remcos | 103976b6450174aa02b8cbe58309c741303ffd29a0611008e4f72f9023ca228a

Analysis

max time kernel
149s
max time network
149s
submitted
01-01-1970 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IKEA VN - 1028-02-4003 + XE614 - 01.exe
Size

1.6MB
MD5

4f5872d9eed281bf8cc831ef9a64471a
SHA1

80923623eff6042cac91775a72bf9409039e0cbd
SHA256

103976b6450174aa02b8cbe58309c741303ffd29a0611008e4f72f9023ca228a
SHA512

a7f0853e4eeae9234ae09deac9b740920a7edaee0efd39256e7cf2e83f8dab27afa876eb0abc2e13c030f23e070a90b0aa90435fdc8ca3d42a9b2583dcf8d966

Score

10^/10

remcos reed agilenet persistence rat suricata

Malware Config

Extracted

Family

remcos

Version

3.2.0 Pro

Botnet

Reed

ezfax2021.home-webserver.de:24133

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
iuis.exe
copy_folder
oiujhy
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
uhyg.dat
keylog_flag
false
keylog_folder
juhg
keylog_path
%AppData%
mouse_option
false
mutex
iuyhg-XOY14N
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
oiu
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\MAINPROCC.exe,"	reg.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
suricata: ET MALWARE Remocs 3.x Unencrypted Checkin
suricata: ET MALWARE Remocs 3.x Unencrypted Checkin
suricata
suricata: ET MALWARE Remocs 3.x Unencrypted Server Response
suricata: ET MALWARE Remocs 3.x Unencrypted Server Response
suricata
Executes dropped EXE 4 IoCs

Processes:

MAINPROCC.exeAddInProcess32.exeSASS.exeSASS.exe

pid process

1952 MAINPROCC.exe
944 AddInProcess32.exe
912 SASS.exe
1148 SASS.exe
Loads dropped DLL 4 IoCs

Processes:

IKEA VN - 1028-02-4003 + XE614 - 01.exeMAINPROCC.exeSASS.exe

pid process

1540 IKEA VN - 1028-02-4003 + XE614 - 01.exe
1952 MAINPROCC.exe
1952 MAINPROCC.exe
912 SASS.exe

pid	process
1952	MAINPROCC.exe
944	AddInProcess32.exe
912	SASS.exe
1148	SASS.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1540-58-0x0000000000A50000-0x0000000000A71000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

Processes:

MAINPROCC.exe

description pid process target process

PID 1952 set thread context of 944 1952 MAINPROCC.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1952 set thread context of 944	1952	MAINPROCC.exe	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

IKEA VN - 1028-02-4003 + XE614 - 01.exeMAINPROCC.exeSASS.exeSASS.exe

pid	process
1540	IKEA VN - 1028-02-4003 + XE614 - 01.exe
1540	IKEA VN - 1028-02-4003 + XE614 - 01.exe
1540	IKEA VN - 1028-02-4003 + XE614 - 01.exe
1952	MAINPROCC.exe
1952	MAINPROCC.exe
1952	MAINPROCC.exe
912	SASS.exe
1148	SASS.exe
1148	SASS.exe
1148	SASS.exe
1952	MAINPROCC.exe
1952	MAINPROCC.exe
1952	MAINPROCC.exe
1952	MAINPROCC.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

IKEA VN - 1028-02-4003 + XE614 - 01.exeMAINPROCC.exeSASS.exeSASS.exe

description	pid	process
Token: SeDebugPrivilege	1540	IKEA VN - 1028-02-4003 + XE614 - 01.exe
Token: SeDebugPrivilege	1952	MAINPROCC.exe
Token: SeDebugPrivilege	912	SASS.exe
Token: SeDebugPrivilege	1148	SASS.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AddInProcess32.exe

pid process

944 AddInProcess32.exe

pid	process
944	AddInProcess32.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

IKEA VN - 1028-02-4003 + XE614 - 01.execmd.exeMAINPROCC.exeSASS.exe

description	pid	process	target process
PID 1540 wrote to memory of 968	1540	IKEA VN - 1028-02-4003 + XE614 - 01.exe	cmd.exe
PID 1540 wrote to memory of 968	1540	IKEA VN - 1028-02-4003 + XE614 - 01.exe	cmd.exe
PID 1540 wrote to memory of 968	1540	IKEA VN - 1028-02-4003 + XE614 - 01.exe	cmd.exe
PID 1540 wrote to memory of 968	1540	IKEA VN - 1028-02-4003 + XE614 - 01.exe	cmd.exe
PID 968 wrote to memory of 1820	968	cmd.exe	reg.exe
PID 968 wrote to memory of 1820	968	cmd.exe	reg.exe
PID 968 wrote to memory of 1820	968	cmd.exe	reg.exe
PID 968 wrote to memory of 1820	968	cmd.exe	reg.exe
PID 1540 wrote to memory of 1952	1540	IKEA VN - 1028-02-4003 + XE614 - 01.exe	MAINPROCC.exe
PID 1540 wrote to memory of 1952	1540	IKEA VN - 1028-02-4003 + XE614 - 01.exe	MAINPROCC.exe
PID 1540 wrote to memory of 1952	1540	IKEA VN - 1028-02-4003 + XE614 - 01.exe	MAINPROCC.exe
PID 1540 wrote to memory of 1952	1540	IKEA VN - 1028-02-4003 + XE614 - 01.exe	MAINPROCC.exe
PID 1952 wrote to memory of 944	1952	MAINPROCC.exe	AddInProcess32.exe
PID 1952 wrote to memory of 944	1952	MAINPROCC.exe	AddInProcess32.exe
PID 1952 wrote to memory of 944	1952	MAINPROCC.exe	AddInProcess32.exe
PID 1952 wrote to memory of 944	1952	MAINPROCC.exe	AddInProcess32.exe
PID 1952 wrote to memory of 944	1952	MAINPROCC.exe	AddInProcess32.exe
PID 1952 wrote to memory of 944	1952	MAINPROCC.exe	AddInProcess32.exe
PID 1952 wrote to memory of 944	1952	MAINPROCC.exe	AddInProcess32.exe
PID 1952 wrote to memory of 944	1952	MAINPROCC.exe	AddInProcess32.exe
PID 1952 wrote to memory of 944	1952	MAINPROCC.exe	AddInProcess32.exe
PID 1952 wrote to memory of 944	1952	MAINPROCC.exe	AddInProcess32.exe
PID 1952 wrote to memory of 944	1952	MAINPROCC.exe	AddInProcess32.exe
PID 1952 wrote to memory of 944	1952	MAINPROCC.exe	AddInProcess32.exe
PID 1952 wrote to memory of 944	1952	MAINPROCC.exe	AddInProcess32.exe
PID 1952 wrote to memory of 912	1952	MAINPROCC.exe	SASS.exe
PID 1952 wrote to memory of 912	1952	MAINPROCC.exe	SASS.exe
PID 1952 wrote to memory of 912	1952	MAINPROCC.exe	SASS.exe
PID 1952 wrote to memory of 912	1952	MAINPROCC.exe	SASS.exe
PID 912 wrote to memory of 1148	912	SASS.exe	SASS.exe
PID 912 wrote to memory of 1148	912	SASS.exe	SASS.exe
PID 912 wrote to memory of 1148	912	SASS.exe	SASS.exe
PID 912 wrote to memory of 1148	912	SASS.exe	SASS.exe

C:\Users\Admin\AppData\Local\Temp\IKEA VN - 1028-02-4003 + XE614 - 01.exe
"C:\Users\Admin\AppData\Local\Temp\IKEA VN - 1028-02-4003 + XE614 - 01.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROCC.exe,"
2⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROCC.exe,"
3⤵
- Modifies WinLogon for persistence
PID:1820

C:\Users\Admin\AppData\Roaming\MAINPROCC.exe
"C:\Users\Admin\AppData\Roaming\MAINPROCC.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:944

C:\Users\Admin\AppData\Local\Temp\SASS.exe
"C:\Users\Admin\AppData\Local\Temp\SASS.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912

C:\Users\Admin\AppData\Local\Temp\SASS.exe
"C:\Users\Admin\AppData\Local\Temp\SASS.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\SASS.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SASS.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SASS.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SASS.txt
MD5
a7bb5f3d5bc2fe3528e4fab30d75cf75

SHA1
a60bc2c2953cd71008e3b5bc36a347af942462bc

SHA256
8e7f49122abe542cd09ee72aaefd5a3b8aa9bc4bb910111723e1e147af38ba36

SHA512
cf8722a866434d1db21069750004f7eae0d3928a6078a002e13bad7261be1ba6ecad5660546e2e839011593eef574f49e974e1f4f7be9d93e609afdc0fd10fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SASS.txt
MD5
e527d62b56e27403621c4e6a95c78258

SHA1
bf5e9631e0a13cc2e57f5f372351a26939f10282

SHA256
d5e9bca9d567c963d61c8c0f5b6d9fc217f156002a48dcd3d80443b60e438ae5

SHA512
6ddb2de39c18644f807719ad0c9731d9ff95518cdd2f7a4254a04cd558020565fdeed7955ec9ab4d7fc29407d1e5458af824a9ac5608d3870c7578776c8b152b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SASS.txt
MD5
de677d85bd8cb634b2d32cdec27b08f5

SHA1
741f14e168a8d3b7e568b47ff3ea8024901d1ad1

SHA256
a2e36e8d39d3f1ac791c09a9f00fe628e0fe92d2dd653910adf51e499f3d9788

SHA512
5e17720eb0975738096d24f2ebe7a5f59a876d4d6ce9f6e1acdc5391d7bf5b83b4393e1557c7b5ca4f3b643ec12769898758ca3226f6780a0c817dc580699ba4

Download Submit
C:\Users\Admin\AppData\Roaming\MAINPROCC.exe
MD5
4f5872d9eed281bf8cc831ef9a64471a

SHA1
80923623eff6042cac91775a72bf9409039e0cbd

SHA256
103976b6450174aa02b8cbe58309c741303ffd29a0611008e4f72f9023ca228a

SHA512
a7f0853e4eeae9234ae09deac9b740920a7edaee0efd39256e7cf2e83f8dab27afa876eb0abc2e13c030f23e070a90b0aa90435fdc8ca3d42a9b2583dcf8d966

Download Submit
C:\Users\Admin\AppData\Roaming\MAINPROCC.exe
MD5
4f5872d9eed281bf8cc831ef9a64471a

SHA1
80923623eff6042cac91775a72bf9409039e0cbd

SHA256
103976b6450174aa02b8cbe58309c741303ffd29a0611008e4f72f9023ca228a

SHA512
a7f0853e4eeae9234ae09deac9b740920a7edaee0efd39256e7cf2e83f8dab27afa876eb0abc2e13c030f23e070a90b0aa90435fdc8ca3d42a9b2583dcf8d966

Download Submit
\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
\Users\Admin\AppData\Local\Temp\SASS.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Local\Temp\SASS.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Roaming\MAINPROCC.exe
MD5
4f5872d9eed281bf8cc831ef9a64471a

SHA1
80923623eff6042cac91775a72bf9409039e0cbd

SHA256
103976b6450174aa02b8cbe58309c741303ffd29a0611008e4f72f9023ca228a

SHA512
a7f0853e4eeae9234ae09deac9b740920a7edaee0efd39256e7cf2e83f8dab27afa876eb0abc2e13c030f23e070a90b0aa90435fdc8ca3d42a9b2583dcf8d966

Download Submit
memory/912-89-0x0000000000000000-mapping.dmp

Download
memory/912-92-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/944-78-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/944-87-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/944-76-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/944-77-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/944-75-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/944-79-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/944-80-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/944-81-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/944-82-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/944-83-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/944-84-0x000000000042F76C-mapping.dmp

Download
memory/944-86-0x00000000754A1000-0x00000000754A3000-memory.dmp

Filesize
8KB

Download
memory/968-60-0x0000000000000000-mapping.dmp

Download
memory/1148-96-0x0000000000000000-mapping.dmp

Download
memory/1540-55-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/1540-57-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/1540-58-0x0000000000A50000-0x0000000000A71000-memory.dmp

Filesize
132KB

Download
memory/1540-59-0x00000000022D1000-0x00000000022D2000-memory.dmp

Filesize
4KB

Download
memory/1820-61-0x0000000000000000-mapping.dmp

Download
memory/1952-70-0x0000000004C21000-0x0000000004C22000-memory.dmp

Filesize
4KB

Download
memory/1952-63-0x0000000000000000-mapping.dmp

Download
memory/1952-66-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1952-68-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/1952-72-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/1952-71-0x0000000002120000-0x000000000212B000-memory.dmp

Filesize
44KB

Download