remcos | eedb6886b650f7bc37bb934679e35e14f8666352dc1de985936ca243d3f5fe9f

General

Target

5.exe
Size

463KB
MD5

b04d2ed0b42a05745993502ecdb2b919
SHA1

6c4ff60fa1b8192f20e4732b423f6611d1ff1a20
SHA256

eedb6886b650f7bc37bb934679e35e14f8666352dc1de985936ca243d3f5fe9f
SHA512

8272b4c96f93f15f4620c5b4512c99453e4beb0980b3fb4d2c608f2cf042f31a5f0745d0afa9e45b95f99f3489c2cdac591db3c143fcf758c442cf441def69f6
SSDEEP

6144:hOFBH/FMNjt18F+9a/NgAeDB4CcOtKp03b13a4LJ+sAOZZPWXbTcUn3yg:hOFtiNBuFgawDB4NOmuwsfZP4yg

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

hendersonk1.hopto.org:2404

henderson1.camdvr.org:2404

centplus1.serveftp.com:2404

harrywlike.ddns.net:2404

genekol.nsupdate.info:2404

harrywlike1.ddns.net:2404

hendersonk2022.hopto.org:2404

genekol1.nsupdate.info:2404

generem.camdvr.org:2404

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
sonic.exe
copy_folder
yakkk
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
gsgjdwg-ED8AWP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
fuckuuuuu
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 1 IoCs

pid	Process
956	sonic.exe

Loads dropped DLL 2 IoCs

pid	Process
888	cmd.exe
888	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
956	sonic.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 1324	1504	5.exe	26
PID 1504 wrote to memory of 1324	1504	5.exe	26
PID 1504 wrote to memory of 1324	1504	5.exe	26
PID 1504 wrote to memory of 1324	1504	5.exe	26
PID 1324 wrote to memory of 888	1324	WScript.exe	27
PID 1324 wrote to memory of 888	1324	WScript.exe	27
PID 1324 wrote to memory of 888	1324	WScript.exe	27
PID 1324 wrote to memory of 888	1324	WScript.exe	27
PID 888 wrote to memory of 956	888	cmd.exe	29
PID 888 wrote to memory of 956	888	cmd.exe	29
PID 888 wrote to memory of 956	888	cmd.exe	29
PID 888 wrote to memory of 956	888	cmd.exe	29

C:\Users\Admin\AppData\Local\Temp\5.exe
"C:\Users\Admin\AppData\Local\Temp\5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\yakkk\sonic.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Users\Admin\AppData\Roaming\yakkk\sonic.exe
      C:\Users\Admin\AppData\Roaming\yakkk\sonic.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
414B

MD5
70c091ce330be09a1a4b6d85e6838b02

SHA1
cb42a4cc53603b18f298e8adcdb4ad95468866c7

SHA256
96a0015a38dc3d553acb454937588a541852fdf1145274e20361e1059cf85741

SHA512
ad2c9f7be58e6d2c0ecf1834b08592216798f009ddc995b4dc882b09cb70dd4c98439835c2bf824ab915abe6033eb7c8b6f25ad604b6718ca1007695010b63a6

Download Submit
C:\Users\Admin\AppData\Roaming\yakkk\sonic.exe

Filesize
463KB

MD5
b04d2ed0b42a05745993502ecdb2b919

SHA1
6c4ff60fa1b8192f20e4732b423f6611d1ff1a20

SHA256
eedb6886b650f7bc37bb934679e35e14f8666352dc1de985936ca243d3f5fe9f

SHA512
8272b4c96f93f15f4620c5b4512c99453e4beb0980b3fb4d2c608f2cf042f31a5f0745d0afa9e45b95f99f3489c2cdac591db3c143fcf758c442cf441def69f6

Download Submit
C:\Users\Admin\AppData\Roaming\yakkk\sonic.exe

Filesize
463KB

MD5
b04d2ed0b42a05745993502ecdb2b919

SHA1
6c4ff60fa1b8192f20e4732b423f6611d1ff1a20

SHA256
eedb6886b650f7bc37bb934679e35e14f8666352dc1de985936ca243d3f5fe9f

SHA512
8272b4c96f93f15f4620c5b4512c99453e4beb0980b3fb4d2c608f2cf042f31a5f0745d0afa9e45b95f99f3489c2cdac591db3c143fcf758c442cf441def69f6

Download Submit
\Users\Admin\AppData\Roaming\yakkk\sonic.exe

Filesize
463KB

MD5
b04d2ed0b42a05745993502ecdb2b919

SHA1
6c4ff60fa1b8192f20e4732b423f6611d1ff1a20

SHA256
eedb6886b650f7bc37bb934679e35e14f8666352dc1de985936ca243d3f5fe9f

SHA512
8272b4c96f93f15f4620c5b4512c99453e4beb0980b3fb4d2c608f2cf042f31a5f0745d0afa9e45b95f99f3489c2cdac591db3c143fcf758c442cf441def69f6

Download Submit
\Users\Admin\AppData\Roaming\yakkk\sonic.exe

Filesize
463KB

MD5
b04d2ed0b42a05745993502ecdb2b919

SHA1
6c4ff60fa1b8192f20e4732b423f6611d1ff1a20

SHA256
eedb6886b650f7bc37bb934679e35e14f8666352dc1de985936ca243d3f5fe9f

SHA512
8272b4c96f93f15f4620c5b4512c99453e4beb0980b3fb4d2c608f2cf042f31a5f0745d0afa9e45b95f99f3489c2cdac591db3c143fcf758c442cf441def69f6

Download Submit
memory/1504-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing