remcos | e3c4caeafd8e19662239571bd3eee795d2ffb003953ce5eb06026a1be72b32e0

General

Target

Request for quotation,pdf.exe
Size

607KB
MD5

0d8326f60911be3f5c0662eb33d52f25
SHA1

d4a33d7c5998e076f5fe4b16544c87fd6f82b144
SHA256

e3c4caeafd8e19662239571bd3eee795d2ffb003953ce5eb06026a1be72b32e0
SHA512

8dfb7853f4f54940baeaf1389b393fcc5e3ed5116ce586b50827f851ac9a72fb8200ab54f0100a8e54d341e182a0a0521fd8721433deb0a9dd4ee07c2cd9cb07

Score

10^/10

remcos zubby persistence rat

Malware Config

Extracted

Family

remcos

Version

3.2.0 Pro

Botnet

ZUBBY

C2

newlogs.ddns.net:4312

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-8UKXGF
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

PasswordOnWakeSettingFlyout.exePasswordOnWakeSettingFlyout.exe

pid process

2040 PasswordOnWakeSettingFlyout.exe
1992 PasswordOnWakeSettingFlyout.exe

pid	process
2040	PasswordOnWakeSettingFlyout.exe
1992	PasswordOnWakeSettingFlyout.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Request for quotation,pdf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fopvpkxy = "C:\\Users\\Admin\\yxkpvpoF.url"	Request for quotation,pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2000 PING.EXE

pid	process
2000	PING.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

Request for quotation,pdf.execmd.execmd.exe

description	pid	process	target process
PID 1652 wrote to memory of 1120	1652	Request for quotation,pdf.exe	logagent.exe
PID 1652 wrote to memory of 1120	1652	Request for quotation,pdf.exe	logagent.exe
PID 1652 wrote to memory of 1120	1652	Request for quotation,pdf.exe	logagent.exe
PID 1652 wrote to memory of 1120	1652	Request for quotation,pdf.exe	logagent.exe
PID 1652 wrote to memory of 1120	1652	Request for quotation,pdf.exe	logagent.exe
PID 1652 wrote to memory of 1120	1652	Request for quotation,pdf.exe	logagent.exe
PID 1652 wrote to memory of 1120	1652	Request for quotation,pdf.exe	logagent.exe
PID 1652 wrote to memory of 1120	1652	Request for quotation,pdf.exe	logagent.exe
PID 1652 wrote to memory of 1120	1652	Request for quotation,pdf.exe	logagent.exe
PID 1652 wrote to memory of 1120	1652	Request for quotation,pdf.exe	logagent.exe
PID 1652 wrote to memory of 1120	1652	Request for quotation,pdf.exe	logagent.exe
PID 1652 wrote to memory of 1120	1652	Request for quotation,pdf.exe	logagent.exe
PID 1652 wrote to memory of 1120	1652	Request for quotation,pdf.exe	logagent.exe
PID 1652 wrote to memory of 1120	1652	Request for quotation,pdf.exe	logagent.exe
PID 1652 wrote to memory of 1120	1652	Request for quotation,pdf.exe	logagent.exe
PID 1652 wrote to memory of 1120	1652	Request for quotation,pdf.exe	logagent.exe
PID 1652 wrote to memory of 1756	1652	Request for quotation,pdf.exe	cmd.exe
PID 1652 wrote to memory of 1756	1652	Request for quotation,pdf.exe	cmd.exe
PID 1652 wrote to memory of 1756	1652	Request for quotation,pdf.exe	cmd.exe
PID 1652 wrote to memory of 1756	1652	Request for quotation,pdf.exe	cmd.exe
PID 1756 wrote to memory of 1028	1756	cmd.exe	cmd.exe
PID 1756 wrote to memory of 1028	1756	cmd.exe	cmd.exe
PID 1756 wrote to memory of 1028	1756	cmd.exe	cmd.exe
PID 1756 wrote to memory of 1028	1756	cmd.exe	cmd.exe
PID 1028 wrote to memory of 2000	1028	cmd.exe	PING.EXE
PID 1028 wrote to memory of 2000	1028	cmd.exe	PING.EXE
PID 1028 wrote to memory of 2000	1028	cmd.exe	PING.EXE
PID 1028 wrote to memory of 2000	1028	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\Request for quotation,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Request for quotation,pdf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\logagent.exe
C:\Windows\System32\logagent.exe
2⤵
PID:1120

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\Fopvpkxyt.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\FopvpkxyO.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows \System32\PasswordOnWakeSettingFlyout.exe
"C:\Windows \System32\PasswordOnWakeSettingFlyout.exe"
4⤵
- Executes dropped EXE
PID:2040

C:\Windows \System32\PasswordOnWakeSettingFlyout.exe
"C:\Windows \System32\PasswordOnWakeSettingFlyout.exe"
4⤵
- Executes dropped EXE
PID:1992

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 6
4⤵
- Runs ping.exe
PID:2000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\FopvpkxyO.bat
MD5
9d129b87ea5d68b76a8a6f098ee239bb

SHA1
e23837a4d7cc3235b8d876c9a61ad26468a026b0

SHA256
828f0819e547b8b60afa2a6124bee209a87a18be0680006d3ac1bfeafe6c1b4f

SHA512
8fd03fbc363dfff504209ef8a547ebb021824d74bfa0a1401955f388b371f19246392db825e6ea26566195d1bb096e58490c09565d6fc6871833ab4a11e53d11

Download Submit
C:\Users\Admin\Fopvpkxyt.bat
MD5
7e5eca360524bcaec0544eb4e4c8e820

SHA1
97b74eab8c9b15b4b67754c4a4fb54c257a546ef

SHA256
5b37de69c447d8292c720c8cf645a2ef503653017f4c3c87bf119d99732e752f

SHA512
bd68beca3b2386a1ca5280cc61b0c0efd37193dc736fd9a30d9bb1b1e747d36ce682c2edc80b076f4564ad0ca77cd01e5a391557535d4b7a33df1052f9d86429

Download Submit
C:\Users\Admin\KDECO.bat
MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
C:\Users\Admin\PasswordOnWakeSettingFlyout.exe
MD5
591a98c65f624c52882c2b238d6cd4c4

SHA1
c960d08c19d777069cf265dcc281807fbd8502d7

SHA256
5e6ed524c955fb1ea3e24f132987143da3ec81db5041a0edcfa7bf3ac790eb06

SHA512
1999f23c90d85857461f8ddc5342470296f6939a654ac015780c2977f293c1f799fc992462f3d4d9181c97ab960db3291b85ea7c0537edcb57755706b20b6074

Download Submit
C:\Users\Admin\uxtheme.dll
MD5
64854e08792b761b973556cdf1522f26

SHA1
851cd539768c26b407e3ba8cc75d87ed1dd8423d

SHA256
c264b40c7308aad3df416c750c64a5fb80540095ac725002686dd25c4dbf2b17

SHA512
9508f59a05165068601f5961d7031b5c78257d682eb6fd7dae3dd41b6ec9f9679855260944fe38b3e05aaeef938a03a8a11a81bf97985743456c8acd5d665bb6

Download Submit
C:\Windows \System32\PasswordOnWakeSettingFlyout.exe
MD5
591a98c65f624c52882c2b238d6cd4c4

SHA1
c960d08c19d777069cf265dcc281807fbd8502d7

SHA256
5e6ed524c955fb1ea3e24f132987143da3ec81db5041a0edcfa7bf3ac790eb06

SHA512
1999f23c90d85857461f8ddc5342470296f6939a654ac015780c2977f293c1f799fc992462f3d4d9181c97ab960db3291b85ea7c0537edcb57755706b20b6074

Download Submit
C:\Windows \System32\PasswordOnWakeSettingFlyout.exe
MD5
591a98c65f624c52882c2b238d6cd4c4

SHA1
c960d08c19d777069cf265dcc281807fbd8502d7

SHA256
5e6ed524c955fb1ea3e24f132987143da3ec81db5041a0edcfa7bf3ac790eb06

SHA512
1999f23c90d85857461f8ddc5342470296f6939a654ac015780c2977f293c1f799fc992462f3d4d9181c97ab960db3291b85ea7c0537edcb57755706b20b6074

Download Submit
memory/1028-85-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/1028-77-0x0000000000000000-mapping.dmp

Download
memory/1120-67-0x0000000072600000-0x000000007267C000-memory.dmp

Filesize
496KB

Download
memory/1120-75-0x0000000072600000-0x000000007267C000-memory.dmp

Filesize
496KB

Download
memory/1120-74-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1120-72-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1120-73-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1120-57-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1120-58-0x0000000000000000-mapping.dmp

Download
memory/1120-87-0x0000000000470000-0x00000000004E9000-memory.dmp

Filesize
484KB

Download
memory/1652-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1652-56-0x00000000004F1000-0x0000000000505000-memory.dmp

Filesize
80KB

Download
memory/1652-55-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1756-70-0x0000000000000000-mapping.dmp

Download
memory/2000-86-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing