remcos | bfe88e4229fb197c1b5d8791f068da0f7358b546df7325ec2e266f80a92bdb9b

General

Target

Authorization letter formatducsigned contract.js
Size

236KB
MD5

c9c780c8c5104c5b0dbabe46bcc3e0b7
SHA1

e1ed4e375a527e0804a9d0bdd8010b4508e80747
SHA256

bfe88e4229fb197c1b5d8791f068da0f7358b546df7325ec2e266f80a92bdb9b
SHA512

a03ec6cb5567d3646d46348c19a250665742b5a4a59f376092fb9d53f7d2d7ab1b3f878948ee84d0d95cbba79e67788de441e38381eb13e8cd65e9b7312d6184

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

umuchu.hopto.org:2405

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

DISABLEDVPN.exeremcos.exe

pid process

1176 DISABLEDVPN.exe
1532 remcos.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

624 cmd.exe
624 cmd.exe

pid	process
1176	DISABLEDVPN.exe
1532	remcos.exe

pid	process
624	cmd.exe
624	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DISABLEDVPN.exeremcos.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\	DISABLEDVPN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	DISABLEDVPN.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

1532 remcos.exe

pid	process
1532	remcos.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

wscript.exeDISABLEDVPN.exeWScript.execmd.exe

description	pid	process	target process
PID 1632 wrote to memory of 1176	1632	wscript.exe	DISABLEDVPN.exe
PID 1632 wrote to memory of 1176	1632	wscript.exe	DISABLEDVPN.exe
PID 1632 wrote to memory of 1176	1632	wscript.exe	DISABLEDVPN.exe
PID 1632 wrote to memory of 1176	1632	wscript.exe	DISABLEDVPN.exe
PID 1176 wrote to memory of 1328	1176	DISABLEDVPN.exe	WScript.exe
PID 1176 wrote to memory of 1328	1176	DISABLEDVPN.exe	WScript.exe
PID 1176 wrote to memory of 1328	1176	DISABLEDVPN.exe	WScript.exe
PID 1176 wrote to memory of 1328	1176	DISABLEDVPN.exe	WScript.exe
PID 1328 wrote to memory of 624	1328	WScript.exe	cmd.exe
PID 1328 wrote to memory of 624	1328	WScript.exe	cmd.exe
PID 1328 wrote to memory of 624	1328	WScript.exe	cmd.exe
PID 1328 wrote to memory of 624	1328	WScript.exe	cmd.exe
PID 624 wrote to memory of 1532	624	cmd.exe	remcos.exe
PID 624 wrote to memory of 1532	624	cmd.exe	remcos.exe
PID 624 wrote to memory of 1532	624	cmd.exe	remcos.exe
PID 624 wrote to memory of 1532	624	cmd.exe	remcos.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Authorization letter formatducsigned contract.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\DISABLEDVPN.exe
"C:\Users\Admin\AppData\Local\Temp\DISABLEDVPN.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DISABLEDVPN.exe

MD5
c52c394b4809ed8c364bfd81195066ca

SHA1
859a4a335671280bcf7910c8a6765ea1295ecd58

SHA256
217ad68c7c9c04742b12718dbdf1b9c43ec58aeee17963d811bf36576b43d299

SHA512
af7eb9936266325e24266e3d9d9b00457ea4bdb14b7333c924657a6244d0b4647a3d6f93578cff4d935773f02951889cc1a1581eefe5a831fc2511b667717255

Download Submit
C:\Users\Admin\AppData\Local\Temp\DISABLEDVPN.exe

MD5
c52c394b4809ed8c364bfd81195066ca

SHA1
859a4a335671280bcf7910c8a6765ea1295ecd58

SHA256
217ad68c7c9c04742b12718dbdf1b9c43ec58aeee17963d811bf36576b43d299

SHA512
af7eb9936266325e24266e3d9d9b00457ea4bdb14b7333c924657a6244d0b4647a3d6f93578cff4d935773f02951889cc1a1581eefe5a831fc2511b667717255

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
c52c394b4809ed8c364bfd81195066ca

SHA1
859a4a335671280bcf7910c8a6765ea1295ecd58

SHA256
217ad68c7c9c04742b12718dbdf1b9c43ec58aeee17963d811bf36576b43d299

SHA512
af7eb9936266325e24266e3d9d9b00457ea4bdb14b7333c924657a6244d0b4647a3d6f93578cff4d935773f02951889cc1a1581eefe5a831fc2511b667717255

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
c52c394b4809ed8c364bfd81195066ca

SHA1
859a4a335671280bcf7910c8a6765ea1295ecd58

SHA256
217ad68c7c9c04742b12718dbdf1b9c43ec58aeee17963d811bf36576b43d299

SHA512
af7eb9936266325e24266e3d9d9b00457ea4bdb14b7333c924657a6244d0b4647a3d6f93578cff4d935773f02951889cc1a1581eefe5a831fc2511b667717255

Download Submit
\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
c52c394b4809ed8c364bfd81195066ca

SHA1
859a4a335671280bcf7910c8a6765ea1295ecd58

SHA256
217ad68c7c9c04742b12718dbdf1b9c43ec58aeee17963d811bf36576b43d299

SHA512
af7eb9936266325e24266e3d9d9b00457ea4bdb14b7333c924657a6244d0b4647a3d6f93578cff4d935773f02951889cc1a1581eefe5a831fc2511b667717255

Download Submit
\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
c52c394b4809ed8c364bfd81195066ca

SHA1
859a4a335671280bcf7910c8a6765ea1295ecd58

SHA256
217ad68c7c9c04742b12718dbdf1b9c43ec58aeee17963d811bf36576b43d299

SHA512
af7eb9936266325e24266e3d9d9b00457ea4bdb14b7333c924657a6244d0b4647a3d6f93578cff4d935773f02951889cc1a1581eefe5a831fc2511b667717255

Download Submit
memory/624-67-0x0000000000000000-mapping.dmp

Download
memory/1176-60-0x0000000000000000-mapping.dmp

Download
memory/1176-62-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1328-64-0x0000000000000000-mapping.dmp

Download
memory/1532-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing