remcos | b3830ac26206a05fa89bb58269aab31ec7edb2cd1c77c9bea6332e53363eb83e

General

Target

BETT AWB8876E73_SEPT1721,pdf.exe
Size

1.4MB
MD5

2177743409ec5fd02a58e371ad413429
SHA1

b739d4ee9fe36a1ac527e588ce3f05f8fc73c322
SHA256

b3830ac26206a05fa89bb58269aab31ec7edb2cd1c77c9bea6332e53363eb83e
SHA512

f6d21a56c5ed89c3f8fffcd5720ec774ad48f2f53d1fa23a45957a8e7d4f869c67531d85e908c0756328382d3acc3723653a1f5eff3a86f91d7859ebc42db5b5

Score

10^/10

remcos celebration agilenet persistence rat

Malware Config

Extracted

Family

remcos

Version

3.2.1 Pro

Botnet

CELEBRATION

C2

ongod4ever.ddns.net:3030

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-FCUJUB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

ewtewbhdds.exemscorsvw.exe

pid process

4072 ewtewbhdds.exe
740 mscorsvw.exe

pid	process
4072	ewtewbhdds.exe
740	mscorsvw.exe

Drops startup file 2 IoCs

Processes:

BETT AWB8876E73_SEPT1721,pdf.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe	BETT AWB8876E73_SEPT1721,pdf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe	BETT AWB8876E73_SEPT1721,pdf.exe

Obfuscated with Agile.Net obfuscator 4 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/3716-120-0x0000000005D20000-0x0000000005D41000-memory.dmp	agile_net
behavioral2/memory/3716-125-0x0000000004FB0000-0x000000000504C000-memory.dmp	agile_net
behavioral2/memory/4072-137-0x0000000004EA0000-0x0000000004F3C000-memory.dmp	agile_net
behavioral2/memory/4072-138-0x0000000004EA0000-0x0000000004F3C000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\wetewudjhdfdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ewtewbhdds.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ewtewbhdds.exe

description pid process target process

PID 4072 set thread context of 740 4072 ewtewbhdds.exe mscorsvw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3888 740 WerFault.exe mscorsvw.exe

description	pid	process	target process
PID 4072 set thread context of 740	4072	ewtewbhdds.exe	mscorsvw.exe

pid	pid_target	process	target process
3888	740	WerFault.exe	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

BETT AWB8876E73_SEPT1721,pdf.exeewtewbhdds.exeWerFault.exe

pid	process
3716	BETT AWB8876E73_SEPT1721,pdf.exe
3716	BETT AWB8876E73_SEPT1721,pdf.exe
3716	BETT AWB8876E73_SEPT1721,pdf.exe
3716	BETT AWB8876E73_SEPT1721,pdf.exe
3716	BETT AWB8876E73_SEPT1721,pdf.exe
3716	BETT AWB8876E73_SEPT1721,pdf.exe
3716	BETT AWB8876E73_SEPT1721,pdf.exe
3716	BETT AWB8876E73_SEPT1721,pdf.exe
3716	BETT AWB8876E73_SEPT1721,pdf.exe
3716	BETT AWB8876E73_SEPT1721,pdf.exe
3716	BETT AWB8876E73_SEPT1721,pdf.exe
3716	BETT AWB8876E73_SEPT1721,pdf.exe
3716	BETT AWB8876E73_SEPT1721,pdf.exe
3716	BETT AWB8876E73_SEPT1721,pdf.exe
3716	BETT AWB8876E73_SEPT1721,pdf.exe
4072	ewtewbhdds.exe
4072	ewtewbhdds.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

BETT AWB8876E73_SEPT1721,pdf.exeewtewbhdds.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3716	BETT AWB8876E73_SEPT1721,pdf.exe
Token: SeDebugPrivilege	4072	ewtewbhdds.exe
Token: SeRestorePrivilege	3888	WerFault.exe
Token: SeBackupPrivilege	3888	WerFault.exe
Token: SeDebugPrivilege	3888	WerFault.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

BETT AWB8876E73_SEPT1721,pdf.execmd.exeewtewbhdds.exe

description	pid	process	target process
PID 3716 wrote to memory of 2980	3716	BETT AWB8876E73_SEPT1721,pdf.exe	cmd.exe
PID 3716 wrote to memory of 2980	3716	BETT AWB8876E73_SEPT1721,pdf.exe	cmd.exe
PID 3716 wrote to memory of 2980	3716	BETT AWB8876E73_SEPT1721,pdf.exe	cmd.exe
PID 2980 wrote to memory of 764	2980	cmd.exe	reg.exe
PID 2980 wrote to memory of 764	2980	cmd.exe	reg.exe
PID 2980 wrote to memory of 764	2980	cmd.exe	reg.exe
PID 3716 wrote to memory of 4072	3716	BETT AWB8876E73_SEPT1721,pdf.exe	ewtewbhdds.exe
PID 3716 wrote to memory of 4072	3716	BETT AWB8876E73_SEPT1721,pdf.exe	ewtewbhdds.exe
PID 3716 wrote to memory of 4072	3716	BETT AWB8876E73_SEPT1721,pdf.exe	ewtewbhdds.exe
PID 4072 wrote to memory of 740	4072	ewtewbhdds.exe	mscorsvw.exe
PID 4072 wrote to memory of 740	4072	ewtewbhdds.exe	mscorsvw.exe
PID 4072 wrote to memory of 740	4072	ewtewbhdds.exe	mscorsvw.exe
PID 4072 wrote to memory of 740	4072	ewtewbhdds.exe	mscorsvw.exe
PID 4072 wrote to memory of 740	4072	ewtewbhdds.exe	mscorsvw.exe
PID 4072 wrote to memory of 740	4072	ewtewbhdds.exe	mscorsvw.exe
PID 4072 wrote to memory of 740	4072	ewtewbhdds.exe	mscorsvw.exe
PID 4072 wrote to memory of 740	4072	ewtewbhdds.exe	mscorsvw.exe
PID 4072 wrote to memory of 740	4072	ewtewbhdds.exe	mscorsvw.exe
PID 4072 wrote to memory of 740	4072	ewtewbhdds.exe	mscorsvw.exe
PID 4072 wrote to memory of 740	4072	ewtewbhdds.exe	mscorsvw.exe
PID 4072 wrote to memory of 740	4072	ewtewbhdds.exe	mscorsvw.exe

C:\Users\Admin\AppData\Local\Temp\BETT AWB8876E73_SEPT1721,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\BETT AWB8876E73_SEPT1721,pdf.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "wetewudjhdfdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "wetewudjhdfdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe"
3⤵
- Adds Run key to start application
PID:764

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4072

C:\Users\Admin\AppData\Local\Temp\mscorsvw.exe
"C:\Users\Admin\AppData\Local\Temp\mscorsvw.exe"
3⤵
- Executes dropped EXE
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 568
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mscorsvw.exe
MD5
53076abbb58ebffb79177bef0db30888

SHA1
a7f51030b39b42ef54afba08124908179a6f5e85

SHA256
f7c22d1ac8bd67e0423dfd4929eb1dcebada6e32a573c6228171e7bef2c2b76b

SHA512
19eed50bca35358af182d000eb005f587dce54643294040b41b472e8a1754df28122579bb8d79d2cd2f430ca9b4134ca6c5369b30b922e8b146a8bbfaeb6f9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mscorsvw.exe
MD5
53076abbb58ebffb79177bef0db30888

SHA1
a7f51030b39b42ef54afba08124908179a6f5e85

SHA256
f7c22d1ac8bd67e0423dfd4929eb1dcebada6e32a573c6228171e7bef2c2b76b

SHA512
19eed50bca35358af182d000eb005f587dce54643294040b41b472e8a1754df28122579bb8d79d2cd2f430ca9b4134ca6c5369b30b922e8b146a8bbfaeb6f9eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe
MD5
2177743409ec5fd02a58e371ad413429

SHA1
b739d4ee9fe36a1ac527e588ce3f05f8fc73c322

SHA256
b3830ac26206a05fa89bb58269aab31ec7edb2cd1c77c9bea6332e53363eb83e

SHA512
f6d21a56c5ed89c3f8fffcd5720ec774ad48f2f53d1fa23a45957a8e7d4f869c67531d85e908c0756328382d3acc3723653a1f5eff3a86f91d7859ebc42db5b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe
MD5
2177743409ec5fd02a58e371ad413429

SHA1
b739d4ee9fe36a1ac527e588ce3f05f8fc73c322

SHA256
b3830ac26206a05fa89bb58269aab31ec7edb2cd1c77c9bea6332e53363eb83e

SHA512
f6d21a56c5ed89c3f8fffcd5720ec774ad48f2f53d1fa23a45957a8e7d4f869c67531d85e908c0756328382d3acc3723653a1f5eff3a86f91d7859ebc42db5b5

Download Submit
memory/740-152-0x0000000000820000-0x0000000000899000-memory.dmp

Filesize
484KB

Download
memory/740-144-0x0000000000820000-0x0000000000899000-memory.dmp

Filesize
484KB

Download
memory/740-142-0x000000000042F71D-mapping.dmp

Download
memory/764-124-0x0000000000000000-mapping.dmp

Download
memory/2980-123-0x0000000000000000-mapping.dmp

Download
memory/3716-125-0x0000000004FB0000-0x000000000504C000-memory.dmp

Filesize
624KB

Download
memory/3716-119-0x0000000005C80000-0x0000000005C81000-memory.dmp

Filesize
4KB

Download
memory/3716-122-0x0000000005DA0000-0x0000000005DA1000-memory.dmp

Filesize
4KB

Download
memory/3716-116-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/3716-121-0x0000000005DE0000-0x0000000005DE1000-memory.dmp

Filesize
4KB

Download
memory/3716-117-0x0000000004FB0000-0x000000000504C000-memory.dmp

Filesize
624KB

Download
memory/3716-118-0x0000000006090000-0x0000000006091000-memory.dmp

Filesize
4KB

Download
memory/3716-114-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/3716-120-0x0000000005D20000-0x0000000005D41000-memory.dmp

Filesize
132KB

Download
memory/4072-140-0x0000000007070000-0x0000000007071000-memory.dmp

Filesize
4KB

Download
memory/4072-139-0x0000000007060000-0x000000000706B000-memory.dmp

Filesize
44KB

Download
memory/4072-138-0x0000000004EA0000-0x0000000004F3C000-memory.dmp

Filesize
624KB

Download
memory/4072-137-0x0000000004EA0000-0x0000000004F3C000-memory.dmp

Filesize
624KB

Download
memory/4072-126-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads