remcos | 3ccef307ca32975ddbf1b50130830cf8d077a796c61af77e77855f2f4766cac4

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
09/02/2025, 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

S3TurboTool_v1.53/S3TurboTool.exe
Size

3.0MB
MD5

722991dd18056a29c79c04868a03d81d
SHA1

320a236cca872b66bda713a1c6e8690f95bbb09b
SHA256

f57d195a651270f06b6ba5c21466401c0c3d035e21d7d217ab9268ea45d9f19b
SHA512

adcf0a8ec44e1558e3d6067126350c1efe947400f311405c84f37b6d7de83738a42ddf59c1f8178f68d9c45269bb2f95dd638037643a5521206b91e6fb2ec0eb
SSDEEP

49152:ZEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVd3338n:t92bz2Eb6pd7B6bAGx7n333k

Score

10^/10

remcos 1new discovery rat

Malware Config

Extracted

Family

remcos

Botnet

1NEW

5.45.67.76:1212

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
NoTuchengmYzfiFifFile-JPS74W
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Downloads MZ/PE file 1 IoCs

flow	pid	Process
33	2068	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2499155680-3253481302-763015360-1000\Control Panel\International\Geo\Nation	S3TurboTool.exe

Executes dropped EXE 3 IoCs

pid	Process
212	S3TurboTool.exe
2340	vcpkgsrv.exe
2608	vcpkgsrv.exe

Loads dropped DLL 8 IoCs

pid	Process
2340	vcpkgsrv.exe
2340	vcpkgsrv.exe
2340	vcpkgsrv.exe
2340	vcpkgsrv.exe
2608	vcpkgsrv.exe
2608	vcpkgsrv.exe
2608	vcpkgsrv.exe
2608	vcpkgsrv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2608 set thread context of 460	2608	vcpkgsrv.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S3TurboTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S3TurboTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S3TurboTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcpkgsrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcpkgsrv.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5032	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
5008	S3TurboTool.exe
5008	S3TurboTool.exe
2340	vcpkgsrv.exe
2608	vcpkgsrv.exe
2608	vcpkgsrv.exe
460	cmd.exe
460	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2608	vcpkgsrv.exe
460	cmd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5008	S3TurboTool.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 5008	544	S3TurboTool.exe	88
PID 544 wrote to memory of 5008	544	S3TurboTool.exe	88
PID 544 wrote to memory of 5008	544	S3TurboTool.exe	88
PID 5008 wrote to memory of 212	5008	S3TurboTool.exe	92
PID 5008 wrote to memory of 212	5008	S3TurboTool.exe	92
PID 5008 wrote to memory of 212	5008	S3TurboTool.exe	92
PID 5008 wrote to memory of 2340	5008	S3TurboTool.exe	93
PID 5008 wrote to memory of 2340	5008	S3TurboTool.exe	93
PID 5008 wrote to memory of 2340	5008	S3TurboTool.exe	93
PID 2340 wrote to memory of 2608	2340	vcpkgsrv.exe	94
PID 2340 wrote to memory of 2608	2340	vcpkgsrv.exe	94
PID 2340 wrote to memory of 2608	2340	vcpkgsrv.exe	94
PID 2608 wrote to memory of 460	2608	vcpkgsrv.exe	95
PID 2608 wrote to memory of 460	2608	vcpkgsrv.exe	95
PID 2608 wrote to memory of 460	2608	vcpkgsrv.exe	95
PID 2608 wrote to memory of 460	2608	vcpkgsrv.exe	95
PID 460 wrote to memory of 1612	460	cmd.exe	104
PID 460 wrote to memory of 1612	460	cmd.exe	104
PID 460 wrote to memory of 1612	460	cmd.exe	104
PID 460 wrote to memory of 1612	460	cmd.exe	104
PID 460 wrote to memory of 1612	460	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\S3TurboTool_v1.53\S3TurboTool.exe
"C:\Users\Admin\AppData\Local\Temp\S3TurboTool_v1.53\S3TurboTool.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:544
- C:\Users\Admin\AppData\Local\Temp\S3TurboTool_v1.53\S3TurboTool.exe
  "C:\Users\Admin\AppData\Local\Temp\S3TurboTool_v1.53\S3TurboTool.exe" /VERYSILENT
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Users\Admin\AppData\Roaming\S3TurboTool\S3TurboTool.exe
    "C:\Users\Admin\AppData\Roaming\S3TurboTool\S3TurboTool.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:212
- - C:\Users\Admin\AppData\Roaming\vcpkgsrv.exe
    "C:\Users\Admin\AppData\Roaming\vcpkgsrv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Users\Admin\AppData\Roaming\MVCheck\vcpkgsrv.exe
      C:\Users\Admin\AppData\Roaming\MVCheck\vcpkgsrv.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:460
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1612

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RkNGREZCNUYtODFENi00QURELUI3MjMtM0Y1RDE1MDlCNURFfSIgdXNlcmlkPSJ7OEM1NzUxQjctM0FCOC00QTI0LUFCN0YtOTg1QkVBM0ZEQTg5fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NUVCRjVENzEtOEZCMi00NzUyLThGRTItREYyOUFFQ0ZBMzkxfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDQ0OTciIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxNjkzODEzMjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDQ3NzYxNjc2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d42179c

Filesize
1.2MB

MD5
85a4a2ed0e42587a5f591c44265f30e1

SHA1
b2a6d3d8d61b20b9368aeea06cc4246068ad737d

SHA256
830978f1050fac8f20c3dd75fa52dfb7e8d1b9fc0860665f20a78214bc216aa5

SHA512
dde231a2a4258b068cf81f253aea3d11eeafb465db0a4d8ee119d69b31c04c8f5f0e32b31e8cd66fd42496f0db74305e2d5c09e7e0d6dcdeaa555931407e5f77

Download Submit
C:\Users\Admin\AppData\Roaming\S3TurboTool\S3TurboTool.exe

Filesize
350KB

MD5
461dd72d19a3857f170abab8837d3021

SHA1
3a7ab3e60f7fbc70bb582aa0f740b364ba730928

SHA256
eaeacd165cf83cb0659bc711d2d6031ae5d2b56843bc721a263f8b0f91993363

SHA512
65dcd2b6ac7d3b5bbce7b69dd4a085da4a62ec6a68b8f17a67d1663b584964fe279194333a90e4c52dae0dabc6f8f83ecb337d2f6a559259b1c94f315673affe

Download Submit
C:\Users\Admin\AppData\Roaming\VCRUNTIME140.dll

Filesize
88KB

MD5
984c36e57e47581e267151aca04e9580

SHA1
aa54e9133ba3ed675f9b5255a515780438163ae1

SHA256
e0850ad7c2431f822359e129c85b708373759a1aaadb70b3740642ea44345a04

SHA512
9c8ce4e86173066ab8584a08aa1449f36808f0abd6de01a86f83914a44a8b07b31266c1f38ec0cd46faabf819ac6e1c74e29d5b8b2163ac5d9e1797df8282fdf

Download Submit
C:\Users\Admin\AppData\Roaming\airstrip.eps

Filesize
947KB

MD5
82684045b798a2b946c54d0f07182760

SHA1
350bca14af88bdb6ac9fe2a2cb4798bc03d9fa78

SHA256
1daa6e80920b7f3d9eb5375b064467330b6427fb1dc5256282c43733bf96a601

SHA512
fb7687cff30f34d4f22eef91d5543519e92c8b42e5743ee71d6ab43fc383c144a6e4f45b0863e65b3602019ba322a5b2bcdfa9ce13240e7ca208ab1021bbca32

Download Submit
C:\Users\Admin\AppData\Roaming\cassoulet.pkg

Filesize
55KB

MD5
ac65af3eb9bada3d75d7f2c9f86d8273

SHA1
f4b75c457b32bba5352dca361ef3c477ff0b5c23

SHA256
e68bce3f61193576d743fcd7f4cf6ce98ca57b0e3db3ca2bc46d41ccf0d5b9a9

SHA512
1bbd5ac6fdad7a3305598a37235b32cb8c85282fe2a746b1dd5b4e63f06d1a10ed31972ee614d888e22b431dc37a2d2043ed98d879300bc90d60ea7e9feb1094

Download Submit
C:\Users\Admin\AppData\Roaming\concrt140.dll

Filesize
254KB

MD5
f36dae6ea00f102b60a5011af0732123

SHA1
06fabdbf1fa14b5a637716f9f7a28c95ea4a8661

SHA256
0a3894dd420ed6b4c7ebbde463dbbde69cdb032e290b1c86c21ccdaa4da95526

SHA512
c585e25ac9d733ca82d36d4cee0fa5f7d34a0455c359e010c501d1474c612bc73429093ba302ae14222d7e3a89d5b11777529b3005c7c0966aff06c92c7cce12

Download Submit
C:\Users\Admin\AppData\Roaming\cpfe.dll

Filesize
4.9MB

MD5
eac01f58e7f60c7d40db53b061bc1346

SHA1
a2c2c49171dd862e2d9ac3a8b845dfa89dcce91e

SHA256
c93eb39b1042b83c46816c9558e865f14af96f972730626e81d7eb53b8045eb0

SHA512
242e9829aa779bfbd9fa46f928fc1dbbac3b991a951bac12e809159f2eecba229a7e231c72e6fa95462b033505301d8906110fc003577f239e0d5bd4637ba1ba

Download Submit
C:\Users\Admin\AppData\Roaming\msvcp140.dll

Filesize
438KB

MD5
cdae969102e88f6704d853f9521eedd2

SHA1
3d9a57652a3634cb9b5a83c973c1c77b30c60bf4

SHA256
4ad3de3443d7658f74c978e7eb04730e3d812bc592fee47be4e6348d1fb4814e

SHA512
6714f7886ed21a97a3d70e8a55637f0d0e6d2c43ffd433e7f9c38c100ada99c6aaf136135b5fa6b77483987e34f4c57086c574309b798512cd668c54f845ec49

Download Submit
C:\Users\Admin\AppData\Roaming\vcpkgsrv.exe

Filesize
1.4MB

MD5
38901633c833cba7f682472ced0dbe4b

SHA1
0c11a1ac834d2b270ba60f3605109933ca11a7f0

SHA256
a5c5487194f761dac90e178c9c1753c0f47b041f3168b5c23a587f33f69e5089

SHA512
70d71197c68c9a92883c482aee76978e2a01e785be6fb3b6082369e25d991d3e03d8467e11d87493e54f5a3dc4bcd59fa588f0fabe5f6fdcf3361de95cb471c1

Download Submit
memory/212-40-0x0000000005690000-0x0000000005C34000-memory.dmp

Filesize
5.6MB

Download
memory/212-41-0x00000000050E0000-0x0000000005172000-memory.dmp

Filesize
584KB

Download
memory/212-39-0x0000000000770000-0x00000000007CC000-memory.dmp

Filesize
368KB

Download
memory/212-42-0x0000000005070000-0x000000000507A000-memory.dmp

Filesize
40KB

Download
memory/460-74-0x00000000739B0000-0x0000000073B2B000-memory.dmp

Filesize
1.5MB

Download
memory/460-72-0x00007FFE7DD70000-0x00007FFE7DF65000-memory.dmp

Filesize
2.0MB

Download
memory/544-0-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/544-3-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/1612-82-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1612-85-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1612-90-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1612-89-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1612-88-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1612-87-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1612-86-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1612-77-0x00007FFE7DD70000-0x00007FFE7DF65000-memory.dmp

Filesize
2.0MB

Download
memory/1612-78-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1612-81-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1612-84-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1612-83-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2340-45-0x00000000739B0000-0x0000000073B2B000-memory.dmp

Filesize
1.5MB

Download
memory/2340-46-0x00007FFE7DD70000-0x00007FFE7DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2608-67-0x00000000739B0000-0x0000000073B2B000-memory.dmp

Filesize
1.5MB

Download
memory/2608-69-0x00000000739B0000-0x0000000073B2B000-memory.dmp

Filesize
1.5MB

Download
memory/2608-68-0x00007FFE7DD70000-0x00007FFE7DF65000-memory.dmp

Filesize
2.0MB

Download
memory/5008-5-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/5008-38-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download