remcos | ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b

Analysis

max time kernel
151s
max time network
150s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe
Size

300.0MB
MD5

576e2763bd4204a46369088e7a09505a
SHA1

48c41638957a2eabec298ef6ecd1d85de6d92f95
SHA256

ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b
SHA512

7b04d4dc15184040508c39e81f1ddc821eb88c6f24c5d990a67a0aa3ee443156ee8105afe3fedf74f4aa07735fe3efb1b6f828964b0e27c82efbb2a7b91914e4
SSDEEP

12288:f1jsCAqYw8N6RFEGf7iW1HXSIE2GwcA4DTqw5mO8CkfnU8GP:djs3qP8NAEGf51HX51cA4fKfU8GP

Score

10^/10

remcos 7-5-22 discovery rat

Malware Config

Extracted

Family

remcos

Botnet

7-5-22

playstachon.duckdns.org:30288

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
NGINX
keylog_path
%AppData%
mouse_option
false
mutex
xpsie6w@>-H4T1EN
screenshot_crypt
true
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
paytrace;globalgateway;firstdata;shopify;chase

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 2 IoCs

pid	Process
2032	lpoef.exe
1728	lpoef.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2672 set thread context of 2984	2672	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	36
PID 2032 set thread context of 3036	2032	lpoef.exe	45

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lpoef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lpoef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2932	schtasks.exe
2228	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2984	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2984	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2916	2672	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	31
PID 2672 wrote to memory of 2916	2672	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	31
PID 2672 wrote to memory of 2916	2672	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	31
PID 2672 wrote to memory of 2916	2672	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	31
PID 2916 wrote to memory of 2932	2916	cmd.exe	33
PID 2916 wrote to memory of 2932	2916	cmd.exe	33
PID 2916 wrote to memory of 2932	2916	cmd.exe	33
PID 2916 wrote to memory of 2932	2916	cmd.exe	33
PID 2672 wrote to memory of 2908	2672	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	34
PID 2672 wrote to memory of 2908	2672	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	34
PID 2672 wrote to memory of 2908	2672	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	34
PID 2672 wrote to memory of 2908	2672	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	34
PID 2672 wrote to memory of 2984	2672	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	36
PID 2672 wrote to memory of 2984	2672	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	36
PID 2672 wrote to memory of 2984	2672	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	36
PID 2672 wrote to memory of 2984	2672	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	36
PID 2672 wrote to memory of 2984	2672	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	36
PID 2672 wrote to memory of 2984	2672	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	36
PID 2672 wrote to memory of 2984	2672	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	36
PID 2672 wrote to memory of 2984	2672	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	36
PID 2672 wrote to memory of 2984	2672	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	36
PID 2672 wrote to memory of 2984	2672	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	36
PID 2672 wrote to memory of 2984	2672	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	36
PID 2672 wrote to memory of 2984	2672	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	36
PID 2672 wrote to memory of 2984	2672	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	36
PID 2672 wrote to memory of 2984	2672	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	36
PID 2672 wrote to memory of 2984	2672	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	36
PID 2672 wrote to memory of 2984	2672	JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe	36
PID 2156 wrote to memory of 2032	2156	taskeng.exe	38
PID 2156 wrote to memory of 2032	2156	taskeng.exe	38
PID 2156 wrote to memory of 2032	2156	taskeng.exe	38
PID 2156 wrote to memory of 2032	2156	taskeng.exe	38
PID 2032 wrote to memory of 2744	2032	lpoef.exe	40
PID 2032 wrote to memory of 2744	2032	lpoef.exe	40
PID 2032 wrote to memory of 2744	2032	lpoef.exe	40
PID 2032 wrote to memory of 2744	2032	lpoef.exe	40
PID 2744 wrote to memory of 2228	2744	cmd.exe	42
PID 2744 wrote to memory of 2228	2744	cmd.exe	42
PID 2744 wrote to memory of 2228	2744	cmd.exe	42
PID 2744 wrote to memory of 2228	2744	cmd.exe	42
PID 2032 wrote to memory of 2208	2032	lpoef.exe	43
PID 2032 wrote to memory of 2208	2032	lpoef.exe	43
PID 2032 wrote to memory of 2208	2032	lpoef.exe	43
PID 2032 wrote to memory of 2208	2032	lpoef.exe	43
PID 2032 wrote to memory of 3036	2032	lpoef.exe	45
PID 2032 wrote to memory of 3036	2032	lpoef.exe	45
PID 2032 wrote to memory of 3036	2032	lpoef.exe	45
PID 2032 wrote to memory of 3036	2032	lpoef.exe	45
PID 2032 wrote to memory of 3036	2032	lpoef.exe	45
PID 2032 wrote to memory of 3036	2032	lpoef.exe	45
PID 2032 wrote to memory of 3036	2032	lpoef.exe	45
PID 2032 wrote to memory of 3036	2032	lpoef.exe	45
PID 2032 wrote to memory of 3036	2032	lpoef.exe	45
PID 2032 wrote to memory of 3036	2032	lpoef.exe	45
PID 2032 wrote to memory of 3036	2032	lpoef.exe	45
PID 2032 wrote to memory of 3036	2032	lpoef.exe	45
PID 2032 wrote to memory of 3036	2032	lpoef.exe	45
PID 2032 wrote to memory of 3036	2032	lpoef.exe	45
PID 2032 wrote to memory of 3036	2032	lpoef.exe	45
PID 2032 wrote to memory of 3036	2032	lpoef.exe	45
PID 2156 wrote to memory of 1728	2156	taskeng.exe	46
PID 2156 wrote to memory of 1728	2156	taskeng.exe	46
PID 2156 wrote to memory of 1728	2156	taskeng.exe	46
PID 2156 wrote to memory of 1728	2156	taskeng.exe	46

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\lpoef.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\lpoef.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2932
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab56012c39bd81986d6392624a7a968645cc65294d6b37bce884ed3e45d56d5b.exe" "C:\Users\Admin\AppData\Roaming\lpoef.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2984

C:\Windows\system32\taskeng.exe
taskeng.exe {71988152-BA1B-4E0B-9A9A-136D3204EF3B} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Roaming\lpoef.exe
  C:\Users\Admin\AppData\Roaming\lpoef.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\lpoef.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\lpoef.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\lpoef.exe" "C:\Users\Admin\AppData\Roaming\lpoef.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2208
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3036
- C:\Users\Admin\AppData\Roaming\lpoef.exe
  C:\Users\Admin\AppData\Roaming\lpoef.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1728-77-0x0000000000B70000-0x0000000000C1A000-memory.dmp

Filesize
680KB

Download
memory/2032-41-0x0000000000B30000-0x0000000000BDA000-memory.dmp

Filesize
680KB

Download
memory/2672-25-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2672-0-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download
memory/2672-4-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2672-1-0x0000000000A60000-0x0000000000B0A000-memory.dmp

Filesize
680KB

Download
memory/2672-2-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2672-3-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download
memory/2984-14-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2984-36-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2984-12-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2984-10-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2984-9-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2984-7-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2984-22-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2984-33-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2984-16-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2984-27-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2984-8-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2984-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2984-24-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2984-32-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2984-37-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2984-38-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2984-18-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2984-42-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2984-43-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2984-44-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2984-78-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2984-29-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2984-75-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2984-74-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3036-72-0x0000000000130000-0x00000000001AB000-memory.dmp

Filesize
492KB

Download
memory/3036-73-0x0000000000130000-0x00000000001AB000-memory.dmp

Filesize
492KB

Download
memory/3036-67-0x0000000000130000-0x00000000001AB000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads