remcos | 99da4f8d4791d9ce9f5bd739c63773bc14f19e971b825a80458a0e748a688da8

Analysis

max time kernel
298s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2025, 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NOTIFICACION JURIDICA/NOTIFICACION JURIDICA FISCAL POR ABUSO DE CONFIANZA.js
Size

3.7MB
MD5

227a0b4511190f239ad8a6f1ec17bf4d
SHA1

d431266d6bf66c619f8b0f7e5cd8df04cdd24bf2
SHA256

c65ee21bdb16755d9ccb650e501f9f4af4ce795347c91b3645ffa71965412a5f
SHA512

338fd098c94625589547fdc50b126a5c95595fbc5f379c6a3ca9d646f35d4f002eb4c01be0fd7f48ebecbbcfb8ac7d2775dcfb6ee48abbfe79da61490538c29b
SSDEEP

384:TnLznLznLznLznLznLznLznLznLznLznLznLznLznLznLznLznLznLznLD:PvvvvvvvvvvvvvvvvvvD

Score

10^/10

remcos 2025 discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

2025

masterrechargeel.kozow.com:6565

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-FI6YA9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	4248	wscript.exe
7	2068	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 2 IoCs

pid	Process
1316	CiscoCollabHost.exe
4636	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2068	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2068	powershell.exe
2068	powershell.exe
2068	powershell.exe
2068	powershell.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe
1316	CiscoCollabHost.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2068	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 2068	4248	wscript.exe	83
PID 4248 wrote to memory of 2068	4248	wscript.exe	83
PID 2068 wrote to memory of 1316	2068	powershell.exe	88
PID 2068 wrote to memory of 1316	2068	powershell.exe	88
PID 1316 wrote to memory of 4052	1316	CiscoCollabHost.exe	94
PID 1316 wrote to memory of 4052	1316	CiscoCollabHost.exe	94
PID 4052 wrote to memory of 1584	4052	cmd.exe	96
PID 4052 wrote to memory of 1584	4052	cmd.exe	96
PID 1316 wrote to memory of 4636	1316	CiscoCollabHost.exe	97
PID 1316 wrote to memory of 4636	1316	CiscoCollabHost.exe	97
PID 1316 wrote to memory of 4636	1316	CiscoCollabHost.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\NOTIFICACION JURIDICA\NOTIFICACION JURIDICA FISCAL POR ABUSO DE CONFIANZA.js"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp.ps1"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\Extracted\CiscoCollabHost.exe
    "C:\Users\Admin\AppData\Local\Temp\Extracted\CiscoCollabHost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1316
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn "Yscu4QXOumPMgkVtT" /tr "C:\Users\Admin\AppData\Roaming\CiscoCollabHost.exe" /sc onlogon /rl highest /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4052
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "Yscu4QXOumPMgkVtT" /tr "C:\Users\Admin\AppData\Roaming\CiscoCollabHost.exe" /sc onlogon /rl highest /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Extracted\CiscoCollabHost.exe

Filesize
121KB

MD5
9c521a90653df5d1efbd0cea12318863

SHA1
ec2afaf10b78dabfead9e9e485d454789c244188

SHA256
85bcfc9de06bd0751245ad882f7e2141f340cdedefcaefb8deabbc0792088a58

SHA512
d1bbb5e07e7df5fe6da9786ecee06c0dfd9e46067de48a139323aa045f81139b78404c4f3f77b1f6f58c3b11d1edf88d0c06ad42fcf7482436367f2444e6152e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extracted\CiscoSparkLauncher.dll

Filesize
2.6MB

MD5
e2e01305e938ea378a88658d81c0917f

SHA1
6b3dc7e13347f6fadadc2dbac7d3a3927d9e2aa6

SHA256
29c3c48f4dc84e7179881bc3767546878b2db89d418372f687edbd4a72ef0989

SHA512
5620ea58d2a7da0fe5d352ea1fe82e76ed84c31b2ae97b28a3ab3b25268f21c0a8eef8ca7baa05ab0f2c80a8125fc7e2441065eda11259b1f636be7b3d6c202d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extracted\VERSION.dll

Filesize
6.4MB

MD5
f422d060f14e7dc67f89030644d0eab5

SHA1
088317ad52c714ecac114dff31a05f1e5a45e351

SHA256
602be2353485b1ed7f60e6803141ea1b43441c92755405737c2bec754b0b6178

SHA512
fa5a411c603eebcb98a83c93a5128b152205402feec2d113139db285cdc2a58e180eade94a3ea8b70d14885ac973b1f454302379ce6e100a2dac583c475a23c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yrfo543r.lw2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
481KB

MD5
3a2b3c0c0e1dd3e659e5828e3cd3d3b0

SHA1
afb8d4b22e1d9753246917f7638e4b1a5e659f4c

SHA256
383f946dfde5e00c9191421b48433bda4e42bad71589893b89ced7efabb06ad8

SHA512
87e948901e42ef331e77b62b61f3721a9a5f4e982159391a55097214fff1579c3ead289c08915dc9d953769012b7c4b799abc36c2d7c05facd436835c9c1a2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.ps1

Filesize
1KB

MD5
e8902879a8b704e7731cccd432bb7558

SHA1
4ddd7e7dce83a8f638cd6aeedb81ea991b4b768b

SHA256
e3eddbc46654a3e5dfe85188e887d0f6b04473543dfe7befd07af04b900cd78b

SHA512
0f3b33bffe327657c003c7d5a28c1e43523deeee16f6146312f2eaf33de9b7ebd873a76cd581010dcc9e31068578665d28dbc85aba6ac6677d6a409c7622b68a

Download Submit
memory/1316-39-0x0000000000400000-0x00000000009A4000-memory.dmp

Filesize
5.6MB

Download
memory/1316-59-0x0000000068840000-0x0000000068EB8000-memory.dmp

Filesize
6.5MB

Download
memory/2068-15-0x00007FF8585D3000-0x00007FF8585D5000-memory.dmp

Filesize
8KB

Download
memory/2068-16-0x00007FF8585D0000-0x00007FF859091000-memory.dmp

Filesize
10.8MB

Download
memory/2068-17-0x00007FF8585D0000-0x00007FF859091000-memory.dmp

Filesize
10.8MB

Download
memory/2068-19-0x000001D57C970000-0x000001D57C97A000-memory.dmp

Filesize
40KB

Download
memory/2068-20-0x000001D57C9A0000-0x000001D57C9B2000-memory.dmp

Filesize
72KB

Download
memory/2068-14-0x00007FF8585D0000-0x00007FF859091000-memory.dmp

Filesize
10.8MB

Download
memory/2068-1-0x00007FF8585D3000-0x00007FF8585D5000-memory.dmp

Filesize
8KB

Download
memory/2068-12-0x00007FF8585D0000-0x00007FF859091000-memory.dmp

Filesize
10.8MB

Download
memory/2068-37-0x00007FF8585D0000-0x00007FF859091000-memory.dmp

Filesize
10.8MB

Download
memory/2068-7-0x000001D57C630000-0x000001D57C652000-memory.dmp

Filesize
136KB

Download