remcos | d38185c3dd6800479186992141c2b6c804e06efe4fdc16b35b804cc987a5ba45

Analysis

max time kernel
150s
max time network
138s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

POEA LIST OF DELISTED AGENCIES.PDF.exe
Size

985KB
MD5

42f2b26bcd9ad840f1445785726449f1
SHA1

d5861e7a6217dc6f1f5c2309bd617b5f0ca371dc
SHA256

10bd3e2c0e8caf01756c71de42d8656875a64daae61ec1b8175a84fb064c94e4
SHA512

b57e1cd214c91159449aac8304033aa104001fd4c53e0dae659e883cd9aa1709cf6a42b0cd175ccc1e4f432b131eeea4fe4b46ea14a73c40ad2de15c0116edb7

Score

10^/10

remcos july-logs persistence rat suricata

Malware Config

Extracted

Family

remcos

Version

2.5.1 Pro

Botnet

JULY-LOGS

alhabib4rec.freeddns.org:2404

alhabib4rec.ddns.net:2404

alhabib4rec.duckdns.org:2404

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-5YOI67
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
suricata: ET MALWARE Remcos RAT Checkin 23
suricata: ET MALWARE Remcos RAT Checkin 23
suricata
Executes dropped EXE 2 IoCs

Processes:

tlpmgdweq.pifRegSvcs.exe

pid process

1168 tlpmgdweq.pif
1844 RegSvcs.exe

Loads dropped DLL 5 IoCs

Processes:

POEA LIST OF DELISTED AGENCIES.PDF.exetlpmgdweq.pif

pid	process
1324	POEA LIST OF DELISTED AGENCIES.PDF.exe
1324	POEA LIST OF DELISTED AGENCIES.PDF.exe
1324	POEA LIST OF DELISTED AGENCIES.PDF.exe
1324	POEA LIST OF DELISTED AGENCIES.PDF.exe
1168	tlpmgdweq.pif

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tlpmgdweq.pif

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	tlpmgdweq.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\59909268\\TLPMGD~1.PIF C:\\Users\\Admin\\AppData\\Roaming\\59909268\\nlncgw.ath"	tlpmgdweq.pif

Suspicious use of SetThreadContext 1 IoCs

Processes:

tlpmgdweq.pif

description pid process target process

PID 1168 set thread context of 1844 1168 tlpmgdweq.pif RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1168 set thread context of 1844	1168	tlpmgdweq.pif	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tlpmgdweq.pif

pid	process
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif
1168	tlpmgdweq.pif

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

1844 RegSvcs.exe

pid	process
1844	RegSvcs.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

POEA LIST OF DELISTED AGENCIES.PDF.exetlpmgdweq.pif

description	pid	process	target process
PID 1324 wrote to memory of 1168	1324	POEA LIST OF DELISTED AGENCIES.PDF.exe	tlpmgdweq.pif
PID 1324 wrote to memory of 1168	1324	POEA LIST OF DELISTED AGENCIES.PDF.exe	tlpmgdweq.pif
PID 1324 wrote to memory of 1168	1324	POEA LIST OF DELISTED AGENCIES.PDF.exe	tlpmgdweq.pif
PID 1324 wrote to memory of 1168	1324	POEA LIST OF DELISTED AGENCIES.PDF.exe	tlpmgdweq.pif
PID 1168 wrote to memory of 1844	1168	tlpmgdweq.pif	RegSvcs.exe
PID 1168 wrote to memory of 1844	1168	tlpmgdweq.pif	RegSvcs.exe
PID 1168 wrote to memory of 1844	1168	tlpmgdweq.pif	RegSvcs.exe
PID 1168 wrote to memory of 1844	1168	tlpmgdweq.pif	RegSvcs.exe
PID 1168 wrote to memory of 1844	1168	tlpmgdweq.pif	RegSvcs.exe
PID 1168 wrote to memory of 1844	1168	tlpmgdweq.pif	RegSvcs.exe
PID 1168 wrote to memory of 1844	1168	tlpmgdweq.pif	RegSvcs.exe
PID 1168 wrote to memory of 1844	1168	tlpmgdweq.pif	RegSvcs.exe
PID 1168 wrote to memory of 1844	1168	tlpmgdweq.pif	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\POEA LIST OF DELISTED AGENCIES.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\POEA LIST OF DELISTED AGENCIES.PDF.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Roaming\59909268\tlpmgdweq.pif
"C:\Users\Admin\AppData\Roaming\59909268\tlpmgdweq.pif" nlncgw.ath
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1168

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Roaming\59909268\nlncgw.ath
Filesize
185.0MB

MD5
914ef797d945f434361d12e0fe005782

SHA1
5caac973d566840580e960a64423c551b660becf

SHA256
74e401773c87cc279e1e55192408043e2d61e78e8cdbfa625f3b755f6ffa372b

SHA512
318a31cb84c3dc58193f4895aef2227410345993fe5d89424676e67d7cdbdcabd186736599ea922008c29cbd992e3c2b1486eded6481edfb80d070ff96022ee1

Download Submit
C:\Users\Admin\AppData\Roaming\59909268\tlpmgdweq.pif
Filesize
647KB

MD5
9fc46b6036032a8d8a89e3567a3dcec3

SHA1
42dcd68b4a35686b000a18efb4c2b2ae07d5cc94

SHA256
0e96860caa7e17fdcacac170b59189eb500761d5a80954d92e7f7b0ecb6b9534

SHA512
45c10d083b1abc6cfcb54cd5d1a5343c1f8b25ac89c3800b173634073204a94cc7bbbe52caa2c465af739a438cc0df7daf2a62defc5220b2b72e507dbae0be3d

Download Submit
C:\Users\Admin\AppData\Roaming\59909268\tnblkocel.bin
Filesize
301KB

MD5
1db5057da63cb0c1e451f2afec2993df

SHA1
104400efd20a63fd4f19816c7de44b13e8dcea64

SHA256
b8f7e2ab29a5037ea36d11387cf6260d71a23721f03275ccb863e8ca2bee9d6a

SHA512
b44d6ffdeb0063d2016840f9538d5b818cacc167cf22cffc0878ff857d251096a31155bf53c00637f3f34ab627cab54f27b23858d3ed10503df935b8e169c1dd

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Roaming\59909268\tlpmgdweq.pif
Filesize
647KB

MD5
9fc46b6036032a8d8a89e3567a3dcec3

SHA1
42dcd68b4a35686b000a18efb4c2b2ae07d5cc94

SHA256
0e96860caa7e17fdcacac170b59189eb500761d5a80954d92e7f7b0ecb6b9534

SHA512
45c10d083b1abc6cfcb54cd5d1a5343c1f8b25ac89c3800b173634073204a94cc7bbbe52caa2c465af739a438cc0df7daf2a62defc5220b2b72e507dbae0be3d

Download Submit
\Users\Admin\AppData\Roaming\59909268\tlpmgdweq.pif
Filesize
647KB

MD5
9fc46b6036032a8d8a89e3567a3dcec3

SHA1
42dcd68b4a35686b000a18efb4c2b2ae07d5cc94

SHA256
0e96860caa7e17fdcacac170b59189eb500761d5a80954d92e7f7b0ecb6b9534

SHA512
45c10d083b1abc6cfcb54cd5d1a5343c1f8b25ac89c3800b173634073204a94cc7bbbe52caa2c465af739a438cc0df7daf2a62defc5220b2b72e507dbae0be3d

Download Submit
\Users\Admin\AppData\Roaming\59909268\tlpmgdweq.pif
Filesize
647KB

MD5
9fc46b6036032a8d8a89e3567a3dcec3

SHA1
42dcd68b4a35686b000a18efb4c2b2ae07d5cc94

SHA256
0e96860caa7e17fdcacac170b59189eb500761d5a80954d92e7f7b0ecb6b9534

SHA512
45c10d083b1abc6cfcb54cd5d1a5343c1f8b25ac89c3800b173634073204a94cc7bbbe52caa2c465af739a438cc0df7daf2a62defc5220b2b72e507dbae0be3d

Download Submit
\Users\Admin\AppData\Roaming\59909268\tlpmgdweq.pif
Filesize
647KB

MD5
9fc46b6036032a8d8a89e3567a3dcec3

SHA1
42dcd68b4a35686b000a18efb4c2b2ae07d5cc94

SHA256
0e96860caa7e17fdcacac170b59189eb500761d5a80954d92e7f7b0ecb6b9534

SHA512
45c10d083b1abc6cfcb54cd5d1a5343c1f8b25ac89c3800b173634073204a94cc7bbbe52caa2c465af739a438cc0df7daf2a62defc5220b2b72e507dbae0be3d

Download Submit
memory/1168-59-0x0000000000000000-mapping.dmp

Download
memory/1324-54-0x0000000076011000-0x0000000076013000-memory.dmp

Filesize
8KB

Download
memory/1844-65-0x0000000000430000-0x00000000008EA000-memory.dmp

Filesize
4.7MB

Download
memory/1844-67-0x0000000000430000-0x00000000008EA000-memory.dmp

Filesize
4.7MB

Download
memory/1844-68-0x0000000000443B74-mapping.dmp

Download
memory/1844-72-0x0000000000430000-0x00000000008EA000-memory.dmp

Filesize
4.7MB

Download
memory/1844-73-0x0000000000430000-0x00000000008EA000-memory.dmp

Filesize
4.7MB

Download