remcos | 8b2666d4856f98b157dd705cc3a13f1c9203e432d841251528d31460968c89e8

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-12-2024 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MUrCVpcnKl3TR9r.exe
Size

1.7MB
MD5

91988de4e4b2afd8a555630fa6cfdef7
SHA1

31c8e99d816f5df8ce8f152002405ba40257cdf6
SHA256

e0282af4b6dc2361d472e2c8bae5e3c54d4564400980ec27587300cf1b7464e0
SHA512

ae8314ff9a117e77db441050ca79ed297700140f9e5bd80592422f1e658b21b7defe322887facd668e42ae85d6418d72049d8a92349fe78f4ea3846f68ceaf60
SSDEEP

49152:shPfOrFw7mIYTVAh2nHFa1mvC8H+vef7+q7U:shPfOrrPTVLFatB8

Score

10^/10

remcos xred ff backdoor discovery persistence rat

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

remcos

Version

3.1.4 Pro

Botnet

64.44.139.178:7200

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-EQ1491
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eb32dGo7VDvudYzB\\tumRlaDMfHKc.exe\",explorer.exe"	MUrCVpcnKl3TR9r.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eb32dGo7VDvudYzB\\iHfwjZWWMhvV.exe\",explorer.exe"	Synaptics.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 5 IoCs

pid	Process
3032	._cache_MUrCVpcnKl3TR9r.exe
2696	Synaptics.exe
2812	remcos.exe
1052	Synaptics.exe
1388	._cache_Synaptics.exe

Loads dropped DLL 8 IoCs

pid	Process
1652	MUrCVpcnKl3TR9r.exe
1652	MUrCVpcnKl3TR9r.exe
1652	MUrCVpcnKl3TR9r.exe
2612	cmd.exe
2612	cmd.exe
1052	Synaptics.exe
1052	Synaptics.exe
1052	Synaptics.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	MUrCVpcnKl3TR9r.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	._cache_MUrCVpcnKl3TR9r.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1636 set thread context of 1652	1636	MUrCVpcnKl3TR9r.exe	28
PID 2696 set thread context of 1052	2696	Synaptics.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MUrCVpcnKl3TR9r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MUrCVpcnKl3TR9r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_MUrCVpcnKl3TR9r.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1208	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1636	MUrCVpcnKl3TR9r.exe
2696	Synaptics.exe
2696	Synaptics.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1636	MUrCVpcnKl3TR9r.exe
Token: SeDebugPrivilege	1636	MUrCVpcnKl3TR9r.exe
Token: SeDebugPrivilege	2696	Synaptics.exe
Token: SeDebugPrivilege	2696	Synaptics.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2812	remcos.exe
1208	EXCEL.EXE

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1652	1636	MUrCVpcnKl3TR9r.exe	28
PID 1636 wrote to memory of 1652	1636	MUrCVpcnKl3TR9r.exe	28
PID 1636 wrote to memory of 1652	1636	MUrCVpcnKl3TR9r.exe	28
PID 1636 wrote to memory of 1652	1636	MUrCVpcnKl3TR9r.exe	28
PID 1636 wrote to memory of 1652	1636	MUrCVpcnKl3TR9r.exe	28
PID 1636 wrote to memory of 1652	1636	MUrCVpcnKl3TR9r.exe	28
PID 1636 wrote to memory of 1652	1636	MUrCVpcnKl3TR9r.exe	28
PID 1636 wrote to memory of 1652	1636	MUrCVpcnKl3TR9r.exe	28
PID 1636 wrote to memory of 1652	1636	MUrCVpcnKl3TR9r.exe	28
PID 1636 wrote to memory of 1652	1636	MUrCVpcnKl3TR9r.exe	28
PID 1636 wrote to memory of 1652	1636	MUrCVpcnKl3TR9r.exe	28
PID 1636 wrote to memory of 1652	1636	MUrCVpcnKl3TR9r.exe	28
PID 1652 wrote to memory of 3032	1652	MUrCVpcnKl3TR9r.exe	29
PID 1652 wrote to memory of 3032	1652	MUrCVpcnKl3TR9r.exe	29
PID 1652 wrote to memory of 3032	1652	MUrCVpcnKl3TR9r.exe	29
PID 1652 wrote to memory of 3032	1652	MUrCVpcnKl3TR9r.exe	29
PID 3032 wrote to memory of 2644	3032	._cache_MUrCVpcnKl3TR9r.exe	30
PID 3032 wrote to memory of 2644	3032	._cache_MUrCVpcnKl3TR9r.exe	30
PID 3032 wrote to memory of 2644	3032	._cache_MUrCVpcnKl3TR9r.exe	30
PID 3032 wrote to memory of 2644	3032	._cache_MUrCVpcnKl3TR9r.exe	30
PID 1652 wrote to memory of 2696	1652	MUrCVpcnKl3TR9r.exe	31
PID 1652 wrote to memory of 2696	1652	MUrCVpcnKl3TR9r.exe	31
PID 1652 wrote to memory of 2696	1652	MUrCVpcnKl3TR9r.exe	31
PID 1652 wrote to memory of 2696	1652	MUrCVpcnKl3TR9r.exe	31
PID 2644 wrote to memory of 2612	2644	WScript.exe	32
PID 2644 wrote to memory of 2612	2644	WScript.exe	32
PID 2644 wrote to memory of 2612	2644	WScript.exe	32
PID 2644 wrote to memory of 2612	2644	WScript.exe	32
PID 2612 wrote to memory of 2812	2612	cmd.exe	34
PID 2612 wrote to memory of 2812	2612	cmd.exe	34
PID 2612 wrote to memory of 2812	2612	cmd.exe	34
PID 2612 wrote to memory of 2812	2612	cmd.exe	34
PID 2696 wrote to memory of 1052	2696	Synaptics.exe	37
PID 2696 wrote to memory of 1052	2696	Synaptics.exe	37
PID 2696 wrote to memory of 1052	2696	Synaptics.exe	37
PID 2696 wrote to memory of 1052	2696	Synaptics.exe	37
PID 2696 wrote to memory of 1052	2696	Synaptics.exe	37
PID 2696 wrote to memory of 1052	2696	Synaptics.exe	37
PID 2696 wrote to memory of 1052	2696	Synaptics.exe	37
PID 2696 wrote to memory of 1052	2696	Synaptics.exe	37
PID 2696 wrote to memory of 1052	2696	Synaptics.exe	37
PID 2696 wrote to memory of 1052	2696	Synaptics.exe	37
PID 2696 wrote to memory of 1052	2696	Synaptics.exe	37
PID 2696 wrote to memory of 1052	2696	Synaptics.exe	37
PID 1052 wrote to memory of 1388	1052	Synaptics.exe	38
PID 1052 wrote to memory of 1388	1052	Synaptics.exe	38
PID 1052 wrote to memory of 1388	1052	Synaptics.exe	38
PID 1052 wrote to memory of 1388	1052	Synaptics.exe	38

C:\Users\Admin\AppData\Local\Temp\MUrCVpcnKl3TR9r.exe
"C:\Users\Admin\AppData\Local\Temp\MUrCVpcnKl3TR9r.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\Temp\MUrCVpcnKl3TR9r.exe
  "C:\Users\Admin\AppData\Local\Temp\MUrCVpcnKl3TR9r.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Users\Admin\AppData\Local\Temp\._cache_MUrCVpcnKl3TR9r.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_MUrCVpcnKl3TR9r.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2612
      - C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2812
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1052
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        5⤵
        Executes dropped EXE
        
        PID:1388

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.7MB

MD5
91988de4e4b2afd8a555630fa6cfdef7

SHA1
31c8e99d816f5df8ce8f152002405ba40257cdf6

SHA256
e0282af4b6dc2361d472e2c8bae5e3c54d4564400980ec27587300cf1b7464e0

SHA512
ae8314ff9a117e77db441050ca79ed297700140f9e5bd80592422f1e658b21b7defe322887facd668e42ae85d6418d72049d8a92349fe78f4ea3846f68ceaf60

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_MUrCVpcnKl3TR9r.exe

Filesize
455KB

MD5
f4e04ce181bf25a30e3d0cb1ce282c9e

SHA1
24c0528a9e5c864980657f646ed5bed615291f15

SHA256
e969587901730f24d85569f0a5b3fec0be6754c4edb20f9dcea6430e4a0bf4a1

SHA512
b3124d0c31be65f5d0d2239513144a2943421362c0b804e0df1f4cc0c47e41f3466be619c17fe88f6a73cc2b6297be893e763b4b2f702adba583fe19e1caed22

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
418B

MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwf5eL3c.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwf5eL3c.xlsm

Filesize
24KB

MD5
4663ae1854898c1eaeed9e50ef6360ee

SHA1
72745ae6b980f0a31d606cce8569a7d58a899c75

SHA256
73ee2166b937de0ee4dadcd9e8cc1630b070bdef02f3a1e18a9045683c8e4529

SHA512
b4e01e0d8db034f7352f7fd51f2b5ddf13dbab95d1eb2b2eba964b5631bba9ba1de43167c27305a21023c3e48888d2d78b1d8a75b87bbc6af00cb552f2024da8

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\logs.dat

Filesize
148B

MD5
840b241c1b710417208ac5045fb44518

SHA1
ec332faf6d767838b7d9a5f976d0c0ebcc36f1ca

SHA256
4c051bd6afd5e377e5361e57c955ed8f88afbad409d1facc9e7b78c27983a161

SHA512
db68d4fe06db2f1d5c7bce4070fdf6ad2710ec23c1ed19f18c1f74bab08c259cd93e713178622f05cd9c757fd9e110609942b28e94ae48f2a6fa62af9f7ee857

Download Submit
memory/1052-136-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1052-137-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1052-140-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1052-178-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1052-80-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1052-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1208-93-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1636-0-0x0000000074A31000-0x0000000074A32000-memory.dmp

Filesize
4KB

Download
memory/1636-51-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/1636-1-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/1636-2-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/1652-16-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1652-5-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1652-6-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1652-7-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1652-8-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1652-9-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1652-10-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1652-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1652-20-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1652-17-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1652-15-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1652-11-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download