remcos | e1283a5b801014d33c4541d22f8069e6c7003073404cbcbde501a32cd39aac74

General

Target

POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe
Size

1.0MB
MD5

10bd35143e96d238c1c877dd2876da0a
SHA1

44b3c0d42a56605de95f9953432b6f6b9486300c
SHA256

b85ba05f52b6a5c66037d81e9b5bfd046202ce5de9136e4995822b2fe6405175
SHA512

2d47ee630f6f9912cd3acc455344c753248f1f0f2f62676aa94d9e4112a08f88dd6b6219260367bfdbc57724e4d3eb4a567ea5da14bfa503cdf05cb40d4826ab

Score

10^/10

remcos august-bless-me persistence rat suricata

Malware Config

Extracted

Family

remcos

Version

2.5.1 Pro

Botnet

AUGUST-BLESS-ME

C2

officer170.webredirect.org:2404

chidera12345.ddns.net:2404

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-T7VXCL
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
suricata: ET MALWARE Remcos RAT Checkin 23
suricata: ET MALWARE Remcos RAT Checkin 23
suricata
Executes dropped EXE 2 IoCs

Processes:

asku.pifRegSvcs.exe

pid process

1292 asku.pif
1532 RegSvcs.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

asku.pif

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	asku.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\99809826\\asku.pif c:\\99809826\\IDWUOP~1.EXM"	asku.pif

Suspicious use of SetThreadContext 1 IoCs

Processes:

asku.pif

description pid process target process

PID 1292 set thread context of 1532 1292 asku.pif RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1292 set thread context of 1532	1292	asku.pif	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

asku.pif

pid	process
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif
1292	asku.pif

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

1532 RegSvcs.exe

pid	process
1532	RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exeasku.pif

description	pid	process	target process
PID 2388 wrote to memory of 1292	2388	POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe	asku.pif
PID 2388 wrote to memory of 1292	2388	POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe	asku.pif
PID 2388 wrote to memory of 1292	2388	POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe	asku.pif
PID 1292 wrote to memory of 1532	1292	asku.pif	RegSvcs.exe
PID 1292 wrote to memory of 1532	1292	asku.pif	RegSvcs.exe
PID 1292 wrote to memory of 1532	1292	asku.pif	RegSvcs.exe
PID 1292 wrote to memory of 1532	1292	asku.pif	RegSvcs.exe
PID 1292 wrote to memory of 1532	1292	asku.pif	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2388

C:\99809826\asku.pif
"C:\99809826\asku.pif" idwuopbrak.exm
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\99809826\asku.pif
Filesize
712KB

MD5
43e7db53ce5c130179aef5b47dcf7608

SHA1
5398e207d9ad301860b570d87601c1664ada9c0a

SHA256
9c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1

SHA512
a79f8094152f4f0cb5f0763bc4cdfdc9061af322dfee1bac043de0ac7581f2a7b35841924fe224ecc73b6bda1fba6811045e513d45e8f3598ca6ec313b7103f4

Download Submit
C:\99809826\asku.pif
Filesize
712KB

MD5
43e7db53ce5c130179aef5b47dcf7608

SHA1
5398e207d9ad301860b570d87601c1664ada9c0a

SHA256
9c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1

SHA512
a79f8094152f4f0cb5f0763bc4cdfdc9061af322dfee1bac043de0ac7581f2a7b35841924fe224ecc73b6bda1fba6811045e513d45e8f3598ca6ec313b7103f4

Download Submit
C:\99809826\idwuopbrak.exm
Filesize
213.5MB

MD5
473814d436865cb8793a4203c6f2fbe1

SHA1
5c624c51bb373b84e6507ccfbe0ec9167a35b0c5

SHA256
c2e1f2c3cc59cf159240757253a48a3716c3b469e105f2ba70f7cd5fc017a81b

SHA512
db32f5b88216862902f1abd6c7f9a267ae3b19104abb38aec8d6c404f0d26cb563f4131f60c43f0db25402c50057019b694063663e0f7130bbd16f26c1449087

Download Submit
C:\99809826\itbq.dat
Filesize
303KB

MD5
d98ac636e189c4c686dd58ae8a9bac4a

SHA1
9b92bc50854c88da6131ecd12f8a8713b82e9dcc

SHA256
2fda035718648f3834a04737aafeae5a612101c13f6965dcc58b5df334401b48

SHA512
430be4fa29518324799dac332e0c0043fd95107d9c7976a6ae9cbe29703fe683c7434d92dae21272935afe6d3c06109739dfa92254689409b5372a212d2a8e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
memory/1292-130-0x0000000000000000-mapping.dmp

Download
memory/1532-135-0x0000000000B00000-0x0000000001045000-memory.dmp

Filesize
5.3MB

Download
memory/1532-136-0x0000000000B13B74-mapping.dmp

Download
memory/1532-139-0x0000000000B00000-0x0000000001045000-memory.dmp

Filesize
5.3MB

Download
memory/1532-140-0x0000000000B00000-0x0000000001045000-memory.dmp

Filesize
5.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads