remcos | 136323478fd3e7267b27501ec5842ec44521355cde59927d937592072f6eaf7d

General

Target

136323478fd3e7267b27501ec5842ec44521355cde59927d937592072f6eaf7d.exe
Size

601KB
MD5

acae2d53ce7306de623253231a20fbfd
SHA1

56d620570ac28af58bff4ef3a84c4881af1935dc
SHA256

136323478fd3e7267b27501ec5842ec44521355cde59927d937592072f6eaf7d
SHA512

ad5a451627c32c2c13960fa316916720b308689fa3f764c421481edaaa571fab6e8e338434d83909c0f889e0a2495dc87af2407f873d9fdc16ff4ee9a6a31b0d

Score

10^/10

remcos host persistence rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

chimmyxx.ipq.co:24462

chiboy22.ddns.net:24462

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
ffsgdgshdn.exe
copy_folder
Iexplorer
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
remcos_twxpgawnqoqduxy
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 1 IoCs

pid	Process
1736	ffsgdgshdn.exe

Loads dropped DLL 2 IoCs

pid	Process
1060	cmd.exe
1060	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\	136323478fd3e7267b27501ec5842ec44521355cde59927d937592072f6eaf7d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Iexplorer\\ffsgdgshdn.exe\""	136323478fd3e7267b27501ec5842ec44521355cde59927d937592072f6eaf7d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1540 set thread context of 1052	1540	136323478fd3e7267b27501ec5842ec44521355cde59927d937592072f6eaf7d.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
912	PING.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1540	136323478fd3e7267b27501ec5842ec44521355cde59927d937592072f6eaf7d.exe
1736	ffsgdgshdn.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1052	136323478fd3e7267b27501ec5842ec44521355cde59927d937592072f6eaf7d.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 1052	1540	136323478fd3e7267b27501ec5842ec44521355cde59927d937592072f6eaf7d.exe	27
PID 1540 wrote to memory of 1052	1540	136323478fd3e7267b27501ec5842ec44521355cde59927d937592072f6eaf7d.exe	27
PID 1540 wrote to memory of 1052	1540	136323478fd3e7267b27501ec5842ec44521355cde59927d937592072f6eaf7d.exe	27
PID 1540 wrote to memory of 1052	1540	136323478fd3e7267b27501ec5842ec44521355cde59927d937592072f6eaf7d.exe	27
PID 1052 wrote to memory of 1060	1052	136323478fd3e7267b27501ec5842ec44521355cde59927d937592072f6eaf7d.exe	28
PID 1052 wrote to memory of 1060	1052	136323478fd3e7267b27501ec5842ec44521355cde59927d937592072f6eaf7d.exe	28
PID 1052 wrote to memory of 1060	1052	136323478fd3e7267b27501ec5842ec44521355cde59927d937592072f6eaf7d.exe	28
PID 1052 wrote to memory of 1060	1052	136323478fd3e7267b27501ec5842ec44521355cde59927d937592072f6eaf7d.exe	28
PID 1052 wrote to memory of 1060	1052	136323478fd3e7267b27501ec5842ec44521355cde59927d937592072f6eaf7d.exe	28
PID 1052 wrote to memory of 1060	1052	136323478fd3e7267b27501ec5842ec44521355cde59927d937592072f6eaf7d.exe	28
PID 1052 wrote to memory of 1060	1052	136323478fd3e7267b27501ec5842ec44521355cde59927d937592072f6eaf7d.exe	28
PID 1060 wrote to memory of 912	1060	cmd.exe	30
PID 1060 wrote to memory of 912	1060	cmd.exe	30
PID 1060 wrote to memory of 912	1060	cmd.exe	30
PID 1060 wrote to memory of 912	1060	cmd.exe	30
PID 1060 wrote to memory of 1736	1060	cmd.exe	31
PID 1060 wrote to memory of 1736	1060	cmd.exe	31
PID 1060 wrote to memory of 1736	1060	cmd.exe	31
PID 1060 wrote to memory of 1736	1060	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\136323478fd3e7267b27501ec5842ec44521355cde59927d937592072f6eaf7d.exe
"C:\Users\Admin\AppData\Local\Temp\136323478fd3e7267b27501ec5842ec44521355cde59927d937592072f6eaf7d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Users\Admin\AppData\Local\Temp\136323478fd3e7267b27501ec5842ec44521355cde59927d937592072f6eaf7d.exe
  C:\Users\Admin\AppData\Local\Temp\136323478fd3e7267b27501ec5842ec44521355cde59927d937592072f6eaf7d.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1060
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:912
  - - C:\Users\Admin\AppData\Roaming\Iexplorer\ffsgdgshdn.exe
      "C:\Users\Admin\AppData\Roaming\Iexplorer\ffsgdgshdn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
106B

MD5
e879aa5b99cecd71c3f4620e159ef15d

SHA1
c8a546f333cd0737dbbf248c9510c6e6ab69c1f8

SHA256
c8d41165b86621c6b916c65540c0eff6a5360caaefa48dbe70e37952ea422ee4

SHA512
815e7e0b492fb48b9116626750781d2acfc925779e48367cb1c0f888b190d10c3e819e9e6ca8a0b3c55f4fb90da41061d040b8473c97d182c371092cd8e83aa4

Download Submit
C:\Users\Admin\AppData\Roaming\Iexplorer\ffsgdgshdn.exe

Filesize
601KB

MD5
acae2d53ce7306de623253231a20fbfd

SHA1
56d620570ac28af58bff4ef3a84c4881af1935dc

SHA256
136323478fd3e7267b27501ec5842ec44521355cde59927d937592072f6eaf7d

SHA512
ad5a451627c32c2c13960fa316916720b308689fa3f764c421481edaaa571fab6e8e338434d83909c0f889e0a2495dc87af2407f873d9fdc16ff4ee9a6a31b0d

Download Submit
C:\Users\Admin\AppData\Roaming\Iexplorer\ffsgdgshdn.exe

Filesize
601KB

MD5
acae2d53ce7306de623253231a20fbfd

SHA1
56d620570ac28af58bff4ef3a84c4881af1935dc

SHA256
136323478fd3e7267b27501ec5842ec44521355cde59927d937592072f6eaf7d

SHA512
ad5a451627c32c2c13960fa316916720b308689fa3f764c421481edaaa571fab6e8e338434d83909c0f889e0a2495dc87af2407f873d9fdc16ff4ee9a6a31b0d

Download Submit
\Users\Admin\AppData\Roaming\Iexplorer\ffsgdgshdn.exe

Filesize
601KB

MD5
acae2d53ce7306de623253231a20fbfd

SHA1
56d620570ac28af58bff4ef3a84c4881af1935dc

SHA256
136323478fd3e7267b27501ec5842ec44521355cde59927d937592072f6eaf7d

SHA512
ad5a451627c32c2c13960fa316916720b308689fa3f764c421481edaaa571fab6e8e338434d83909c0f889e0a2495dc87af2407f873d9fdc16ff4ee9a6a31b0d

Download Submit
\Users\Admin\AppData\Roaming\Iexplorer\ffsgdgshdn.exe

Filesize
601KB

MD5
acae2d53ce7306de623253231a20fbfd

SHA1
56d620570ac28af58bff4ef3a84c4881af1935dc

SHA256
136323478fd3e7267b27501ec5842ec44521355cde59927d937592072f6eaf7d

SHA512
ad5a451627c32c2c13960fa316916720b308689fa3f764c421481edaaa571fab6e8e338434d83909c0f889e0a2495dc87af2407f873d9fdc16ff4ee9a6a31b0d

Download Submit
memory/1052-67-0x0000000076F30000-0x00000000770B0000-memory.dmp

Filesize
1.5MB

Download
memory/1052-63-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1540-56-0x0000000000250000-0x0000000000257000-memory.dmp

Filesize
28KB

Download
memory/1540-59-0x0000000076F30000-0x00000000770B0000-memory.dmp

Filesize
1.5MB

Download
memory/1540-57-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing