remcos | 5d97621e71741cf4e2b90ebd16281ddb2c1fe806b3c4e6be5aef738cdf79089b

General

Target

4841f41452ae6adfbfdcaa30e253261f.exe
Size

480KB
MD5

4841f41452ae6adfbfdcaa30e253261f
SHA1

5a51f6bddb0e890a710fe8c13017e8902e7123fd
SHA256

5d97621e71741cf4e2b90ebd16281ddb2c1fe806b3c4e6be5aef738cdf79089b
SHA512

220bca133859810728fc6d2df5ad8f789e4e1138ca76d51c809474ca721259863cbb9b81435fd9e9379a61f615816607eaa9414349625762a02ce60271444e1d

Score

10^/10

remcos 06192022 persistence rat

Malware Config

Extracted

Family

remcos

Botnet

06192022

C2

nikahuve.ac.ug:6968

kalskala.ac.ug:6968

tuekisaa.ac.ug:6968

parthaha.ac.ug:6968

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
scxs.dat
keylog_flag
false
keylog_folder
forbas
keylog_path
%AppData%
mouse_option
false
mutex
cvxyttydfsgbghfgfhtd-RXTSAM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4841f41452ae6adfbfdcaa30e253261f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yjlgdlfzs = "\"C:\\Users\\Admin\\AppData\\Roaming\\Dgzivqk\\Yjlgdlfzs.exe\""	4841f41452ae6adfbfdcaa30e253261f.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4841f41452ae6adfbfdcaa30e253261f.exe

description pid process target process

PID 1092 set thread context of 1952 1092 4841f41452ae6adfbfdcaa30e253261f.exe InstallUtil.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

4841f41452ae6adfbfdcaa30e253261f.exe

pid process

1092 4841f41452ae6adfbfdcaa30e253261f.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4841f41452ae6adfbfdcaa30e253261f.exe

description pid process

Token: SeDebugPrivilege 1092 4841f41452ae6adfbfdcaa30e253261f.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

InstallUtil.exe

pid process

1952 InstallUtil.exe

description	pid	process	target process
PID 1092 set thread context of 1952	1092	4841f41452ae6adfbfdcaa30e253261f.exe	InstallUtil.exe

pid	process
1092	4841f41452ae6adfbfdcaa30e253261f.exe

description	pid	process
Token: SeDebugPrivilege	1092	4841f41452ae6adfbfdcaa30e253261f.exe

pid	process
1952	InstallUtil.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

4841f41452ae6adfbfdcaa30e253261f.exe

description	pid	process	target process
PID 1092 wrote to memory of 1952	1092	4841f41452ae6adfbfdcaa30e253261f.exe	InstallUtil.exe
PID 1092 wrote to memory of 1952	1092	4841f41452ae6adfbfdcaa30e253261f.exe	InstallUtil.exe
PID 1092 wrote to memory of 1952	1092	4841f41452ae6adfbfdcaa30e253261f.exe	InstallUtil.exe
PID 1092 wrote to memory of 1952	1092	4841f41452ae6adfbfdcaa30e253261f.exe	InstallUtil.exe
PID 1092 wrote to memory of 1952	1092	4841f41452ae6adfbfdcaa30e253261f.exe	InstallUtil.exe
PID 1092 wrote to memory of 1952	1092	4841f41452ae6adfbfdcaa30e253261f.exe	InstallUtil.exe
PID 1092 wrote to memory of 1952	1092	4841f41452ae6adfbfdcaa30e253261f.exe	InstallUtil.exe
PID 1092 wrote to memory of 1952	1092	4841f41452ae6adfbfdcaa30e253261f.exe	InstallUtil.exe
PID 1092 wrote to memory of 1952	1092	4841f41452ae6adfbfdcaa30e253261f.exe	InstallUtil.exe
PID 1092 wrote to memory of 1952	1092	4841f41452ae6adfbfdcaa30e253261f.exe	InstallUtil.exe
PID 1092 wrote to memory of 1952	1092	4841f41452ae6adfbfdcaa30e253261f.exe	InstallUtil.exe
PID 1092 wrote to memory of 1952	1092	4841f41452ae6adfbfdcaa30e253261f.exe	InstallUtil.exe
PID 1092 wrote to memory of 1952	1092	4841f41452ae6adfbfdcaa30e253261f.exe	InstallUtil.exe
PID 1092 wrote to memory of 1952	1092	4841f41452ae6adfbfdcaa30e253261f.exe	InstallUtil.exe
PID 1092 wrote to memory of 1952	1092	4841f41452ae6adfbfdcaa30e253261f.exe	InstallUtil.exe
PID 1092 wrote to memory of 1952	1092	4841f41452ae6adfbfdcaa30e253261f.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\4841f41452ae6adfbfdcaa30e253261f.exe
"C:\Users\Admin\AppData\Local\Temp\4841f41452ae6adfbfdcaa30e253261f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:1952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1092-54-0x0000000001090000-0x000000000110E000-memory.dmp

Filesize
504KB

Download
memory/1092-55-0x0000000076571000-0x0000000076573000-memory.dmp

Filesize
8KB

Download
memory/1092-56-0x00000000006D0000-0x000000000075A000-memory.dmp

Filesize
552KB

Download
memory/1092-57-0x00000000004F0000-0x000000000053C000-memory.dmp

Filesize
304KB

Download
memory/1952-58-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1952-59-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1952-61-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1952-63-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1952-64-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1952-65-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1952-66-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1952-68-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1952-71-0x000000000043133D-mapping.dmp

Download
memory/1952-70-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1952-74-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1952-75-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1952-76-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing