remcos | d38185c3dd6800479186992141c2b6c804e06efe4fdc16b35b804cc987a5ba45

General

Target

POEA LIST OF DELISTED AGENCIES.PDF.exe
Size

985KB
MD5

42f2b26bcd9ad840f1445785726449f1
SHA1

d5861e7a6217dc6f1f5c2309bd617b5f0ca371dc
SHA256

10bd3e2c0e8caf01756c71de42d8656875a64daae61ec1b8175a84fb064c94e4
SHA512

b57e1cd214c91159449aac8304033aa104001fd4c53e0dae659e883cd9aa1709cf6a42b0cd175ccc1e4f432b131eeea4fe4b46ea14a73c40ad2de15c0116edb7

Score

10^/10

remcos july-logs persistence rat suricata

Malware Config

Extracted

Family

remcos

Version

2.5.1 Pro

Botnet

JULY-LOGS

C2

alhabib4rec.freeddns.org:2404

alhabib4rec.ddns.net:2404

alhabib4rec.duckdns.org:2404

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-5YOI67
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
suricata: ET MALWARE Remcos RAT Checkin 23
suricata: ET MALWARE Remcos RAT Checkin 23
suricata
Executes dropped EXE 2 IoCs

Processes:

tlpmgdweq.pifRegSvcs.exe

pid process

2224 tlpmgdweq.pif
5088 RegSvcs.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POEA LIST OF DELISTED AGENCIES.PDF.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	POEA LIST OF DELISTED AGENCIES.PDF.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tlpmgdweq.pif

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	tlpmgdweq.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\59909268\\TLPMGD~1.PIF C:\\Users\\Admin\\AppData\\Roaming\\59909268\\nlncgw.ath"	tlpmgdweq.pif

Suspicious use of SetThreadContext 1 IoCs

Processes:

tlpmgdweq.pif

description pid process target process

PID 2224 set thread context of 5088 2224 tlpmgdweq.pif RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2224 set thread context of 5088	2224	tlpmgdweq.pif	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tlpmgdweq.pif

pid	process
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif
2224	tlpmgdweq.pif

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

5088 RegSvcs.exe

pid	process
5088	RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

POEA LIST OF DELISTED AGENCIES.PDF.exetlpmgdweq.pif

description	pid	process	target process
PID 2896 wrote to memory of 2224	2896	POEA LIST OF DELISTED AGENCIES.PDF.exe	tlpmgdweq.pif
PID 2896 wrote to memory of 2224	2896	POEA LIST OF DELISTED AGENCIES.PDF.exe	tlpmgdweq.pif
PID 2896 wrote to memory of 2224	2896	POEA LIST OF DELISTED AGENCIES.PDF.exe	tlpmgdweq.pif
PID 2224 wrote to memory of 5088	2224	tlpmgdweq.pif	RegSvcs.exe
PID 2224 wrote to memory of 5088	2224	tlpmgdweq.pif	RegSvcs.exe
PID 2224 wrote to memory of 5088	2224	tlpmgdweq.pif	RegSvcs.exe
PID 2224 wrote to memory of 5088	2224	tlpmgdweq.pif	RegSvcs.exe
PID 2224 wrote to memory of 5088	2224	tlpmgdweq.pif	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\POEA LIST OF DELISTED AGENCIES.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\POEA LIST OF DELISTED AGENCIES.PDF.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2896

C:\Users\Admin\AppData\Roaming\59909268\tlpmgdweq.pif
"C:\Users\Admin\AppData\Roaming\59909268\tlpmgdweq.pif" nlncgw.ath
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2224

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Roaming\59909268\nlncgw.ath
Filesize
185.0MB

MD5
914ef797d945f434361d12e0fe005782

SHA1
5caac973d566840580e960a64423c551b660becf

SHA256
74e401773c87cc279e1e55192408043e2d61e78e8cdbfa625f3b755f6ffa372b

SHA512
318a31cb84c3dc58193f4895aef2227410345993fe5d89424676e67d7cdbdcabd186736599ea922008c29cbd992e3c2b1486eded6481edfb80d070ff96022ee1

Download Submit
C:\Users\Admin\AppData\Roaming\59909268\tlpmgdweq.pif
Filesize
647KB

MD5
9fc46b6036032a8d8a89e3567a3dcec3

SHA1
42dcd68b4a35686b000a18efb4c2b2ae07d5cc94

SHA256
0e96860caa7e17fdcacac170b59189eb500761d5a80954d92e7f7b0ecb6b9534

SHA512
45c10d083b1abc6cfcb54cd5d1a5343c1f8b25ac89c3800b173634073204a94cc7bbbe52caa2c465af739a438cc0df7daf2a62defc5220b2b72e507dbae0be3d

Download Submit
C:\Users\Admin\AppData\Roaming\59909268\tlpmgdweq.pif
Filesize
647KB

MD5
9fc46b6036032a8d8a89e3567a3dcec3

SHA1
42dcd68b4a35686b000a18efb4c2b2ae07d5cc94

SHA256
0e96860caa7e17fdcacac170b59189eb500761d5a80954d92e7f7b0ecb6b9534

SHA512
45c10d083b1abc6cfcb54cd5d1a5343c1f8b25ac89c3800b173634073204a94cc7bbbe52caa2c465af739a438cc0df7daf2a62defc5220b2b72e507dbae0be3d

Download Submit
C:\Users\Admin\AppData\Roaming\59909268\tnblkocel.bin
Filesize
301KB

MD5
1db5057da63cb0c1e451f2afec2993df

SHA1
104400efd20a63fd4f19816c7de44b13e8dcea64

SHA256
b8f7e2ab29a5037ea36d11387cf6260d71a23721f03275ccb863e8ca2bee9d6a

SHA512
b44d6ffdeb0063d2016840f9538d5b818cacc167cf22cffc0878ff857d251096a31155bf53c00637f3f34ab627cab54f27b23858d3ed10503df935b8e169c1dd

Download Submit
memory/2224-130-0x0000000000000000-mapping.dmp

Download
memory/5088-136-0x0000000000713B74-mapping.dmp

Download
memory/5088-135-0x0000000000700000-0x0000000000CD4000-memory.dmp

Filesize
5.8MB

Download
memory/5088-139-0x0000000000700000-0x0000000000CD4000-memory.dmp

Filesize
5.8MB

Download
memory/5088-140-0x0000000000700000-0x0000000000CD4000-memory.dmp

Filesize
5.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads