

905eb3c354f4f1210442b25983482a2612d6354df9c3d26beb9a0bdaf1e9ac04
SHA512

73fb542c826f8e75683e7944f0f616d2317d17c5cc153610e7d2107c6da7458da00c89e797aa4f59c92d92095dcf884ef9474cf7ac5dcc4bf526aa8389486604
SSDEEP

24576:BHAXaxESQklIlQcZrVs+3FvrVOuHvKYKrVFmdGp7N1/TBt:BgAlFUrv3FjwuPKYaGK/t

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

185.241.208.87:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7DRXD9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3032	powershell.exe
2876	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2464 set thread context of 2736	2464	Quotation.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2828	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2464	Quotation.exe
2464	Quotation.exe
2464	Quotation.exe
2464	Quotation.exe
2464	Quotation.exe
2464	Quotation.exe
2464	Quotation.exe
3032	powershell.exe
2876	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	Quotation.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 3032	2464	Quotation.exe	30
PID 2464 wrote to memory of 3032	2464	Quotation.exe	30
PID 2464 wrote to memory of 3032	2464	Quotation.exe	30
PID 2464 wrote to memory of 3032	2464	Quotation.exe	30
PID 2464 wrote to memory of 2876	2464	Quotation.exe	32
PID 2464 wrote to memory of 2876	2464	Quotation.exe	32
PID 2464 wrote to memory of 2876	2464	Quotation.exe	32
PID 2464 wrote to memory of 2876	2464	Quotation.exe	32
PID 2464 wrote to memory of 2828	2464	Quotation.exe	33
PID 2464 wrote to memory of 2828	2464	Quotation.exe	33
PID 2464 wrote to memory of 2828	2464	Quotation.exe	33
PID 2464 wrote to memory of 2828	2464	Quotation.exe	33
PID 2464 wrote to memory of 2736	2464	Quotation.exe	36
PID 2464 wrote to memory of 2736	2464	Quotation.exe	36
PID 2464 wrote to memory of 2736	2464	Quotation.exe	36
PID 2464 wrote to memory of 2736	2464	Quotation.exe	36
PID 2464 wrote to memory of 2736	2464	Quotation.exe	36
PID 2464 wrote to memory of 2736	2464	Quotation.exe	36
PID 2464 wrote to memory of 2736	2464	Quotation.exe	36
PID 2464 wrote to memory of 2736	2464	Quotation.exe	36
PID 2464 wrote to memory of 2736	2464	Quotation.exe	36
PID 2464 wrote to memory of 2736	2464	Quotation.exe	36
PID 2464 wrote to memory of 2736	2464	Quotation.exe	36

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hVWuVAdS.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hVWuVAdS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDDD1.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2828
- C:\Users\Admin\AppData\Local\Temp\Quotation.exe
  "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
  2⤵
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDDD1.tmp

Filesize
1KB

MD5
b5dfd7c1d090b57ba6bcfc90f0e040fe

SHA1
378ce00065d38c3a61d9c6e463e8bcd7ee71a0b6

SHA256
c27b363bb890683d44b611988a7cf2a879caedd69282073dcde02da2d5dc0011

SHA512
8d5c790e9ad28b9e2d6f6ceaeb9bc4936cfcb81bacd0ae234a52264df867841b0ef824c57b8a94e4730213acd45ae43ae7da57a612c0d6030a20285eb90fea81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
cad19924afb9dfbfba6bc1bbee0fa3eb

SHA1
9ec4faa63b5bc49f4eb2393c75a98f660c2b2dfd

SHA256
bba28a19c81b858af52df202bf6a44db3cb7fab996e88b87226705fd9188c559

SHA512
870e3a235a6ccf85d87ff43ca50119581712d1ca685afa63577b143f68f0ea9439824128bc079bc1fcb28ddb2e3f5f1dcec0d83b7735ebe673b788ba2a3a8149

Download Submit
memory/2464-0-0x00000000741FE000-0x00000000741FF000-memory.dmp

Filesize
4KB

Download
memory/2464-1-0x0000000001300000-0x000000000140C000-memory.dmp

Filesize
1.0MB

Download
memory/2464-2-0x00000000741F0000-0x00000000748DE000-memory.dmp

Filesize
6.9MB

Download
memory/2464-3-0x00000000009C0000-0x00000000009D8000-memory.dmp

Filesize
96KB

Download
memory/2464-4-0x00000000741FE000-0x00000000741FF000-memory.dmp

Filesize
4KB

Download
memory/2464-5-0x00000000741F0000-0x00000000748DE000-memory.dmp

Filesize
6.9MB

Download
memory/2464-6-0x0000000004EB0000-0x0000000004F72000-memory.dmp

Filesize
776KB

Download
memory/2464-36-0x00000000741F0000-0x00000000748DE000-memory.dmp

Filesize
6.9MB

Download
memory/2736-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2736-23-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2736-34-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2736-33-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2736-32-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2736-30-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2736-27-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2736-19-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2736-25-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2736-35-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2736-21-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2736-37-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2736-38-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2736-39-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2736-40-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2736-41-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2736-42-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2736-43-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2736-44-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads