remcos | d6f9c8f0d85d3573661cc2223bdc362324d31c811038f65570b2b95ad5760353

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2025 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c867b11da5742af948844ca1067af51e.exe
Size

7.5MB
MD5

c867b11da5742af948844ca1067af51e
SHA1

be978c0c697f6d0890e52aec37b70f9c0f66b5da
SHA256

d6f9c8f0d85d3573661cc2223bdc362324d31c811038f65570b2b95ad5760353
SHA512

9022c121f4e0c473104c48cc6ce97929dba39cd819b9c9d7f0658dca94364e5fd27c079a7140be6d93aef425fab68af9f6c88f1e64dfc68a01dbded0074b9105
SSDEEP

196608:+pJhiSM1lFpCBzspCr60mP7AlwQFMazjdbr5O1nT:+pziSMOtO8lw2MGjh5+T

Score

10^/10

remcos syst32 discovery rat

Malware Config

Extracted

Family

remcos

Botnet

Syst32

5.252.153.86:4777

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Log
mouse_option
false
mutex
Sys32-MEVWZR
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	c867b11da5742af948844ca1067af51e.exe

Executes dropped EXE 2 IoCs

pid	Process
1488	TSConfig.exe
4928	TSConfig.exe

Loads dropped DLL 12 IoCs

pid	Process
1488	TSConfig.exe
1488	TSConfig.exe
1488	TSConfig.exe
1488	TSConfig.exe
1488	TSConfig.exe
1488	TSConfig.exe
4928	TSConfig.exe
4928	TSConfig.exe
4928	TSConfig.exe
4928	TSConfig.exe
4928	TSConfig.exe
4328	Drivertls.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4928 set thread context of 4480	4928	TSConfig.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c867b11da5742af948844ca1067af51e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TSConfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TSConfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Drivertls.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1488	TSConfig.exe
4928	TSConfig.exe
4928	TSConfig.exe
4480	cmd.exe
4480	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4928	TSConfig.exe
4480	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4328	Drivertls.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 1488	4752	c867b11da5742af948844ca1067af51e.exe	83
PID 4752 wrote to memory of 1488	4752	c867b11da5742af948844ca1067af51e.exe	83
PID 4752 wrote to memory of 1488	4752	c867b11da5742af948844ca1067af51e.exe	83
PID 1488 wrote to memory of 4928	1488	TSConfig.exe	84
PID 1488 wrote to memory of 4928	1488	TSConfig.exe	84
PID 1488 wrote to memory of 4928	1488	TSConfig.exe	84
PID 4928 wrote to memory of 4480	4928	TSConfig.exe	85
PID 4928 wrote to memory of 4480	4928	TSConfig.exe	85
PID 4928 wrote to memory of 4480	4928	TSConfig.exe	85
PID 4928 wrote to memory of 4480	4928	TSConfig.exe	85
PID 4480 wrote to memory of 4328	4480	cmd.exe	100
PID 4480 wrote to memory of 4328	4480	cmd.exe	100
PID 4480 wrote to memory of 4328	4480	cmd.exe	100
PID 4480 wrote to memory of 4328	4480	cmd.exe	100
PID 4480 wrote to memory of 4328	4480	cmd.exe	100
PID 4480 wrote to memory of 4328	4480	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\c867b11da5742af948844ca1067af51e.exe
"C:\Users\Admin\AppData\Local\Temp\c867b11da5742af948844ca1067af51e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Users\Admin\AppData\Local\Temp\TSConfig.exe
  "C:\Users\Admin\AppData\Local\Temp\TSConfig.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\ProgramData\Patchoraclev4\TSConfig.exe
    C:\ProgramData\Patchoraclev4\TSConfig.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4480
    - - C:\Users\Admin\AppData\Local\Temp\Drivertls.exe
        
        C:\Users\Admin\AppData\Local\Temp\Drivertls.exe
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Log\logs.dat

Filesize
184B

MD5
d9f9aa16e2de7bee6edf2a362f069077

SHA1
049ba107346a8e603f3e8849e540ca44619d7733

SHA256
d388715035411b069751375a991e04e331d6b3f3ceeaef60ed63e70fff3614a0

SHA512
64ca2cd339ee71308065f53a87bb3d5c9d2e49ef925d4bbdd4f15a41f560e55d875f3f3f56b5fd0a73d79e8dc4b640ecc9b2e9c210b066a6c5e28f7787546378

Download Submit
C:\Users\Admin\AppData\Local\Temp\Drivertls.exe

Filesize
433KB

MD5
fea067901f48a5f1faf7ca3b373f1a8f

SHA1
e8abe0deb87de9fe3bb3a611234584e9a9b17cce

SHA256
bf24b2f3e3a3c60ed116791b99e5421a4de34ac9c6e2201d34ab487e448ce152

SHA512
07c83a2d3d5dd475bc8aa48eba9b03e8fb742dbbd7bd623ed05dc1086efed7dfd1c1b8f037ee2e81efba1de58ea3243d7c84ac8b484e808cd28765f9c7517023

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNP_Act_Installer.dll

Filesize
3.2MB

MD5
818abbbd3717505c01e4e8277406af8f

SHA1
4374b855c5a37e89daa37791d1a4f2c635bf66e7

SHA256
bc0acdfb672ad01ad3b658ee51e2ee6523d56ea4bc4c066b390cf9b494e2aa69

SHA512
7c73ec9b15e82964573db1b7d3996677b244b6efa64cab60cefff6d995d3ea3e6e89c1578c5b5a266b964a19336ce5b956a4a4f37be12b4907dbee827b6613b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISUIServices.dll

Filesize
7.1MB

MD5
8ff059505a66e89bcc87dbb93e41ff0d

SHA1
6594bca59b503dcd85071872f598bc442c1afebe

SHA256
37b0f6eb77b5bdc02ace904a0c9dbaba29a0e966f96839bacca52d207815adbd

SHA512
a5df05981f0ae4b16d3934f8525840fe0d219f728ce5dd83073d2503f279cb6cabee47ccd96825efbf12dd0999220cca9460a796024dabb20c95ae3917bf11d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSConfig.exe

Filesize
1.5MB

MD5
48c9a0c76b44a5f2729c876085adba4e

SHA1
8a5bee1995153d6069fb322ed23dec2de461f0df

SHA256
b5f9377bd27fcf48fb3d81d0196021681739f42a198e8340c27d55192d4bd3ac

SHA512
75873d0d41e16f5c9c58784f5eff2749f33be720f6f235e9da69c08d688d07c9a879f0fa4e365a172c3c61408c5fdef391b139aca70c3f6560fed3c4a181238d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ToolkitPro1840vc140U.dll

Filesize
11.4MB

MD5
7a984c997348ddc9a0b763ac78d82030

SHA1
50857f968227fb362080374116c7752ccee5e05a

SHA256
012910abe7f03d2cd161a34c553facbe241fa179be65c01deaf8d78821501b96

SHA512
eab0bba9bad5297c92a111fc2ac932618371b458ea1bab65c1cae15736b70d8567502f738f87dcf81fce853172107d3e8f2eeb101e21c2128b9bb1276715e8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCRUNTIME140.dll

Filesize
88KB

MD5
1d4ff3cf64ab08c66ae9a4013c89a3ac

SHA1
f9ee15d0e9b0b7e04ff4c8a5de5afcffe8b2527b

SHA256
65f620bc588d95fe2ed236d1602e49f89077b434c83102549eed137c7fdc7220

SHA512
65fbd68843280e933620c470e524fba993ab4c48ede4bc0917b4ebe25da0408d02daec3f5afcd44a3ff8aba676d2eff2dda3f354029d27932ef39c9fdea51c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\c447d980

Filesize
1.6MB

MD5
1f9689212799445cfcfbab537b1fb0c7

SHA1
09d364bcfcf98596b305ad933402ac2c8a21add4

SHA256
a43b9ea66df0f96f54387c0dc293d23b402463aa935e8f49d3ca67e5d550d67f

SHA512
82d03b0785521bad6ffc5e329cca9014013e292072cddd7c676afd63d53d632cfb03fbefb0cc4518929b9e1ecac656f46572867c2188a16816e7603bc81edf8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fumatory.rpm

Filesize
1.1MB

MD5
e7a01cdf9412e0e04bdd39b9077d3648

SHA1
ad177ad602931df117210b0333aa9abdcec15222

SHA256
7438bb293c57389612521c739ce59bc1aaac9e631dbc5c017fda1d3e0e7e4db3

SHA512
a7921b97af0e30562f4bbc09ff688447eac4d3c60f2bc954bf0a4a72f8975f271ecc8b64cc7e6155257d2af353d07126074416c94cf1520b4d1f6407d5b1d1f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mfc140u.dll

Filesize
4.6MB

MD5
266c6a0adda7ca07753636b1f8a69f7f

SHA1
996cc22086168cd47a19384117ee61e9eb03f99a

SHA256
3f8176bbc33f75fbcc429800461d84bcdb92d766d968220a9cc31f4cf6987271

SHA512
016c3197a089e68145741a74d6fb2749d45d0760cdb471c9c4efc17b365b0c0dfddd7ca331d5a6fad441485c382b382eab6ed9aca80640a540fed36c6905125c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcp140.dll

Filesize
437KB

MD5
dc739066c9d0ca961cba2f320cade28e

SHA1
81ed5f7861e748b90c7ae2d18da80d1409d1fa05

SHA256
74e9268a68118bb1ac5154f8f327887715960ccc37ba9dabbe31ecd82dcbaa55

SHA512
4eb181984d989156b8703fd8bb8963d7a5a3b7f981fe747c6992993b7a1395a21f45dbedf08c1483d523e772bdf41330753e1771243b53da36d2539c01171cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qasida.swf

Filesize
39KB

MD5
6b29c08211ad5820a7731ac63ca33d3f

SHA1
c4f830fbbb10273cb993e41c6ce624d4d3e734a6

SHA256
e1714ade5fba54092e942519744f8b48d39dfda430df7b55ffd8522462adb9d6

SHA512
9ba40b951714be4778a2a01e8da0454906b0f42747e36cf1f5f8d5a8981af44436693f273530f8df8c40ea1eb610281f69262d102bfcc6fb7c998ad8e3893470

Download Submit
memory/1488-42-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/1488-41-0x0000000072700000-0x000000007287B000-memory.dmp

Filesize
1.5MB

Download
memory/4328-94-0x0000000000190000-0x0000000000212000-memory.dmp

Filesize
520KB

Download
memory/4328-103-0x0000000000190000-0x0000000000212000-memory.dmp

Filesize
520KB

Download
memory/4328-121-0x0000000000190000-0x0000000000212000-memory.dmp

Filesize
520KB

Download
memory/4328-118-0x0000000000190000-0x0000000000212000-memory.dmp

Filesize
520KB

Download
memory/4328-115-0x0000000000190000-0x0000000000212000-memory.dmp

Filesize
520KB

Download
memory/4328-84-0x0000000000190000-0x0000000000212000-memory.dmp

Filesize
520KB

Download
memory/4328-86-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/4328-87-0x0000000000190000-0x0000000000212000-memory.dmp

Filesize
520KB

Download
memory/4328-91-0x0000000000190000-0x0000000000212000-memory.dmp

Filesize
520KB

Download
memory/4328-112-0x0000000000190000-0x0000000000212000-memory.dmp

Filesize
520KB

Download
memory/4328-109-0x0000000000190000-0x0000000000212000-memory.dmp

Filesize
520KB

Download
memory/4328-97-0x0000000000190000-0x0000000000212000-memory.dmp

Filesize
520KB

Download
memory/4328-100-0x0000000000190000-0x0000000000212000-memory.dmp

Filesize
520KB

Download
memory/4328-106-0x0000000000190000-0x0000000000212000-memory.dmp

Filesize
520KB

Download
memory/4480-73-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/4480-77-0x0000000073AC0000-0x0000000073C3B000-memory.dmp

Filesize
1.5MB

Download
memory/4480-74-0x0000000073AC0000-0x0000000073C3B000-memory.dmp

Filesize
1.5MB

Download
memory/4928-68-0x0000000073AC0000-0x0000000073C3B000-memory.dmp

Filesize
1.5MB

Download
memory/4928-69-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/4928-70-0x0000000073AC0000-0x0000000073C3B000-memory.dmp

Filesize
1.5MB

Download