remcos | 20fefa38a50cd99ab81181ab99bee40c3639dbdd465ce2e277eebf1bd6308433

Resubmissions

07-01-2025 16:33

250107-t21fbs1kel 10

07-01-2025 16:25

250107-txdqrsynbz 10

Analysis

max time kernel
330s
max time network
329s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Remcos v5.3.0 Light.exe
Size

38.5MB
MD5

be1aa2a7600e0845d73cd004cd385135
SHA1

b49bfa8ada17ce0f4497a2f2e589824e700360ba
SHA256

20fefa38a50cd99ab81181ab99bee40c3639dbdd465ce2e277eebf1bd6308433
SHA512

adea6c19d96435f853cfa4685f836d20970d944d8155b0ec9d30b7ba3499bb46d9b3125a5a3baf5c244247de3ccd79de0835a3bbc0416b36083e78a1fc865e10
SSDEEP

786432:i3hQRdPjIyoLKX7ho1zqC0tIvNFom4jeA+bG:vvPj0CNUzqCYSaLjeZa

Score

10^/10

remcos remotehost discovery rat

Malware Config

Extracted

Family

remcos

Version

5.3.0 Light

Botnet

RemoteHost

181.215.176.83:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-403792
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 6 IoCs

pid	Process
5032	mpress.exe
1912	remcos_a.exe
2688	mpress.exe
1852	remcos_b.exe
4264	remcos_b.exe
2128	remcos_a.exe

Loads dropped DLL 2 IoCs

pid	Process
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1020	Remcos v5.3.0 Light.exe
1020	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3192	1852	WerFault.exe	107
4508	4264	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mpress.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos_a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos_b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remcos v5.3.0 Light.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mpress.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos_a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remcos v5.3.0 Light.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Remcos v5.3.0 Light.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Documents"	Remcos v5.3.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 010000000200000000000000ffffffff	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Remcos v5.3.0 Light.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Remcos v5.3.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff	Remcos v5.3.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Remcos v5.3.0 Light.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000100000000000000ffffffff	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Remcos v5.3.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Remcos v5.3.0 Light.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Downloads"	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Remcos v5.3.0 Light.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4432	explorer.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1020	Remcos v5.3.0 Light.exe
1020	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1220	Remcos v5.3.0 Light.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1912	remcos_a.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1220	Remcos v5.3.0 Light.exe
1912	remcos_a.exe
2128	remcos_a.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1020	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
1220	Remcos v5.3.0 Light.exe
4432	explorer.exe
4432	explorer.exe
4432	explorer.exe
1220	Remcos v5.3.0 Light.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 1092	1220	Remcos v5.3.0 Light.exe	96
PID 1220 wrote to memory of 1092	1220	Remcos v5.3.0 Light.exe	96
PID 1220 wrote to memory of 1092	1220	Remcos v5.3.0 Light.exe	96
PID 1092 wrote to memory of 5032	1092	cmd.exe	98
PID 1092 wrote to memory of 5032	1092	cmd.exe	98
PID 1092 wrote to memory of 5032	1092	cmd.exe	98
PID 4432 wrote to memory of 2832	4432	explorer.exe	100
PID 4432 wrote to memory of 2832	4432	explorer.exe	100
PID 2832 wrote to memory of 1912	2832	cmd.exe	102
PID 2832 wrote to memory of 1912	2832	cmd.exe	102
PID 2832 wrote to memory of 1912	2832	cmd.exe	102
PID 1220 wrote to memory of 4028	1220	Remcos v5.3.0 Light.exe	104
PID 1220 wrote to memory of 4028	1220	Remcos v5.3.0 Light.exe	104
PID 1220 wrote to memory of 4028	1220	Remcos v5.3.0 Light.exe	104
PID 4028 wrote to memory of 2688	4028	cmd.exe	106
PID 4028 wrote to memory of 2688	4028	cmd.exe	106
PID 4028 wrote to memory of 2688	4028	cmd.exe	106
PID 2832 wrote to memory of 1852	2832	cmd.exe	107
PID 2832 wrote to memory of 1852	2832	cmd.exe	107
PID 2832 wrote to memory of 1852	2832	cmd.exe	107
PID 2832 wrote to memory of 4264	2832	cmd.exe	111
PID 2832 wrote to memory of 4264	2832	cmd.exe	111
PID 2832 wrote to memory of 4264	2832	cmd.exe	111
PID 2832 wrote to memory of 2128	2832	cmd.exe	114
PID 2832 wrote to memory of 2128	2832	cmd.exe	114
PID 2832 wrote to memory of 2128	2832	cmd.exe	114

C:\Users\Admin\AppData\Local\Temp\Remcos v5.3.0 Light.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v5.3.0 Light.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\Remcos v5.3.0 Light.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v5.3.0 Light.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ""C:\Users\Admin\AppData\Local\Temp\mpress.exe" "C:\Users\Admin\Downloads\remcos_a.exe""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Users\Admin\AppData\Local\Temp\mpress.exe
    "C:\Users\Admin\AppData\Local\Temp\mpress.exe" "C:\Users\Admin\Downloads\remcos_a.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5032
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ""C:\Users\Admin\AppData\Local\Temp\mpress.exe" "C:\Users\Admin\Downloads\remcos_b.exe""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Users\Admin\AppData\Local\Temp\mpress.exe
    "C:\Users\Admin\AppData\Local\Temp\mpress.exe" "C:\Users\Admin\Downloads\remcos_b.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2688

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Users\Admin\Downloads\remcos_a.exe
    remcos_a.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1912
- - C:\Users\Admin\Downloads\remcos_b.exe
    remcos_b.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 548
      4⤵
      Program crash
      PID:3192
- - C:\Users\Admin\Downloads\remcos_b.exe
    remcos_b.exe
    3⤵
    - Executes dropped EXE
    PID:4264
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 528
      4⤵
      Program crash
      PID:4508
- - C:\Users\Admin\Downloads\remcos_a.exe
    remcos_a.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SendNotifyMessage
    PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1852 -ip 1852
1⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4264 -ip 4264
1⤵
PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BuilderProfiles\DefaultProfile.ini

Filesize
398B

MD5
642bc34a7a126920ed0f63f4d0116f86

SHA1
2712bfa8c3ef7300cf3ab1608ed003bc9e57dcac

SHA256
7b96a63060f8adab050351e274917119153a85295b541c8d3251fbd9574d1373

SHA512
4bcc6ef75839e29b59ea01c627e00be8b325b0dafb8282ddb0c4c96d13f09aeba83f3d624274dc605b371d110725c31c8361f8bf52100deb2730110935e4b390

Download Submit
C:\Users\Admin\AppData\Local\Temp\BuilderProfiles\DefaultProfile.ini

Filesize
403B

MD5
0f7c1a125acacf4b898876519f933cfc

SHA1
718d96cae88d1a9dc22250d0698d86126d171096

SHA256
122b817ca9c27bd5a27afa6dd3ba156adbdaf8844f0cfb4e509e6367378cfacd

SHA512
0917b498d2ed0abf534c260e673ce31fad22ae58a36703385b99cadc24d38d93a95520262994ec14997e138cf48bce0ef04d579009cd1ea339ab442e1810f295

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos_Settings.ini

Filesize
73B

MD5
d6ebf2e3bc1043da4bde77ca18fe5241

SHA1
1372fbc53fe057e2568c72c96dd02a43f048645c

SHA256
d1af1101393e6382a92bd26e4931443a07f187d2f044296cec06dd92d86e141e

SHA512
b38e596c43ff1121feee76e96481501596ccd4f2852754da7c5e818a25851c5651aa804b47547d66c191ddb563f979da9e9f8d7eec6a90ed599a4a968c71387e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos_Settings.ini

Filesize
34B

MD5
531582397f8ccb5247d113822217d9bc

SHA1
8667d320df908771d15874dca81cc44d80f8c3aa

SHA256
61d2e1420b59b2d8caba08c4710416aca5ac5d86fc525e81536300ac09493b4a

SHA512
be88b1d9c0d88f69b0a9107eda08c51bf40c3cfc9df5f7a0ee62ca3e2fbc9a0998fbfb644e828fc1b367b5ffed885845d1888d2d26998fa14b401420aaaf4999

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos_Settings.ini

Filesize
55B

MD5
fbbef4b611ff617690446c4638cc595f

SHA1
43e63aa2a81fc0c5a65ecebac7ea03b769dcaae8

SHA256
1b367ba5af9d77c7b400bc6997547b88e375806da9b4d124edc838fb789873ba

SHA512
8034f0546fcd05c76aa975020ffa02fcba2d5c405d25fe2ba633c9f95b8bb01ce6a3379ce63920d5780289a829d2b99232c589a0a75bfc2638b8312bc5596e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLS\libeay32.dll

Filesize
1.3MB

MD5
fa5def992198121d4bb5ff3bde39fdc9

SHA1
f684152c245cc708fbaf4d1c0472d783b26c5b18

SHA256
5264a4a478383f501961f2bd9beb1f77a43a487b76090561bba2cbfe951e5305

SHA512
4589382a71cd3a577b83bab4a0209e72e02f603e7da6ef3175b6a74bd958e70a891091dbdff4be0725baca2d665470594b03f074983b3ed3242e5cd04783fdba

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLS\remcos_client.key

Filesize
633B

MD5
455202a8f0a78e84919556a4f31f8eca

SHA1
2c0578b13ee09cfc203f246cbdcf28429486532b

SHA256
8548191e26d4adc20b3a9dd09eef3e44a2acf0060f373f35b789a6a6c4635dd7

SHA512
ae848d22991816b0616757b26cc90f889612cf20accb559234c08fe1d8a95a87bbe110d55ee6337433d8afc56b01d247e4a554b76d2c47ce1db1306b852d1899

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLS\remcos_server.key

Filesize
633B

MD5
c18055f9cd574d28d2d08d64a9c9c750

SHA1
f6979dbd9d3a65b5cafb4393fd363ba2704b6354

SHA256
e03a2afb34fc54d65443c56b1056209ceeab089a513daf3717ad364ee7c84c9e

SHA512
0ed56bb2fa235e8008422a7a72a309c69cd1d0748a83a4aa39446d45738a017e099c4fce449ee642b8ef61863fdac5a8b4fe63b6ff38e481808eec7b9a38c35a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLS\ssleay32.dll

Filesize
330KB

MD5
2117e31688aef8ecf267978265bfcdcd

SHA1
e8c3cfd65ed7947f23b1bb0b66185e1e73913cfc

SHA256
0a4031ab00664cc5e202c8731798800f0475ef76800122cebd71d249655d725f

SHA512
dd03899429c2d542558e30c84a076d7e5dbde5128495954093a7031854c1df68f8ff8eca4c791144937288b084dd261fbe090c4ff9a3e0768e26f0616b474eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\mprC24C.tmp

Filesize
197KB

MD5
c4281e03dd32290db33319f1ad1fe351

SHA1
9c35cec3adc61b0fbd063453ca82a6a68880f87d

SHA256
8c1a6824ce078ca85456e715f257d35a166bd70fc701d53dc3ed04c315189eb6

SHA512
81389756b7f347efac5ba2d1622d5c4b4f9ce56ec74dc706ec20299fa91e89a2d3ad71775241d08dfbf0cc9f730993c540997e0f4c21877d6c257c2e48ea89ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpress.exe

Filesize
101KB

MD5
8b632bfc3fe653a510cba277c2d699d1

SHA1
d6a57aa17e5eb51297def9bac04e574c1e36d9c7

SHA256
2852680c94a9d68cdab285012d9328a1ceca290db60c9e35155c2bb3e46a41b4

SHA512
b9ea70ed984d3b4a42eceb9f34f222b722c4c1985b79b368d769fe0fd1f19f037ffebe2cf938aa98ed450337836a7469d911848448d99223995f7fb3a9304587

Download Submit
C:\Users\Admin\Downloads\remcos_a.exe

Filesize
429KB

MD5
4912af835a8faefa7f56957d2ef0cb8d

SHA1
1aa3bed30098c6b3355362be9a7a95db5657f48d

SHA256
81f716dfd98e532b59690cc881cfb8894428fd8dcaabdc581d3a87229e06cf13

SHA512
974f83debb4f1f81d7e7687bcf91c3a0ec7f1ded10af7b44599d07ad6ad9ab8a0174def27be737ae49c4596125e02874a2a123468ad89c1ae3ecab44deb8f3aa

Download Submit
C:\Users\Admin\Downloads\remcos_b.exe

Filesize
428KB

MD5
c5f09b7719c8b0fff49750c4207b06b2

SHA1
a4e05827087c2db01d12677bde55079d549271a3

SHA256
254062f88f40324329b91a934ecd2b38355225a18f90e0d6f6588f8e181163b8

SHA512
d69a070d0ef9e937be6c5aba18ae21ba37f6a2c502a1b8d48ae9d088d338f3134b52ec1b920ceec9d2450b59bd90ac37b90b966ac3cabdc4304d83cb2b4742c0

Download Submit
C:\Users\Admin\Downloads\remcos_b.exe

Filesize
195KB

MD5
1108bc0d887de437b7826c80badca6f3

SHA1
aa22b26d848da989b5154a6965ffdd1e0270a061

SHA256
8cd96b7d03ea98b23c5ea74fa4f391732b3f50dd24b244423bec8393fa083ac2

SHA512
46a6102c80f26b6b38120e4a2ed3c1548d412ef32ee27c657012f8e04b699b36167702c5824a75ba696ca3b74db136e453afae21fcdba526b1c20449bd4e3c25

Download Submit
memory/1020-4-0x00000000067F0000-0x00000000067F1000-memory.dmp

Filesize
4KB

Download
memory/1020-0-0x0000000000401000-0x0000000000843000-memory.dmp

Filesize
4.3MB

Download
memory/1020-14-0x0000000000400000-0x00000000065DB000-memory.dmp

Filesize
97.9MB

Download
memory/1020-13-0x0000000000400000-0x00000000065DB000-memory.dmp

Filesize
97.9MB

Download
memory/1020-12-0x0000000000400000-0x00000000065DB000-memory.dmp

Filesize
97.9MB

Download
memory/1020-9-0x0000000000400000-0x00000000065DB000-memory.dmp

Filesize
97.9MB

Download
memory/1020-1-0x0000000006790000-0x0000000006791000-memory.dmp

Filesize
4KB

Download
memory/1020-2-0x00000000067B0000-0x00000000067B1000-memory.dmp

Filesize
4KB

Download
memory/1020-5-0x0000000006800000-0x0000000006801000-memory.dmp

Filesize
4KB

Download
memory/1020-6-0x0000000006810000-0x0000000006811000-memory.dmp

Filesize
4KB

Download
memory/1020-7-0x0000000006830000-0x0000000006831000-memory.dmp

Filesize
4KB

Download
memory/1020-8-0x0000000006840000-0x0000000006841000-memory.dmp

Filesize
4KB

Download
memory/1020-3-0x00000000067C0000-0x00000000067C1000-memory.dmp

Filesize
4KB

Download
memory/1220-15-0x0000000006630000-0x0000000006631000-memory.dmp

Filesize
4KB

Download
memory/1220-21-0x00000000084E0000-0x00000000084E1000-memory.dmp

Filesize
4KB

Download
memory/1220-24-0x0000000000400000-0x00000000065DB000-memory.dmp

Filesize
97.9MB

Download
memory/1220-22-0x00000000084F0000-0x00000000084F1000-memory.dmp

Filesize
4KB

Download
memory/1220-16-0x0000000006740000-0x0000000006741000-memory.dmp

Filesize
4KB

Download
memory/1220-17-0x0000000008480000-0x0000000008481000-memory.dmp

Filesize
4KB

Download
memory/1220-18-0x00000000084B0000-0x00000000084B1000-memory.dmp

Filesize
4KB

Download
memory/1220-19-0x00000000084C0000-0x00000000084C1000-memory.dmp

Filesize
4KB

Download
memory/1220-20-0x00000000084D0000-0x00000000084D1000-memory.dmp

Filesize
4KB

Download
memory/1852-170-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1852-169-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1912-104-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1912-103-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1912-117-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1912-113-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1912-112-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1912-111-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1912-102-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1912-118-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2128-174-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2128-175-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2688-166-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4264-172-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5032-86-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5032-94-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download