remcos | dacf76612ec19aa3f80f070321abac8830e376981ccd5ec4eebd1ba017c6e462

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UniCredit__Avviso di Pagamento.pdf.bat.exe
Size

1.2MB
MD5

ee28c3097b0a179bee35c93761526041
SHA1

e0dd7342f2019adb9e4ae74136f6842c14087077
SHA256

dacf76612ec19aa3f80f070321abac8830e376981ccd5ec4eebd1ba017c6e462
SHA512

51572fa32d2b1442c91675a75087a92a14b98af4733ad9a37e936a04e2e77cf0ee1a020f52e1b2e9ad2b3a3f170a888e777e74971828006afe906d328afb062c
SSDEEP

24576:h1sMaPo6C4bNhNu384DvLF3sf7wAHBgD6HjZgoOD6hpwlXfDFo:h1ssCh0847pq7wTD6HjBhpwtFo

Score

10^/10

remcos remotehost execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

204.10.160.230:7983

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-O7QOC3
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2656 powershell.exe
2276 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

UniCredit__Avviso di Pagamento.pdf.bat.exe

description pid process target process

PID 2204 set thread context of 2484 2204 UniCredit__Avviso di Pagamento.pdf.bat.exe UniCredit__Avviso di Pagamento.pdf.bat.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2588 schtasks.exe

pid	process
2656	powershell.exe
2276	powershell.exe

description	pid	process	target process
PID 2204 set thread context of 2484	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	UniCredit__Avviso di Pagamento.pdf.bat.exe

pid	process
2588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

UniCredit__Avviso di Pagamento.pdf.bat.exepowershell.exepowershell.exe

pid	process
2204	UniCredit__Avviso di Pagamento.pdf.bat.exe
2204	UniCredit__Avviso di Pagamento.pdf.bat.exe
2204	UniCredit__Avviso di Pagamento.pdf.bat.exe
2204	UniCredit__Avviso di Pagamento.pdf.bat.exe
2204	UniCredit__Avviso di Pagamento.pdf.bat.exe
2204	UniCredit__Avviso di Pagamento.pdf.bat.exe
2204	UniCredit__Avviso di Pagamento.pdf.bat.exe
2204	UniCredit__Avviso di Pagamento.pdf.bat.exe
2204	UniCredit__Avviso di Pagamento.pdf.bat.exe
2656	powershell.exe
2276	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

UniCredit__Avviso di Pagamento.pdf.bat.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2204 UniCredit__Avviso di Pagamento.pdf.bat.exe
Token: SeDebugPrivilege 2276 powershell.exe
Token: SeDebugPrivilege 2656 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

UniCredit__Avviso di Pagamento.pdf.bat.exe

description	pid	process	target process
PID 2204 wrote to memory of 2656	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	powershell.exe
PID 2204 wrote to memory of 2656	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	powershell.exe
PID 2204 wrote to memory of 2656	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	powershell.exe
PID 2204 wrote to memory of 2656	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	powershell.exe
PID 2204 wrote to memory of 2276	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	powershell.exe
PID 2204 wrote to memory of 2276	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	powershell.exe
PID 2204 wrote to memory of 2276	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	powershell.exe
PID 2204 wrote to memory of 2276	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	powershell.exe
PID 2204 wrote to memory of 2588	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	schtasks.exe
PID 2204 wrote to memory of 2588	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	schtasks.exe
PID 2204 wrote to memory of 2588	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	schtasks.exe
PID 2204 wrote to memory of 2588	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	schtasks.exe
PID 2204 wrote to memory of 2468	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	UniCredit__Avviso di Pagamento.pdf.bat.exe
PID 2204 wrote to memory of 2468	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	UniCredit__Avviso di Pagamento.pdf.bat.exe
PID 2204 wrote to memory of 2468	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	UniCredit__Avviso di Pagamento.pdf.bat.exe
PID 2204 wrote to memory of 2468	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	UniCredit__Avviso di Pagamento.pdf.bat.exe
PID 2204 wrote to memory of 2484	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	UniCredit__Avviso di Pagamento.pdf.bat.exe
PID 2204 wrote to memory of 2484	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	UniCredit__Avviso di Pagamento.pdf.bat.exe
PID 2204 wrote to memory of 2484	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	UniCredit__Avviso di Pagamento.pdf.bat.exe
PID 2204 wrote to memory of 2484	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	UniCredit__Avviso di Pagamento.pdf.bat.exe
PID 2204 wrote to memory of 2484	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	UniCredit__Avviso di Pagamento.pdf.bat.exe
PID 2204 wrote to memory of 2484	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	UniCredit__Avviso di Pagamento.pdf.bat.exe
PID 2204 wrote to memory of 2484	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	UniCredit__Avviso di Pagamento.pdf.bat.exe
PID 2204 wrote to memory of 2484	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	UniCredit__Avviso di Pagamento.pdf.bat.exe
PID 2204 wrote to memory of 2484	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	UniCredit__Avviso di Pagamento.pdf.bat.exe
PID 2204 wrote to memory of 2484	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	UniCredit__Avviso di Pagamento.pdf.bat.exe
PID 2204 wrote to memory of 2484	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	UniCredit__Avviso di Pagamento.pdf.bat.exe
PID 2204 wrote to memory of 2484	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	UniCredit__Avviso di Pagamento.pdf.bat.exe
PID 2204 wrote to memory of 2484	2204	UniCredit__Avviso di Pagamento.pdf.bat.exe	UniCredit__Avviso di Pagamento.pdf.bat.exe

C:\Users\Admin\AppData\Local\Temp\UniCredit__Avviso di Pagamento.pdf.bat.exe
"C:\Users\Admin\AppData\Local\Temp\UniCredit__Avviso di Pagamento.pdf.bat.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\UniCredit__Avviso di Pagamento.pdf.bat.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wTEtBSqxFaPmz.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTEtBSqxFaPmz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp88A0.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Users\Admin\AppData\Local\Temp\UniCredit__Avviso di Pagamento.pdf.bat.exe
"C:\Users\Admin\AppData\Local\Temp\UniCredit__Avviso di Pagamento.pdf.bat.exe"
2⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\UniCredit__Avviso di Pagamento.pdf.bat.exe
"C:\Users\Admin\AppData\Local\Temp\UniCredit__Avviso di Pagamento.pdf.bat.exe"
2⤵
PID:2484

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp88A0.tmp
Filesize
1KB

MD5
6960d2710acac5cf3dc7b5bf8e1a7b07

SHA1
184d977d53fc1e7289d85a505ce69c2c4f29eb63

SHA256
037f66e29dfa54b928d68e78fd1b87c7864bc0699c98c3622d80ea4909e6b205

SHA512
c78e1ddfa123cc9c6afff9c4ca035ec67ffce1e1d2ad0e6b0cceed26454c19bbcb7e4361d0c5df907084d40502e4b3f45cb7018cb38ce1895749b4af0739b264

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
fb28bff1315760f123f0a3926c3c8362

SHA1
37f3721dd815f22386bdf60e25bdc30bce0f55e3

SHA256
1b6853da75b7c599509ceb56cfa30ffa28e29a4373e88404032f06e390012c05

SHA512
a71a2bc2d984b5ac582dfa7657bd21571091c09e5107f2dc8bcf5715f477ca85bf0f8e595cdabb7c9522b958cad4ad0def4ef08eb74a394940e1a52e33b037a6

Download Submit
memory/2204-0-0x0000000074D0E000-0x0000000074D0F000-memory.dmp

Filesize
4KB

Download
memory/2204-1-0x00000000000D0000-0x0000000000200000-memory.dmp

Filesize
1.2MB

Download
memory/2204-2-0x0000000074D00000-0x00000000753EE000-memory.dmp

Filesize
6.9MB

Download
memory/2204-3-0x0000000001FA0000-0x0000000001FBA000-memory.dmp

Filesize
104KB

Download
memory/2204-4-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/2204-5-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2204-6-0x0000000004F90000-0x000000000508E000-memory.dmp

Filesize
1016KB

Download
memory/2204-7-0x0000000074D0E000-0x0000000074D0F000-memory.dmp

Filesize
4KB

Download
memory/2204-41-0x0000000074D00000-0x00000000753EE000-memory.dmp

Filesize
6.9MB

Download
memory/2484-39-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2484-28-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2484-20-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2484-25-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2484-22-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2484-32-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2484-40-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2484-38-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2484-37-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2484-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2484-30-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2484-34-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2484-26-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2484-42-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2484-43-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2484-44-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2484-47-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2484-48-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2484-49-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2484-50-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2484-51-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2484-52-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2484-53-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2484-54-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download