remcos | b62b1e316fbcabfe8d88212f7b49ed54c3351187c5ec73f7ff90c7698ea28876

General

Target

MBL+BL INVOICE SHIPPING DOCS2.exe
Size

759KB
MD5

f9f7b73497e53dab0f0da51e6ea7ad47
SHA1

35f739ad7246794d85487c425a299a765b18bff6
SHA256

b62b1e316fbcabfe8d88212f7b49ed54c3351187c5ec73f7ff90c7698ea28876
SHA512

498f223f50df39cce36be964656980a2c03c88b67e94bddf19ed0ba29b652eb7126f223c56204d9857a0f51252832b5242c291d5322783281f6bfd5d7069088c

Score

10^/10

remcos remotehost evasion rat

Malware Config

Extracted

Family

remcos

Version

3.3.0 Pro

Botnet

RemoteHost

C2

172.94.88.26:3033

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-LNYWHZ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MBL+BL INVOICE SHIPPING DOCS2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBL+BL INVOICE SHIPPING DOCS2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MBL+BL INVOICE SHIPPING DOCS2.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

MBL+BL INVOICE SHIPPING DOCS2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MBL+BL INVOICE SHIPPING DOCS2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	MBL+BL INVOICE SHIPPING DOCS2.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

MBL+BL INVOICE SHIPPING DOCS2.exe

description pid process target process

PID 1828 set thread context of 360 1828 MBL+BL INVOICE SHIPPING DOCS2.exe MBL+BL INVOICE SHIPPING DOCS2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

3076 powershell.exe
3076 powershell.exe
3076 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3076 powershell.exe

description	pid	process	target process
PID 1828 set thread context of 360	1828	MBL+BL INVOICE SHIPPING DOCS2.exe	MBL+BL INVOICE SHIPPING DOCS2.exe

pid	process
3076	powershell.exe
3076	powershell.exe
3076	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3076	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

MBL+BL INVOICE SHIPPING DOCS2.exe

C:\Users\Admin\AppData\Local\Temp\MBL+BL INVOICE SHIPPING DOCS2.exe
"C:\Users\Admin\AppData\Local\Temp\MBL+BL INVOICE SHIPPING DOCS2.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MBL+BL INVOICE SHIPPING DOCS2.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Users\Admin\AppData\Local\Temp\MBL+BL INVOICE SHIPPING DOCS2.exe
"C:\Users\Admin\AppData\Local\Temp\MBL+BL INVOICE SHIPPING DOCS2.exe"
2⤵
PID:360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/360-130-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/360-136-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/360-131-0x000000000042FC39-mapping.dmp

Download
memory/1828-117-0x0000000007B80000-0x0000000007B81000-memory.dmp

Filesize
4KB

Download
memory/1828-118-0x0000000007760000-0x0000000007761000-memory.dmp

Filesize
4KB

Download
memory/1828-119-0x0000000007680000-0x0000000007B7E000-memory.dmp

Filesize
5.0MB

Download
memory/1828-120-0x00000000078E0000-0x00000000078E1000-memory.dmp

Filesize
4KB

Download
memory/1828-121-0x000000000AE60000-0x000000000AE68000-memory.dmp

Filesize
32KB

Download
memory/1828-122-0x000000000B090000-0x000000000B091000-memory.dmp

Filesize
4KB

Download
memory/1828-123-0x000000000B1D0000-0x000000000B265000-memory.dmp

Filesize
596KB

Download
memory/1828-125-0x000000000B400000-0x000000000B401000-memory.dmp

Filesize
4KB

Download
memory/1828-115-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/3076-132-0x0000000006AC0000-0x0000000006AC1000-memory.dmp

Filesize
4KB

Download
memory/3076-138-0x0000000007580000-0x0000000007581000-memory.dmp

Filesize
4KB

Download
memory/3076-128-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download
memory/3076-127-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/3076-126-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/3076-133-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/3076-135-0x0000000006C60000-0x0000000006C61000-memory.dmp

Filesize
4KB

Download
memory/3076-134-0x00000000041D2000-0x00000000041D3000-memory.dmp

Filesize
4KB

Download
memory/3076-124-0x0000000000000000-mapping.dmp

Download
memory/3076-129-0x0000000006D70000-0x0000000006D71000-memory.dmp

Filesize
4KB

Download
memory/3076-139-0x00000000073E0000-0x00000000073E1000-memory.dmp

Filesize
4KB

Download
memory/3076-140-0x0000000007E60000-0x0000000007E61000-memory.dmp

Filesize
4KB

Download
memory/3076-141-0x0000000007C70000-0x0000000007C71000-memory.dmp

Filesize
4KB

Download
memory/3076-142-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/3076-149-0x00000000089F0000-0x0000000008A23000-memory.dmp

Filesize
204KB

Download
memory/3076-156-0x00000000089D0000-0x00000000089D1000-memory.dmp

Filesize
4KB

Download
memory/3076-161-0x0000000008D50000-0x0000000008D51000-memory.dmp

Filesize
4KB

Download
memory/3076-162-0x000000007EB00000-0x000000007EB01000-memory.dmp

Filesize
4KB

Download
memory/3076-163-0x0000000008F60000-0x0000000008F61000-memory.dmp

Filesize
4KB

Download
memory/3076-232-0x00000000041D3000-0x00000000041D4000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 1828 wrote to memory of 3076	1828	MBL+BL INVOICE SHIPPING DOCS2.exe	powershell.exe
PID 1828 wrote to memory of 3076	1828	MBL+BL INVOICE SHIPPING DOCS2.exe	powershell.exe
PID 1828 wrote to memory of 3076	1828	MBL+BL INVOICE SHIPPING DOCS2.exe	powershell.exe
PID 1828 wrote to memory of 360	1828	MBL+BL INVOICE SHIPPING DOCS2.exe	MBL+BL INVOICE SHIPPING DOCS2.exe
PID 1828 wrote to memory of 360	1828	MBL+BL INVOICE SHIPPING DOCS2.exe	MBL+BL INVOICE SHIPPING DOCS2.exe
PID 1828 wrote to memory of 360	1828	MBL+BL INVOICE SHIPPING DOCS2.exe	MBL+BL INVOICE SHIPPING DOCS2.exe
PID 1828 wrote to memory of 360	1828	MBL+BL INVOICE SHIPPING DOCS2.exe	MBL+BL INVOICE SHIPPING DOCS2.exe
PID 1828 wrote to memory of 360	1828	MBL+BL INVOICE SHIPPING DOCS2.exe	MBL+BL INVOICE SHIPPING DOCS2.exe
PID 1828 wrote to memory of 360	1828	MBL+BL INVOICE SHIPPING DOCS2.exe	MBL+BL INVOICE SHIPPING DOCS2.exe
PID 1828 wrote to memory of 360	1828	MBL+BL INVOICE SHIPPING DOCS2.exe	MBL+BL INVOICE SHIPPING DOCS2.exe
PID 1828 wrote to memory of 360	1828	MBL+BL INVOICE SHIPPING DOCS2.exe	MBL+BL INVOICE SHIPPING DOCS2.exe
PID 1828 wrote to memory of 360	1828	MBL+BL INVOICE SHIPPING DOCS2.exe	MBL+BL INVOICE SHIPPING DOCS2.exe
PID 1828 wrote to memory of 360	1828	MBL+BL INVOICE SHIPPING DOCS2.exe	MBL+BL INVOICE SHIPPING DOCS2.exe
PID 1828 wrote to memory of 360	1828	MBL+BL INVOICE SHIPPING DOCS2.exe	MBL+BL INVOICE SHIPPING DOCS2.exe
PID 1828 wrote to memory of 360	1828	MBL+BL INVOICE SHIPPING DOCS2.exe	MBL+BL INVOICE SHIPPING DOCS2.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads