remcos | 3536f79b815a6d77e371df48abaec315c92ccec6e197e547440fa66629edd640

General

Target

BANKSLIP.exe
Size

726KB
MD5

fdd9b67bd04d1768858f095d90d5dc88
SHA1

07c81bd427eecbd130e52351d99432b16bdc8d2e
SHA256

3536f79b815a6d77e371df48abaec315c92ccec6e197e547440fa66629edd640
SHA512

4356e6c1ad77ecb750ce4d720521da2113f69f6dfed113c306a0ef6681512cb356c39ecd1d0917d55990efbb7e8abfb796d48c0a77bb0742c75c480777a2b491

Score

10^/10

remcos remotehost evasion rat

Malware Config

Extracted

Family

remcos

Version

3.3.0 Pro

Botnet

RemoteHost

C2

172.94.88.26:3033

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-FFP6U6
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BANKSLIP.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BANKSLIP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BANKSLIP.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

BANKSLIP.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	BANKSLIP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	BANKSLIP.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

BANKSLIP.exe

description pid process target process

PID 692 set thread context of 1588 692 BANKSLIP.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1944 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1944 powershell.exe

description	pid	process	target process
PID 692 set thread context of 1588	692	BANKSLIP.exe	RegSvcs.exe

pid	process
1944	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1944	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

BANKSLIP.exe

description	pid	process	target process
PID 692 wrote to memory of 1944	692	BANKSLIP.exe	powershell.exe
PID 692 wrote to memory of 1944	692	BANKSLIP.exe	powershell.exe
PID 692 wrote to memory of 1944	692	BANKSLIP.exe	powershell.exe
PID 692 wrote to memory of 1944	692	BANKSLIP.exe	powershell.exe
PID 692 wrote to memory of 1588	692	BANKSLIP.exe	RegSvcs.exe
PID 692 wrote to memory of 1588	692	BANKSLIP.exe	RegSvcs.exe
PID 692 wrote to memory of 1588	692	BANKSLIP.exe	RegSvcs.exe
PID 692 wrote to memory of 1588	692	BANKSLIP.exe	RegSvcs.exe
PID 692 wrote to memory of 1588	692	BANKSLIP.exe	RegSvcs.exe
PID 692 wrote to memory of 1588	692	BANKSLIP.exe	RegSvcs.exe
PID 692 wrote to memory of 1588	692	BANKSLIP.exe	RegSvcs.exe
PID 692 wrote to memory of 1588	692	BANKSLIP.exe	RegSvcs.exe
PID 692 wrote to memory of 1588	692	BANKSLIP.exe	RegSvcs.exe
PID 692 wrote to memory of 1588	692	BANKSLIP.exe	RegSvcs.exe
PID 692 wrote to memory of 1588	692	BANKSLIP.exe	RegSvcs.exe
PID 692 wrote to memory of 1588	692	BANKSLIP.exe	RegSvcs.exe
PID 692 wrote to memory of 1588	692	BANKSLIP.exe	RegSvcs.exe
PID 692 wrote to memory of 1588	692	BANKSLIP.exe	RegSvcs.exe
PID 692 wrote to memory of 1588	692	BANKSLIP.exe	RegSvcs.exe
PID 692 wrote to memory of 1588	692	BANKSLIP.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\BANKSLIP.exe
"C:\Users\Admin\AppData\Local\Temp\BANKSLIP.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\BANKSLIP.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:1588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/692-54-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/692-56-0x0000000075871000-0x0000000075873000-memory.dmp

Filesize
8KB

Download
memory/692-57-0x00000000002F0000-0x00000000002F7000-memory.dmp

Filesize
28KB

Download
memory/692-58-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/692-59-0x00000000052F0000-0x0000000005385000-memory.dmp

Filesize
596KB

Download
memory/1588-71-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1588-72-0x000000000042FC39-mapping.dmp

Download
memory/1588-63-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1588-64-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1588-68-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1588-69-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1588-70-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1588-62-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1588-65-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1588-66-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1588-75-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1944-67-0x00000000025E0000-0x000000000322A000-memory.dmp

Filesize
12.3MB

Download
memory/1944-74-0x00000000025E0000-0x000000000322A000-memory.dmp

Filesize
12.3MB

Download
memory/1944-60-0x0000000000000000-mapping.dmp

Download
memory/1944-76-0x00000000025E0000-0x000000000322A000-memory.dmp

Filesize
12.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads