remcos | 6f212246be3ab7db2cede2e87d8d465261ca8f44a86c7ca90cb8238bafed887f

General

Target

Qyyfrnva_Signed_.exe
Size

652KB
MD5

8f4286a5ec8f3abfb5d4c892f66c7cca
SHA1

3d83c34257b964adae2cba6029a7d4e5b6e2ceaf
SHA256

6f212246be3ab7db2cede2e87d8d465261ca8f44a86c7ca90cb8238bafed887f
SHA512

3df4484b9319aed2a9d936347d28495d37da42a7a105570aa0787ce86efdc0ea82310aa480fc2c4ce3373b8b88a008bd60d6f7ad40d90b4ca62f7e6654173bfd

Score

10^/10

remcos persistence rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Qyyfrnva_Signed_.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qyyfr = "C:\\Users\\Admin\\rfyyQ.url"	Qyyfrnva_Signed_.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Qyyfrnva_Signed_.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Qyyfrnva_Signed_.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Qyyfrnva_Signed_.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ieinstal.exe

pid process

532 ieinstal.exe

pid	process
532	ieinstal.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Qyyfrnva_Signed_.exe

description	pid	process	target process
PID 1908 wrote to memory of 532	1908	Qyyfrnva_Signed_.exe	ieinstal.exe
PID 1908 wrote to memory of 532	1908	Qyyfrnva_Signed_.exe	ieinstal.exe
PID 1908 wrote to memory of 532	1908	Qyyfrnva_Signed_.exe	ieinstal.exe
PID 1908 wrote to memory of 532	1908	Qyyfrnva_Signed_.exe	ieinstal.exe
PID 1908 wrote to memory of 532	1908	Qyyfrnva_Signed_.exe	ieinstal.exe
PID 1908 wrote to memory of 532	1908	Qyyfrnva_Signed_.exe	ieinstal.exe
PID 1908 wrote to memory of 532	1908	Qyyfrnva_Signed_.exe	ieinstal.exe
PID 1908 wrote to memory of 532	1908	Qyyfrnva_Signed_.exe	ieinstal.exe
PID 1908 wrote to memory of 532	1908	Qyyfrnva_Signed_.exe	ieinstal.exe
PID 1908 wrote to memory of 532	1908	Qyyfrnva_Signed_.exe	ieinstal.exe
PID 1908 wrote to memory of 532	1908	Qyyfrnva_Signed_.exe	ieinstal.exe
PID 1908 wrote to memory of 532	1908	Qyyfrnva_Signed_.exe	ieinstal.exe
PID 1908 wrote to memory of 532	1908	Qyyfrnva_Signed_.exe	ieinstal.exe
PID 1908 wrote to memory of 532	1908	Qyyfrnva_Signed_.exe	ieinstal.exe
PID 1908 wrote to memory of 532	1908	Qyyfrnva_Signed_.exe	ieinstal.exe
PID 1908 wrote to memory of 532	1908	Qyyfrnva_Signed_.exe	ieinstal.exe
PID 1908 wrote to memory of 532	1908	Qyyfrnva_Signed_.exe	ieinstal.exe
PID 1908 wrote to memory of 532	1908	Qyyfrnva_Signed_.exe	ieinstal.exe
PID 1908 wrote to memory of 532	1908	Qyyfrnva_Signed_.exe	ieinstal.exe

C:\Users\Admin\AppData\Local\Temp\Qyyfrnva_Signed_.exe
"C:\Users\Admin\AppData\Local\Temp\Qyyfrnva_Signed_.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1908

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/532-3-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/532-4-0x0000000000000000-mapping.dmp

Download
memory/532-5-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/532-7-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/532-8-0x0000000076271000-0x0000000076273000-memory.dmp

Filesize
8KB

Download
memory/532-13-0x0000000010540000-0x0000000010564000-memory.dmp

Filesize
144KB

Download
memory/532-14-0x00000000001D0000-0x00000000001F2000-memory.dmp

Filesize
136KB

Download
memory/1908-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads