remcos | 7eb677c1c5c60d34da90cab2b4ea019c500b5c3db6964cc14849dbe2f9f5fa30

General

Target

Nuevo pedido _WJO-001,pdf.exe
Size

742KB
MD5

75f7dc6f6b46ef8f379000e8b6905529
SHA1

f3a9abcfa08f16d34f09800a5df4ba5f794fcbd9
SHA256

7eb677c1c5c60d34da90cab2b4ea019c500b5c3db6964cc14849dbe2f9f5fa30
SHA512

f16351d869746401c419885e0a63193e90e89b62f855738df8ffb0c28a4a93c42df575ccb4734965d879c40ac59a167fbbc32086f76c29b5656e917c50ceb46d

Score

10^/10

remcos aa persistence rat

Malware Config

Extracted

Family

remcos

Version

3.2.0 Pro

Botnet

AA

C2

typejimbo.ddns.net:2444

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-1VJ0ZY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Nuevo pedido _WJO-001,pdf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ubrgopj = "C:\\Users\\Public\\Libraries\\jpogrbU.url"	Nuevo pedido _WJO-001,pdf.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

2360 reg.exe
2372 reg.exe
2460 reg.exe

pid	process
2360	reg.exe
2372	reg.exe
2460	reg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Nuevo pedido _WJO-001,pdf.exe

description	pid	process	target process
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe
PID 1620 wrote to memory of 1504	1620	Nuevo pedido _WJO-001,pdf.exe	Nuevo pedido _WJO-001,pdf.exe

C:\Users\Admin\AppData\Local\Temp\Nuevo pedido _WJO-001,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Nuevo pedido _WJO-001,pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\Temp\Nuevo pedido _WJO-001,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Nuevo pedido _WJO-001,pdf.exe"
2⤵
- Adds Run key to start application
PID:1504

C:\Windows\SysWOW64\mobsync.exe
C:\Windows\System32\mobsync.exe
3⤵
PID:2256

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\Trast.bat" "
3⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
4⤵
PID:2328

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
5⤵
- Modifies registry key
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
5⤵
- Modifies registry key
PID:2372

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
5⤵
PID:2384

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\nest.bat" "
3⤵
PID:2428

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
4⤵
- Modifies registry key
PID:2460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Trast.bat
MD5
4068c9f69fcd8a171c67f81d4a952a54

SHA1
4d2536a8c28cdcc17465e20d6693fb9e8e713b36

SHA256
24222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810

SHA512
a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d

Download Submit
C:\Users\Public\UKO.bat
MD5
eaf8d967454c3bbddbf2e05a421411f8

SHA1
6170880409b24de75c2dc3d56a506fbff7f6622c

SHA256
f35f2658455a2e40f151549a7d6465a836c33fa9109e67623916f889849eac56

SHA512
fe5be5c673e99f70c93019d01abb0a29dd2ecf25b2d895190ff551f020c28e7d8f99f65007f440f0f76c5bcac343b2a179a94d190c938ea3b9e1197890a412e9

Download Submit
C:\Users\Public\nest.bat
MD5
8ada51400b7915de2124baaf75e3414c

SHA1
1a7b9db12184ab7fd7fce1c383f9670a00adb081

SHA256
45aa3957c29865260a78f03eef18ae9aebdbf7bea751ecc88be4a799f2bb46c7

SHA512
9afc138157a4565294ca49942579cdb6f5d8084e56f9354738de62b585f4c0fa3e7f2cbc9541827f2084e3ff36c46eed29b46f5dd2444062ffcd05c599992e68

Download Submit
memory/1504-69-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1504-63-0x0000000000000000-mapping.dmp

Download
memory/1504-68-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1620-60-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1620-61-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1620-65-0x0000000010410000-0x000000001042B000-memory.dmp

Filesize
108KB

Download
memory/2256-81-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2256-80-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2256-79-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2256-82-0x0000000010590000-0x000000001060C000-memory.dmp

Filesize
496KB

Download
memory/2256-83-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2256-70-0x0000000000000000-mapping.dmp

Download
memory/2288-72-0x0000000000000000-mapping.dmp

Download
memory/2328-74-0x0000000000000000-mapping.dmp

Download
memory/2360-76-0x0000000000000000-mapping.dmp

Download
memory/2372-77-0x0000000000000000-mapping.dmp

Download
memory/2384-78-0x0000000000000000-mapping.dmp

Download
memory/2428-84-0x0000000000000000-mapping.dmp

Download
memory/2460-86-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing