remcos | b3830ac26206a05fa89bb58269aab31ec7edb2cd1c77c9bea6332e53363eb83e

General

Target

BETT AWB8876E73_SEPT1721,pdf.exe
Size

1.4MB
MD5

2177743409ec5fd02a58e371ad413429
SHA1

b739d4ee9fe36a1ac527e588ce3f05f8fc73c322
SHA256

b3830ac26206a05fa89bb58269aab31ec7edb2cd1c77c9bea6332e53363eb83e
SHA512

f6d21a56c5ed89c3f8fffcd5720ec774ad48f2f53d1fa23a45957a8e7d4f869c67531d85e908c0756328382d3acc3723653a1f5eff3a86f91d7859ebc42db5b5

Score

10^/10

remcos celebration agilenet persistence rat

Malware Config

Extracted

Family

remcos

Version

3.2.1 Pro

Botnet

CELEBRATION

C2

ongod4ever.ddns.net:3030

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-FCUJUB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

ewtewbhdds.exemscorsvw.exe

pid process

528 ewtewbhdds.exe
1572 mscorsvw.exe

pid	process
528	ewtewbhdds.exe
1572	mscorsvw.exe

Drops startup file 2 IoCs

Processes:

BETT AWB8876E73_SEPT1721,pdf.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe	BETT AWB8876E73_SEPT1721,pdf.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe	BETT AWB8876E73_SEPT1721,pdf.exe

Loads dropped DLL 2 IoCs

Processes:

BETT AWB8876E73_SEPT1721,pdf.exeewtewbhdds.exe

pid process

1336 BETT AWB8876E73_SEPT1721,pdf.exe
528 ewtewbhdds.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1336-56-0x0000000000540000-0x0000000000561000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\wetewudjhdfdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ewtewbhdds.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ewtewbhdds.exe

description pid process target process

PID 528 set thread context of 1572 528 ewtewbhdds.exe mscorsvw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 528 set thread context of 1572	528	ewtewbhdds.exe	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

BETT AWB8876E73_SEPT1721,pdf.exeewtewbhdds.exe

pid	process
1336	BETT AWB8876E73_SEPT1721,pdf.exe
1336	BETT AWB8876E73_SEPT1721,pdf.exe
1336	BETT AWB8876E73_SEPT1721,pdf.exe
1336	BETT AWB8876E73_SEPT1721,pdf.exe
528	ewtewbhdds.exe
528	ewtewbhdds.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

BETT AWB8876E73_SEPT1721,pdf.exeewtewbhdds.exe

description pid process

Token: SeDebugPrivilege 1336 BETT AWB8876E73_SEPT1721,pdf.exe
Token: SeDebugPrivilege 528 ewtewbhdds.exe

description	pid	process
Token: SeDebugPrivilege	1336	BETT AWB8876E73_SEPT1721,pdf.exe
Token: SeDebugPrivilege	528	ewtewbhdds.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

BETT AWB8876E73_SEPT1721,pdf.execmd.exeewtewbhdds.exe

description	pid	process	target process
PID 1336 wrote to memory of 1700	1336	BETT AWB8876E73_SEPT1721,pdf.exe	cmd.exe
PID 1336 wrote to memory of 1700	1336	BETT AWB8876E73_SEPT1721,pdf.exe	cmd.exe
PID 1336 wrote to memory of 1700	1336	BETT AWB8876E73_SEPT1721,pdf.exe	cmd.exe
PID 1336 wrote to memory of 1700	1336	BETT AWB8876E73_SEPT1721,pdf.exe	cmd.exe
PID 1700 wrote to memory of 1356	1700	cmd.exe	reg.exe
PID 1700 wrote to memory of 1356	1700	cmd.exe	reg.exe
PID 1700 wrote to memory of 1356	1700	cmd.exe	reg.exe
PID 1700 wrote to memory of 1356	1700	cmd.exe	reg.exe
PID 1336 wrote to memory of 528	1336	BETT AWB8876E73_SEPT1721,pdf.exe	ewtewbhdds.exe
PID 1336 wrote to memory of 528	1336	BETT AWB8876E73_SEPT1721,pdf.exe	ewtewbhdds.exe
PID 1336 wrote to memory of 528	1336	BETT AWB8876E73_SEPT1721,pdf.exe	ewtewbhdds.exe
PID 1336 wrote to memory of 528	1336	BETT AWB8876E73_SEPT1721,pdf.exe	ewtewbhdds.exe
PID 528 wrote to memory of 1572	528	ewtewbhdds.exe	mscorsvw.exe
PID 528 wrote to memory of 1572	528	ewtewbhdds.exe	mscorsvw.exe
PID 528 wrote to memory of 1572	528	ewtewbhdds.exe	mscorsvw.exe
PID 528 wrote to memory of 1572	528	ewtewbhdds.exe	mscorsvw.exe
PID 528 wrote to memory of 1572	528	ewtewbhdds.exe	mscorsvw.exe
PID 528 wrote to memory of 1572	528	ewtewbhdds.exe	mscorsvw.exe
PID 528 wrote to memory of 1572	528	ewtewbhdds.exe	mscorsvw.exe
PID 528 wrote to memory of 1572	528	ewtewbhdds.exe	mscorsvw.exe
PID 528 wrote to memory of 1572	528	ewtewbhdds.exe	mscorsvw.exe
PID 528 wrote to memory of 1572	528	ewtewbhdds.exe	mscorsvw.exe
PID 528 wrote to memory of 1572	528	ewtewbhdds.exe	mscorsvw.exe
PID 528 wrote to memory of 1572	528	ewtewbhdds.exe	mscorsvw.exe
PID 528 wrote to memory of 1572	528	ewtewbhdds.exe	mscorsvw.exe

C:\Users\Admin\AppData\Local\Temp\BETT AWB8876E73_SEPT1721,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\BETT AWB8876E73_SEPT1721,pdf.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "wetewudjhdfdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "wetewudjhdfdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe"
3⤵
- Adds Run key to start application
PID:1356

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528

C:\Users\Admin\AppData\Local\Temp\mscorsvw.exe
"C:\Users\Admin\AppData\Local\Temp\mscorsvw.exe"
3⤵
- Executes dropped EXE
PID:1572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mscorsvw.exe
MD5
53076abbb58ebffb79177bef0db30888

SHA1
a7f51030b39b42ef54afba08124908179a6f5e85

SHA256
f7c22d1ac8bd67e0423dfd4929eb1dcebada6e32a573c6228171e7bef2c2b76b

SHA512
19eed50bca35358af182d000eb005f587dce54643294040b41b472e8a1754df28122579bb8d79d2cd2f430ca9b4134ca6c5369b30b922e8b146a8bbfaeb6f9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mscorsvw.exe
MD5
53076abbb58ebffb79177bef0db30888

SHA1
a7f51030b39b42ef54afba08124908179a6f5e85

SHA256
f7c22d1ac8bd67e0423dfd4929eb1dcebada6e32a573c6228171e7bef2c2b76b

SHA512
19eed50bca35358af182d000eb005f587dce54643294040b41b472e8a1754df28122579bb8d79d2cd2f430ca9b4134ca6c5369b30b922e8b146a8bbfaeb6f9eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe
MD5
2177743409ec5fd02a58e371ad413429

SHA1
b739d4ee9fe36a1ac527e588ce3f05f8fc73c322

SHA256
b3830ac26206a05fa89bb58269aab31ec7edb2cd1c77c9bea6332e53363eb83e

SHA512
f6d21a56c5ed89c3f8fffcd5720ec774ad48f2f53d1fa23a45957a8e7d4f869c67531d85e908c0756328382d3acc3723653a1f5eff3a86f91d7859ebc42db5b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe
MD5
2177743409ec5fd02a58e371ad413429

SHA1
b739d4ee9fe36a1ac527e588ce3f05f8fc73c322

SHA256
b3830ac26206a05fa89bb58269aab31ec7edb2cd1c77c9bea6332e53363eb83e

SHA512
f6d21a56c5ed89c3f8fffcd5720ec774ad48f2f53d1fa23a45957a8e7d4f869c67531d85e908c0756328382d3acc3723653a1f5eff3a86f91d7859ebc42db5b5

Download Submit
\Users\Admin\AppData\Local\Temp\mscorsvw.exe
MD5
53076abbb58ebffb79177bef0db30888

SHA1
a7f51030b39b42ef54afba08124908179a6f5e85

SHA256
f7c22d1ac8bd67e0423dfd4929eb1dcebada6e32a573c6228171e7bef2c2b76b

SHA512
19eed50bca35358af182d000eb005f587dce54643294040b41b472e8a1754df28122579bb8d79d2cd2f430ca9b4134ca6c5369b30b922e8b146a8bbfaeb6f9eb

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe
MD5
2177743409ec5fd02a58e371ad413429

SHA1
b739d4ee9fe36a1ac527e588ce3f05f8fc73c322

SHA256
b3830ac26206a05fa89bb58269aab31ec7edb2cd1c77c9bea6332e53363eb83e

SHA512
f6d21a56c5ed89c3f8fffcd5720ec774ad48f2f53d1fa23a45957a8e7d4f869c67531d85e908c0756328382d3acc3723653a1f5eff3a86f91d7859ebc42db5b5

Download Submit
memory/528-64-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/528-68-0x0000000004C11000-0x0000000004C12000-memory.dmp

Filesize
4KB

Download
memory/528-70-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/528-69-0x00000000005F0000-0x00000000005FB000-memory.dmp

Filesize
44KB

Download
memory/528-61-0x0000000000000000-mapping.dmp

Download
memory/528-66-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/1336-53-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/1336-59-0x0000000004CF1000-0x0000000004CF2000-memory.dmp

Filesize
4KB

Download
memory/1336-56-0x0000000000540000-0x0000000000561000-memory.dmp

Filesize
132KB

Download
memory/1336-55-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/1356-58-0x0000000000000000-mapping.dmp

Download
memory/1572-73-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1572-74-0x000000000042F71D-mapping.dmp

Download
memory/1572-76-0x0000000074C71000-0x0000000074C73000-memory.dmp

Filesize
8KB

Download
memory/1572-77-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1700-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads