remcos | b70ee93e9f63d90785264d45dae48012a1d00b92f63c21ccae0f5d2003c00554

General

Target

3.exe
Size

774KB
MD5

68038cd6686e726c8d5fcfdf5b62d37a
SHA1

3540f781ed5720b4d3a71f964e6e5142748fb182
SHA256

b70ee93e9f63d90785264d45dae48012a1d00b92f63c21ccae0f5d2003c00554
SHA512

58af96f1b666552f6bea4fac6bbb94215da373090ff6f027ddaa214f4625aa720d76f2455d3cb30c7ee585e6f6b695ebaf52f1e556dc4bcf2413043412609351

Score

10^/10

remcos septttt persistence rat

Malware Config

Extracted

Family

remcos

Version

3.1.5 Pro

Botnet

septttt

C2

204.44.86.179:49151

123qwegus.duckdns.org:49151

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-ZXIQGD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gfheqsv = "C:\\Users\\Public\\Libraries\\vsqehfG.url"	3.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

3.exe

description	pid	process	target process
PID 1928 wrote to memory of 1432	1928	3.exe	DpiScaling.exe
PID 1928 wrote to memory of 1432	1928	3.exe	DpiScaling.exe
PID 1928 wrote to memory of 1432	1928	3.exe	DpiScaling.exe
PID 1928 wrote to memory of 1432	1928	3.exe	DpiScaling.exe
PID 1928 wrote to memory of 1432	1928	3.exe	DpiScaling.exe
PID 1928 wrote to memory of 1432	1928	3.exe	DpiScaling.exe
PID 1928 wrote to memory of 1432	1928	3.exe	DpiScaling.exe
PID 1928 wrote to memory of 1432	1928	3.exe	DpiScaling.exe
PID 1928 wrote to memory of 1432	1928	3.exe	DpiScaling.exe
PID 1928 wrote to memory of 1432	1928	3.exe	DpiScaling.exe
PID 1928 wrote to memory of 1432	1928	3.exe	DpiScaling.exe
PID 1928 wrote to memory of 1432	1928	3.exe	DpiScaling.exe
PID 1928 wrote to memory of 1432	1928	3.exe	DpiScaling.exe
PID 1928 wrote to memory of 1432	1928	3.exe	DpiScaling.exe
PID 1928 wrote to memory of 1432	1928	3.exe	DpiScaling.exe
PID 1928 wrote to memory of 1432	1928	3.exe	DpiScaling.exe

C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\DpiScaling.exe
C:\Windows\System32\DpiScaling.exe
2⤵
PID:1432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1432-58-0x0000000000000000-mapping.dmp

Download
memory/1432-61-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1432-60-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1432-63-0x0000000000330000-0x00000000003A9000-memory.dmp

Filesize
484KB

Download
memory/1432-62-0x0000000010590000-0x000000001060C000-memory.dmp

Filesize
496KB

Download
memory/1432-64-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1928-53-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1928-57-0x0000000075471000-0x0000000075473000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing