remcos | 8c3c62aafa4ff3a976150dce366c39675fdeceb96362d9071acfd37959770d66

Analysis

max time kernel
147s
max time network
143s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 05:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UHUH45EDRFQ.exe
Size

1.2MB
MD5

be85e3d9a67b0170a11edb287f01aa6f
SHA1

8111cff9ec9d729f477dc77299fcbb63ec74553a
SHA256

8c3c62aafa4ff3a976150dce366c39675fdeceb96362d9071acfd37959770d66
SHA512

6bccf15b3472157d3baef8a713854c8a8706e418a66cf054d11abca52ac416e5bfa247b0b9d373fbed07c77aab149f7a0a57c2376d0e79ab5000e1ac3d258cc0
SSDEEP

12288:m8DE8GILjWLWgwJJCFGNqx+nHx1VGNfH81pectJgCcB0oi83LSrXBAtz5SEFJCyZ:LcwJJCUsGGNfKOxi87SrRqzHF/

Score

10^/10

remcos revolt execution rat

Malware Config

Extracted

Family

remcos

Botnet

REVOLT

94.156.69.93:2973

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-HKC0PV
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1880 powershell.exe
2616 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

UHUH45EDRFQ.exe

description pid process target process

PID 2964 set thread context of 1500 2964 UHUH45EDRFQ.exe UHUH45EDRFQ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2632 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

UHUH45EDRFQ.exepowershell.exepowershell.exe

pid process

2964 UHUH45EDRFQ.exe
2964 UHUH45EDRFQ.exe
2616 powershell.exe
1880 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

UHUH45EDRFQ.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2964 UHUH45EDRFQ.exe
Token: SeDebugPrivilege 2616 powershell.exe
Token: SeDebugPrivilege 1880 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

UHUH45EDRFQ.exe

pid process

1500 UHUH45EDRFQ.exe

pid	process
1880	powershell.exe
2616	powershell.exe

description	pid	process	target process
PID 2964 set thread context of 1500	2964	UHUH45EDRFQ.exe	UHUH45EDRFQ.exe

pid	process
2632	schtasks.exe

pid	process
2964	UHUH45EDRFQ.exe
2964	UHUH45EDRFQ.exe
2616	powershell.exe
1880	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2964	UHUH45EDRFQ.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe

pid	process
1500	UHUH45EDRFQ.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

UHUH45EDRFQ.exe

description	pid	process	target process
PID 2964 wrote to memory of 1880	2964	UHUH45EDRFQ.exe	powershell.exe
PID 2964 wrote to memory of 1880	2964	UHUH45EDRFQ.exe	powershell.exe
PID 2964 wrote to memory of 1880	2964	UHUH45EDRFQ.exe	powershell.exe
PID 2964 wrote to memory of 1880	2964	UHUH45EDRFQ.exe	powershell.exe
PID 2964 wrote to memory of 2616	2964	UHUH45EDRFQ.exe	powershell.exe
PID 2964 wrote to memory of 2616	2964	UHUH45EDRFQ.exe	powershell.exe
PID 2964 wrote to memory of 2616	2964	UHUH45EDRFQ.exe	powershell.exe
PID 2964 wrote to memory of 2616	2964	UHUH45EDRFQ.exe	powershell.exe
PID 2964 wrote to memory of 2632	2964	UHUH45EDRFQ.exe	schtasks.exe
PID 2964 wrote to memory of 2632	2964	UHUH45EDRFQ.exe	schtasks.exe
PID 2964 wrote to memory of 2632	2964	UHUH45EDRFQ.exe	schtasks.exe
PID 2964 wrote to memory of 2632	2964	UHUH45EDRFQ.exe	schtasks.exe
PID 2964 wrote to memory of 1500	2964	UHUH45EDRFQ.exe	UHUH45EDRFQ.exe
PID 2964 wrote to memory of 1500	2964	UHUH45EDRFQ.exe	UHUH45EDRFQ.exe
PID 2964 wrote to memory of 1500	2964	UHUH45EDRFQ.exe	UHUH45EDRFQ.exe
PID 2964 wrote to memory of 1500	2964	UHUH45EDRFQ.exe	UHUH45EDRFQ.exe
PID 2964 wrote to memory of 1500	2964	UHUH45EDRFQ.exe	UHUH45EDRFQ.exe
PID 2964 wrote to memory of 1500	2964	UHUH45EDRFQ.exe	UHUH45EDRFQ.exe
PID 2964 wrote to memory of 1500	2964	UHUH45EDRFQ.exe	UHUH45EDRFQ.exe
PID 2964 wrote to memory of 1500	2964	UHUH45EDRFQ.exe	UHUH45EDRFQ.exe
PID 2964 wrote to memory of 1500	2964	UHUH45EDRFQ.exe	UHUH45EDRFQ.exe
PID 2964 wrote to memory of 1500	2964	UHUH45EDRFQ.exe	UHUH45EDRFQ.exe
PID 2964 wrote to memory of 1500	2964	UHUH45EDRFQ.exe	UHUH45EDRFQ.exe
PID 2964 wrote to memory of 1500	2964	UHUH45EDRFQ.exe	UHUH45EDRFQ.exe
PID 2964 wrote to memory of 1500	2964	UHUH45EDRFQ.exe	UHUH45EDRFQ.exe

C:\Users\Admin\AppData\Local\Temp\UHUH45EDRFQ.exe
"C:\Users\Admin\AppData\Local\Temp\UHUH45EDRFQ.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\UHUH45EDRFQ.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qxjFpV.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qxjFpV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5C82.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Users\Admin\AppData\Local\Temp\UHUH45EDRFQ.exe
"C:\Users\Admin\AppData\Local\Temp\UHUH45EDRFQ.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1500

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
4bccf726b5ec343ea61603effbe9dae7

SHA1
1f46c1fe25e1572b44d2b1050238ad0d63f43824

SHA256
28ef14321171bd5d0ad31f36f5de0cf060f7827e9fe199bad6564865d22e5430

SHA512
6e2609da1cd3ad9e1c5d03c575525e72c35c13c8ccbad14449adeb4b3f837835949a720309f29903bf5f64ed7391ea3e41352e1fe6ffff0fc0ef3024ec62ff1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5C82.tmp
Filesize
1KB

MD5
3726ee97c82badda7e699c481e716494

SHA1
c4d06d1d729afe779b175b04a10bdb1f7a73ea99

SHA256
acfd5e5b743054d49dace7b609c90b6d934a4277810824e2e9fea522ded89dce

SHA512
34e04fdafd1fc717b729d81ac321b00982c16df4051480980146f4b586de96dfaff5f46b9015f43fb28b4c59a9c4e19e88383c4180bd97d8003dbcfad17471a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
67054136a8882c5520ea61fedc43e2fb

SHA1
f8c017de0380943e62135c26d3388dc5bc8a7db7

SHA256
ad8447239e56411098394b714fb0c7369e86dd2e6700a18be926d7306ef68a19

SHA512
516b72ad3b75a0ef7a9f91b47763380b5c945b77bf9455dae3535728fda7a4dc1c6e8f2f47e441202e5bc5e362e6f5e8f6f801e2e2f897281b4d10315636c5b8

Download Submit
memory/1500-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1500-50-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1500-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1500-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1500-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1500-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1500-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1500-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1500-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1500-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1500-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1500-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1500-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1500-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1500-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1500-75-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1500-82-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1500-74-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1500-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1500-67-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1500-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1500-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1500-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1500-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1500-51-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1500-66-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1500-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1500-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2964-1-0x00000000010C0000-0x00000000011F0000-memory.dmp

Filesize
1.2MB

Download
memory/2964-4-0x0000000000A60000-0x0000000000A6C000-memory.dmp

Filesize
48KB

Download
memory/2964-42-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/2964-3-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/2964-0-0x000000007498E000-0x000000007498F000-memory.dmp

Filesize
4KB

Download
memory/2964-2-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/2964-5-0x0000000005370000-0x0000000005430000-memory.dmp

Filesize
768KB

Download