remcos | b62b1e316fbcabfe8d88212f7b49ed54c3351187c5ec73f7ff90c7698ea28876

General

Target

MBL+BL INVOICE SHIPPING DOCS2.exe
Size

759KB
MD5

f9f7b73497e53dab0f0da51e6ea7ad47
SHA1

35f739ad7246794d85487c425a299a765b18bff6
SHA256

b62b1e316fbcabfe8d88212f7b49ed54c3351187c5ec73f7ff90c7698ea28876
SHA512

498f223f50df39cce36be964656980a2c03c88b67e94bddf19ed0ba29b652eb7126f223c56204d9857a0f51252832b5242c291d5322783281f6bfd5d7069088c

Score

10^/10

remcos remotehost evasion rat

Malware Config

Extracted

Family

remcos

Version

3.3.0 Pro

Botnet

RemoteHost

C2

172.94.88.26:3033

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-LNYWHZ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MBL+BL INVOICE SHIPPING DOCS2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBL+BL INVOICE SHIPPING DOCS2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MBL+BL INVOICE SHIPPING DOCS2.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

MBL+BL INVOICE SHIPPING DOCS2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MBL+BL INVOICE SHIPPING DOCS2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MBL+BL INVOICE SHIPPING DOCS2.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

MBL+BL INVOICE SHIPPING DOCS2.exe

description pid process target process

PID 2020 set thread context of 1552 2020 MBL+BL INVOICE SHIPPING DOCS2.exe MBL+BL INVOICE SHIPPING DOCS2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1972 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1972 powershell.exe

description	pid	process	target process
PID 2020 set thread context of 1552	2020	MBL+BL INVOICE SHIPPING DOCS2.exe	MBL+BL INVOICE SHIPPING DOCS2.exe

pid	process
1972	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1972	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

MBL+BL INVOICE SHIPPING DOCS2.exe

C:\Users\Admin\AppData\Local\Temp\MBL+BL INVOICE SHIPPING DOCS2.exe
"C:\Users\Admin\AppData\Local\Temp\MBL+BL INVOICE SHIPPING DOCS2.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MBL+BL INVOICE SHIPPING DOCS2.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Users\Admin\AppData\Local\Temp\MBL+BL INVOICE SHIPPING DOCS2.exe
"C:\Users\Admin\AppData\Local\Temp\MBL+BL INVOICE SHIPPING DOCS2.exe"
2⤵
PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1552-62-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1552-67-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1552-66-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1552-65-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1552-64-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1552-71-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1552-60-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1552-61-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1552-69-0x000000000042FC39-mapping.dmp

Download
memory/1552-68-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1552-63-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1972-59-0x00000000765A1000-0x00000000765A3000-memory.dmp

Filesize
8KB

Download
memory/1972-72-0x0000000002430000-0x000000000307A000-memory.dmp

Filesize
12.3MB

Download
memory/1972-58-0x0000000000000000-mapping.dmp

Download
memory/2020-53-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/2020-57-0x0000000007710000-0x00000000077A5000-memory.dmp

Filesize
596KB

Download
memory/2020-56-0x0000000000700000-0x0000000000708000-memory.dmp

Filesize
32KB

Download
memory/2020-55-0x00000000072B0000-0x00000000072B1000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 2020 wrote to memory of 1972	2020	MBL+BL INVOICE SHIPPING DOCS2.exe	powershell.exe
PID 2020 wrote to memory of 1972	2020	MBL+BL INVOICE SHIPPING DOCS2.exe	powershell.exe
PID 2020 wrote to memory of 1972	2020	MBL+BL INVOICE SHIPPING DOCS2.exe	powershell.exe
PID 2020 wrote to memory of 1972	2020	MBL+BL INVOICE SHIPPING DOCS2.exe	powershell.exe
PID 2020 wrote to memory of 1552	2020	MBL+BL INVOICE SHIPPING DOCS2.exe	MBL+BL INVOICE SHIPPING DOCS2.exe
PID 2020 wrote to memory of 1552	2020	MBL+BL INVOICE SHIPPING DOCS2.exe	MBL+BL INVOICE SHIPPING DOCS2.exe
PID 2020 wrote to memory of 1552	2020	MBL+BL INVOICE SHIPPING DOCS2.exe	MBL+BL INVOICE SHIPPING DOCS2.exe
PID 2020 wrote to memory of 1552	2020	MBL+BL INVOICE SHIPPING DOCS2.exe	MBL+BL INVOICE SHIPPING DOCS2.exe
PID 2020 wrote to memory of 1552	2020	MBL+BL INVOICE SHIPPING DOCS2.exe	MBL+BL INVOICE SHIPPING DOCS2.exe
PID 2020 wrote to memory of 1552	2020	MBL+BL INVOICE SHIPPING DOCS2.exe	MBL+BL INVOICE SHIPPING DOCS2.exe
PID 2020 wrote to memory of 1552	2020	MBL+BL INVOICE SHIPPING DOCS2.exe	MBL+BL INVOICE SHIPPING DOCS2.exe
PID 2020 wrote to memory of 1552	2020	MBL+BL INVOICE SHIPPING DOCS2.exe	MBL+BL INVOICE SHIPPING DOCS2.exe
PID 2020 wrote to memory of 1552	2020	MBL+BL INVOICE SHIPPING DOCS2.exe	MBL+BL INVOICE SHIPPING DOCS2.exe
PID 2020 wrote to memory of 1552	2020	MBL+BL INVOICE SHIPPING DOCS2.exe	MBL+BL INVOICE SHIPPING DOCS2.exe
PID 2020 wrote to memory of 1552	2020	MBL+BL INVOICE SHIPPING DOCS2.exe	MBL+BL INVOICE SHIPPING DOCS2.exe
PID 2020 wrote to memory of 1552	2020	MBL+BL INVOICE SHIPPING DOCS2.exe	MBL+BL INVOICE SHIPPING DOCS2.exe
PID 2020 wrote to memory of 1552	2020	MBL+BL INVOICE SHIPPING DOCS2.exe	MBL+BL INVOICE SHIPPING DOCS2.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads