remcos | c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cac

Analysis

max time kernel
78s
max time network
16s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08/02/2025, 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe
Size

372KB
MD5

b16d020687ea6e48b63a10bc3cfda530
SHA1

98860ab5a9d419dfe4f1420e693e58380814ebfd
SHA256

c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cac
SHA512

14d174b7646e8e661f31afb97b116f7803943f6fc52e0c554ff7e86fdcf0fa57a1912acefa612b9eed8d789f18529e53705feba7e22c972b4c11b6ad7a995539
SSDEEP

6144:tPdgUkQx+HXGidCzj8LBb8Rw5Jdypyf6aCXYfhi6:t1qQx+H2i+8LBNbdypazCXY

Score

10^/10

remcos tino discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

2.4.3 Pro

Botnet

TINo

185.140.53.140:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
true
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-5S9O07
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 4 IoCs

pid	Process
1536	hab.exe
2752	hab.exe
2684	remcos.exe
2700	remcos.exe

Loads dropped DLL 5 IoCs

pid	Process
2544	c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe
2544	c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe
1536	hab.exe
3044	cmd.exe
3044	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 108 set thread context of 2544	108	c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe	31
PID 1536 set thread context of 2752	1536	hab.exe	33
PID 2684 set thread context of 2700	2684	remcos.exe	38

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe
File opened for modification	C:\Windows\win.ini	c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe
File opened for modification	C:\Windows\win.ini	hab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
108	c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe
108	c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe
2544	c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe
2544	c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe
1536	hab.exe
1536	hab.exe
2752	hab.exe
2752	hab.exe
2684	remcos.exe
2684	remcos.exe
2700	remcos.exe
2700	remcos.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
108	c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe
108	c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe
2544	c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe
2544	c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe
1536	hab.exe
1536	hab.exe
2752	hab.exe
2752	hab.exe
2684	remcos.exe
2684	remcos.exe
2700	remcos.exe
2700	remcos.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
108	c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe
2544	c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe
1536	hab.exe
2752	hab.exe
2684	remcos.exe
2700	remcos.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 108 wrote to memory of 2544	108	c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe	31
PID 108 wrote to memory of 2544	108	c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe	31
PID 108 wrote to memory of 2544	108	c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe	31
PID 108 wrote to memory of 2544	108	c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe	31
PID 2544 wrote to memory of 1536	2544	c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe	32
PID 2544 wrote to memory of 1536	2544	c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe	32
PID 2544 wrote to memory of 1536	2544	c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe	32
PID 2544 wrote to memory of 1536	2544	c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe	32
PID 1536 wrote to memory of 2752	1536	hab.exe	33
PID 1536 wrote to memory of 2752	1536	hab.exe	33
PID 1536 wrote to memory of 2752	1536	hab.exe	33
PID 1536 wrote to memory of 2752	1536	hab.exe	33
PID 2752 wrote to memory of 3024	2752	hab.exe	34
PID 2752 wrote to memory of 3024	2752	hab.exe	34
PID 2752 wrote to memory of 3024	2752	hab.exe	34
PID 2752 wrote to memory of 3024	2752	hab.exe	34
PID 3024 wrote to memory of 3044	3024	WScript.exe	35
PID 3024 wrote to memory of 3044	3024	WScript.exe	35
PID 3024 wrote to memory of 3044	3024	WScript.exe	35
PID 3024 wrote to memory of 3044	3024	WScript.exe	35
PID 3044 wrote to memory of 2684	3044	cmd.exe	37
PID 3044 wrote to memory of 2684	3044	cmd.exe	37
PID 3044 wrote to memory of 2684	3044	cmd.exe	37
PID 3044 wrote to memory of 2684	3044	cmd.exe	37
PID 2684 wrote to memory of 2700	2684	remcos.exe	38
PID 2684 wrote to memory of 2700	2684	remcos.exe	38
PID 2684 wrote to memory of 2700	2684	remcos.exe	38
PID 2684 wrote to memory of 2700	2684	remcos.exe	38

C:\Users\Admin\AppData\Local\Temp\c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe
"C:\Users\Admin\AppData\Local\Temp\c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:108
- C:\Users\Admin\AppData\Local\Temp\c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe
  "C:\Users\Admin\AppData\Local\Temp\c7d68cf6632795eacc5b7012357f46c24a080df1229bfcd4acd4166092b35cacN.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3024
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
8416d670e04cc444764d653f5e9d38cf

SHA1
ebffd2839a3eeaf6cead731dd3ad6570bd084cb2

SHA256
252c558a195e506859236428673e9daac0e78b3c56ac16050e9aebeb8b49bcff

SHA512
9e77568f9bddb86129cb98aa3bcb6859324c7af720ce7a6cb59216b32779b1b80219de52ae2e0c0e3662703db098c71205c96ddbcc82959a93625eb0a9f2d6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
536B

MD5
b4118bddcc9fe0ae73396b2b1b58c970

SHA1
23afa06fa78bbcc9c11e8549681fd4956f9d6c45

SHA256
e5d5005f7c9fdada426273f14e2ebe328b84f9161e80acc1396dadbe9897e98f

SHA512
fdc29fb8fafb990e52487b9ec22140dcbc8c684efa53da41e348584c623fff1a7ce1a9b3deaccdb25867479b393d52d199c8f09cb365e6c84e5980f6d4285b67

Download Submit
C:\Windows\win.ini

Filesize
509B

MD5
d2a2412bddba16d60ec63bd9550d933f

SHA1
deb3d3bdc9055f0b4909b31d3048446848fae0e1

SHA256
79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

SHA512
8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

Download Submit
memory/108-5-0x00000000772E0000-0x0000000077489000-memory.dmp

Filesize
1.7MB

Download
memory/108-13-0x00000000774D0000-0x00000000775A6000-memory.dmp

Filesize
856KB

Download
memory/108-12-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download
memory/108-4-0x00000000772E1000-0x00000000773E2000-memory.dmp

Filesize
1.0MB

Download
memory/108-2-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download
memory/2544-14-0x00000000772E0000-0x0000000077489000-memory.dmp

Filesize
1.7MB

Download
memory/2752-36-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/2752-34-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2752-42-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads