remcos | d6f9c8f0d85d3573661cc2223bdc362324d31c811038f65570b2b95ad5760353

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-01-2025 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c867b11da5742af948844ca1067af51e.exe
Size

7.5MB
MD5

c867b11da5742af948844ca1067af51e
SHA1

be978c0c697f6d0890e52aec37b70f9c0f66b5da
SHA256

d6f9c8f0d85d3573661cc2223bdc362324d31c811038f65570b2b95ad5760353
SHA512

9022c121f4e0c473104c48cc6ce97929dba39cd819b9c9d7f0658dca94364e5fd27c079a7140be6d93aef425fab68af9f6c88f1e64dfc68a01dbded0074b9105
SSDEEP

196608:+pJhiSM1lFpCBzspCr60mP7AlwQFMazjdbr5O1nT:+pziSMOtO8lw2MGjh5+T

Score

10^/10

remcos syst32 discovery rat

Malware Config

Extracted

Family

remcos

Botnet

Syst32

5.252.153.86:4777

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Log
mouse_option
false
mutex
Sys32-MEVWZR
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 2 IoCs

pid	Process
2868	TSConfig.exe
2580	TSConfig.exe

Loads dropped DLL 15 IoCs

pid	Process
2720	c867b11da5742af948844ca1067af51e.exe
2868	TSConfig.exe
2868	TSConfig.exe
2868	TSConfig.exe
2868	TSConfig.exe
2868	TSConfig.exe
2868	TSConfig.exe
2580	TSConfig.exe
2580	TSConfig.exe
2580	TSConfig.exe
2580	TSConfig.exe
2580	TSConfig.exe
588	cmd.exe
588	cmd.exe
2360	Drivertls.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2580 set thread context of 588	2580	TSConfig.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c867b11da5742af948844ca1067af51e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TSConfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TSConfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Drivertls.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2868	TSConfig.exe
2580	TSConfig.exe
2580	TSConfig.exe
588	cmd.exe
588	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2580	TSConfig.exe
588	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2360	Drivertls.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2868	2720	c867b11da5742af948844ca1067af51e.exe	30
PID 2720 wrote to memory of 2868	2720	c867b11da5742af948844ca1067af51e.exe	30
PID 2720 wrote to memory of 2868	2720	c867b11da5742af948844ca1067af51e.exe	30
PID 2720 wrote to memory of 2868	2720	c867b11da5742af948844ca1067af51e.exe	30
PID 2720 wrote to memory of 2868	2720	c867b11da5742af948844ca1067af51e.exe	30
PID 2720 wrote to memory of 2868	2720	c867b11da5742af948844ca1067af51e.exe	30
PID 2720 wrote to memory of 2868	2720	c867b11da5742af948844ca1067af51e.exe	30
PID 2868 wrote to memory of 2580	2868	TSConfig.exe	31
PID 2868 wrote to memory of 2580	2868	TSConfig.exe	31
PID 2868 wrote to memory of 2580	2868	TSConfig.exe	31
PID 2868 wrote to memory of 2580	2868	TSConfig.exe	31
PID 2868 wrote to memory of 2580	2868	TSConfig.exe	31
PID 2868 wrote to memory of 2580	2868	TSConfig.exe	31
PID 2868 wrote to memory of 2580	2868	TSConfig.exe	31
PID 2580 wrote to memory of 588	2580	TSConfig.exe	32
PID 2580 wrote to memory of 588	2580	TSConfig.exe	32
PID 2580 wrote to memory of 588	2580	TSConfig.exe	32
PID 2580 wrote to memory of 588	2580	TSConfig.exe	32
PID 2580 wrote to memory of 588	2580	TSConfig.exe	32
PID 588 wrote to memory of 2360	588	cmd.exe	34
PID 588 wrote to memory of 2360	588	cmd.exe	34
PID 588 wrote to memory of 2360	588	cmd.exe	34
PID 588 wrote to memory of 2360	588	cmd.exe	34
PID 588 wrote to memory of 2360	588	cmd.exe	34
PID 588 wrote to memory of 2360	588	cmd.exe	34
PID 588 wrote to memory of 2360	588	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\c867b11da5742af948844ca1067af51e.exe
"C:\Users\Admin\AppData\Local\Temp\c867b11da5742af948844ca1067af51e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Local\Temp\TSConfig.exe
  "C:\Users\Admin\AppData\Local\Temp\TSConfig.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\ProgramData\Patchoraclev4\TSConfig.exe
    C:\ProgramData\Patchoraclev4\TSConfig.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:588
    - - C:\Users\Admin\AppData\Local\Temp\Drivertls.exe
        
        C:\Users\Admin\AppData\Local\Temp\Drivertls.exe
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Log\logs.dat

Filesize
184B

MD5
8e60803faa0a7e4d784c8380c74f2d5e

SHA1
2857fb09391871cdceefaf96ff735eccb34c3437

SHA256
ef1f0fe7a3d728847954f4b079b188e99c2b3ee5500254dab3d38cc748d92f7e

SHA512
5c30b84ffe03ff0b3a85b53b05cd23f01da85c847a686fd0f1407110e0156bfd79fcae2f480b36a4135577418411a3fe0ff3a2c676475b5cc0b29492f1ef3b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNP_Act_Installer.dll

Filesize
3.2MB

MD5
818abbbd3717505c01e4e8277406af8f

SHA1
4374b855c5a37e89daa37791d1a4f2c635bf66e7

SHA256
bc0acdfb672ad01ad3b658ee51e2ee6523d56ea4bc4c066b390cf9b494e2aa69

SHA512
7c73ec9b15e82964573db1b7d3996677b244b6efa64cab60cefff6d995d3ea3e6e89c1578c5b5a266b964a19336ce5b956a4a4f37be12b4907dbee827b6613b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISUIServices.dll

Filesize
7.1MB

MD5
8ff059505a66e89bcc87dbb93e41ff0d

SHA1
6594bca59b503dcd85071872f598bc442c1afebe

SHA256
37b0f6eb77b5bdc02ace904a0c9dbaba29a0e966f96839bacca52d207815adbd

SHA512
a5df05981f0ae4b16d3934f8525840fe0d219f728ce5dd83073d2503f279cb6cabee47ccd96825efbf12dd0999220cca9460a796024dabb20c95ae3917bf11d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSVCP140.dll

Filesize
437KB

MD5
dc739066c9d0ca961cba2f320cade28e

SHA1
81ed5f7861e748b90c7ae2d18da80d1409d1fa05

SHA256
74e9268a68118bb1ac5154f8f327887715960ccc37ba9dabbe31ecd82dcbaa55

SHA512
4eb181984d989156b8703fd8bb8963d7a5a3b7f981fe747c6992993b7a1395a21f45dbedf08c1483d523e772bdf41330753e1771243b53da36d2539c01171cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ToolkitPro1840vc140U.dll

Filesize
11.4MB

MD5
7a984c997348ddc9a0b763ac78d82030

SHA1
50857f968227fb362080374116c7752ccee5e05a

SHA256
012910abe7f03d2cd161a34c553facbe241fa179be65c01deaf8d78821501b96

SHA512
eab0bba9bad5297c92a111fc2ac932618371b458ea1bab65c1cae15736b70d8567502f738f87dcf81fce853172107d3e8f2eeb101e21c2128b9bb1276715e8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCRUNTIME140.dll

Filesize
88KB

MD5
1d4ff3cf64ab08c66ae9a4013c89a3ac

SHA1
f9ee15d0e9b0b7e04ff4c8a5de5afcffe8b2527b

SHA256
65f620bc588d95fe2ed236d1602e49f89077b434c83102549eed137c7fdc7220

SHA512
65fbd68843280e933620c470e524fba993ab4c48ede4bc0917b4ebe25da0408d02daec3f5afcd44a3ff8aba676d2eff2dda3f354029d27932ef39c9fdea51c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\f12dbad4

Filesize
1.6MB

MD5
a99488d2de20c0590a64f5854651c9ba

SHA1
816103d190c5a6859427d18db883d0166d00155a

SHA256
244072e9e6255229403aaf3e465438b0c910be569e549df7c2800a25ab3f7a93

SHA512
dca2ab9499c8c22b3159d09695d93d49258a3814044c1c5f0cfe747f3c4e2fcfe5e0de819a150957fdebed17f91513df0c79991ce54d0c3982fdc9d920c9a376

Download Submit
C:\Users\Admin\AppData\Local\Temp\fumatory.rpm

Filesize
1.1MB

MD5
e7a01cdf9412e0e04bdd39b9077d3648

SHA1
ad177ad602931df117210b0333aa9abdcec15222

SHA256
7438bb293c57389612521c739ce59bc1aaac9e631dbc5c017fda1d3e0e7e4db3

SHA512
a7921b97af0e30562f4bbc09ff688447eac4d3c60f2bc954bf0a4a72f8975f271ecc8b64cc7e6155257d2af353d07126074416c94cf1520b4d1f6407d5b1d1f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mfc140u.dll

Filesize
4.6MB

MD5
266c6a0adda7ca07753636b1f8a69f7f

SHA1
996cc22086168cd47a19384117ee61e9eb03f99a

SHA256
3f8176bbc33f75fbcc429800461d84bcdb92d766d968220a9cc31f4cf6987271

SHA512
016c3197a089e68145741a74d6fb2749d45d0760cdb471c9c4efc17b365b0c0dfddd7ca331d5a6fad441485c382b382eab6ed9aca80640a540fed36c6905125c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qasida.swf

Filesize
39KB

MD5
6b29c08211ad5820a7731ac63ca33d3f

SHA1
c4f830fbbb10273cb993e41c6ce624d4d3e734a6

SHA256
e1714ade5fba54092e942519744f8b48d39dfda430df7b55ffd8522462adb9d6

SHA512
9ba40b951714be4778a2a01e8da0454906b0f42747e36cf1f5f8d5a8981af44436693f273530f8df8c40ea1eb610281f69262d102bfcc6fb7c998ad8e3893470

Download Submit
\Users\Admin\AppData\Local\Temp\Drivertls.exe

Filesize
433KB

MD5
fea067901f48a5f1faf7ca3b373f1a8f

SHA1
e8abe0deb87de9fe3bb3a611234584e9a9b17cce

SHA256
bf24b2f3e3a3c60ed116791b99e5421a4de34ac9c6e2201d34ab487e448ce152

SHA512
07c83a2d3d5dd475bc8aa48eba9b03e8fb742dbbd7bd623ed05dc1086efed7dfd1c1b8f037ee2e81efba1de58ea3243d7c84ac8b484e808cd28765f9c7517023

Download Submit
\Users\Admin\AppData\Local\Temp\TSConfig.exe

Filesize
1.5MB

MD5
48c9a0c76b44a5f2729c876085adba4e

SHA1
8a5bee1995153d6069fb322ed23dec2de461f0df

SHA256
b5f9377bd27fcf48fb3d81d0196021681739f42a198e8340c27d55192d4bd3ac

SHA512
75873d0d41e16f5c9c58784f5eff2749f33be720f6f235e9da69c08d688d07c9a879f0fa4e365a172c3c61408c5fdef391b139aca70c3f6560fed3c4a181238d

Download Submit
memory/588-70-0x0000000072FC0000-0x0000000073134000-memory.dmp

Filesize
1.5MB

Download
memory/588-69-0x0000000076FF0000-0x0000000077199000-memory.dmp

Filesize
1.7MB

Download
memory/588-78-0x0000000072FC0000-0x0000000073134000-memory.dmp

Filesize
1.5MB

Download
memory/2360-94-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2360-106-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2360-124-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2360-121-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2360-87-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2360-86-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2360-89-0x0000000076FF0000-0x0000000077199000-memory.dmp

Filesize
1.7MB

Download
memory/2360-90-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2360-118-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2360-115-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2360-97-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2360-100-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2360-103-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2360-112-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2360-109-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2580-65-0x0000000076FF0000-0x0000000077199000-memory.dmp

Filesize
1.7MB

Download
memory/2580-66-0x0000000072FC0000-0x0000000073134000-memory.dmp

Filesize
1.5MB

Download
memory/2580-64-0x0000000072FC0000-0x0000000073134000-memory.dmp

Filesize
1.5MB

Download
memory/2868-35-0x0000000072FE0000-0x0000000073154000-memory.dmp

Filesize
1.5MB

Download
memory/2868-36-0x0000000076FF0000-0x0000000077199000-memory.dmp

Filesize
1.7MB

Download