remcos | eedb6886b650f7bc37bb934679e35e14f8666352dc1de985936ca243d3f5fe9f

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2022, 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5.exe
Size

463KB
MD5

b04d2ed0b42a05745993502ecdb2b919
SHA1

6c4ff60fa1b8192f20e4732b423f6611d1ff1a20
SHA256

eedb6886b650f7bc37bb934679e35e14f8666352dc1de985936ca243d3f5fe9f
SHA512

8272b4c96f93f15f4620c5b4512c99453e4beb0980b3fb4d2c608f2cf042f31a5f0745d0afa9e45b95f99f3489c2cdac591db3c143fcf758c442cf441def69f6
SSDEEP

6144:hOFBH/FMNjt18F+9a/NgAeDB4CcOtKp03b13a4LJ+sAOZZPWXbTcUn3yg:hOFtiNBuFgawDB4NOmuwsfZP4yg

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

hendersonk1.hopto.org:2404

henderson1.camdvr.org:2404

centplus1.serveftp.com:2404

harrywlike.ddns.net:2404

genekol.nsupdate.info:2404

harrywlike1.ddns.net:2404

hendersonk2022.hopto.org:2404

genekol1.nsupdate.info:2404

generem.camdvr.org:2404

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
sonic.exe
copy_folder
yakkk
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
gsgjdwg-ED8AWP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
fuckuuuuu
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 1 IoCs

pid	Process
4392	sonic.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	5.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4392	sonic.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3328 wrote to memory of 2208	3328	5.exe	84
PID 3328 wrote to memory of 2208	3328	5.exe	84
PID 3328 wrote to memory of 2208	3328	5.exe	84
PID 2208 wrote to memory of 2200	2208	WScript.exe	86
PID 2208 wrote to memory of 2200	2208	WScript.exe	86
PID 2208 wrote to memory of 2200	2208	WScript.exe	86
PID 2200 wrote to memory of 4392	2200	cmd.exe	88
PID 2200 wrote to memory of 4392	2200	cmd.exe	88
PID 2200 wrote to memory of 4392	2200	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\5.exe
"C:\Users\Admin\AppData\Local\Temp\5.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\yakkk\sonic.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Users\Admin\AppData\Roaming\yakkk\sonic.exe
      C:\Users\Admin\AppData\Roaming\yakkk\sonic.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
414B

MD5
70c091ce330be09a1a4b6d85e6838b02

SHA1
cb42a4cc53603b18f298e8adcdb4ad95468866c7

SHA256
96a0015a38dc3d553acb454937588a541852fdf1145274e20361e1059cf85741

SHA512
ad2c9f7be58e6d2c0ecf1834b08592216798f009ddc995b4dc882b09cb70dd4c98439835c2bf824ab915abe6033eb7c8b6f25ad604b6718ca1007695010b63a6

Download Submit
C:\Users\Admin\AppData\Roaming\yakkk\sonic.exe

Filesize
463KB

MD5
b04d2ed0b42a05745993502ecdb2b919

SHA1
6c4ff60fa1b8192f20e4732b423f6611d1ff1a20

SHA256
eedb6886b650f7bc37bb934679e35e14f8666352dc1de985936ca243d3f5fe9f

SHA512
8272b4c96f93f15f4620c5b4512c99453e4beb0980b3fb4d2c608f2cf042f31a5f0745d0afa9e45b95f99f3489c2cdac591db3c143fcf758c442cf441def69f6

Download Submit
C:\Users\Admin\AppData\Roaming\yakkk\sonic.exe

Filesize
463KB

MD5
b04d2ed0b42a05745993502ecdb2b919

SHA1
6c4ff60fa1b8192f20e4732b423f6611d1ff1a20

SHA256
eedb6886b650f7bc37bb934679e35e14f8666352dc1de985936ca243d3f5fe9f

SHA512
8272b4c96f93f15f4620c5b4512c99453e4beb0980b3fb4d2c608f2cf042f31a5f0745d0afa9e45b95f99f3489c2cdac591db3c143fcf758c442cf441def69f6

Download Submit