remcos | a7d483a24ac3326297b055b788a4163a59e56341c727dae392b331f4c4b86587

General

Target

tmp.exe
Size

469KB
MD5

5eb973a61f7450c780e2ba34b8eed6d4
SHA1

9b087c82fd7cdf80607178f071c2f077a58a0e88
SHA256

a7d483a24ac3326297b055b788a4163a59e56341c727dae392b331f4c4b86587
SHA512

46bbd45b82e8db6ec60267f902592436035adeebd41748419fb7aa99a675b268d906ebe8e879cec180d0a8033b95067bc8dbf4fcbc1f81a351ed2ac63ace1da3
SSDEEP

12288:Omnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSvLn9:2iLJbpI7I2WhQqZ7vL9

Score

10^/10

remcos static_win2 persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Static_Win2

C2

51.210.137.26:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
stationwin.exe
copy_folder
stationwin
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logsstatic.dat
keylog_flag
false
keylog_folder
staticwin
mouse_option
false
mutex
stationwin-WF5LPE
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Stationwin
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 1 IoCs

pid	Process
3376	stationwin.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	stationwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Stationwin = "\"C:\\Users\\Admin\\AppData\\Roaming\\stationwin\\stationwin.exe\""	stationwin.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	stationwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Stationwin = "\"C:\\Users\\Admin\\AppData\\Roaming\\stationwin\\stationwin.exe\""	stationwin.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Stationwin = "\"C:\\Users\\Admin\\AppData\\Roaming\\stationwin\\stationwin.exe\""	tmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Stationwin = "\"C:\\Users\\Admin\\AppData\\Roaming\\stationwin\\stationwin.exe\""	tmp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3376 set thread context of 1860	3376	stationwin.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	tmp.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3376	stationwin.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3376	stationwin.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 3552	1512	tmp.exe	79
PID 1512 wrote to memory of 3552	1512	tmp.exe	79
PID 1512 wrote to memory of 3552	1512	tmp.exe	79
PID 3552 wrote to memory of 2228	3552	WScript.exe	80
PID 3552 wrote to memory of 2228	3552	WScript.exe	80
PID 3552 wrote to memory of 2228	3552	WScript.exe	80
PID 2228 wrote to memory of 3376	2228	cmd.exe	82
PID 2228 wrote to memory of 3376	2228	cmd.exe	82
PID 2228 wrote to memory of 3376	2228	cmd.exe	82
PID 3376 wrote to memory of 1860	3376	stationwin.exe	83
PID 3376 wrote to memory of 1860	3376	stationwin.exe	83
PID 3376 wrote to memory of 1860	3376	stationwin.exe	83
PID 3376 wrote to memory of 1860	3376	stationwin.exe	83

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\stationwin\stationwin.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Users\Admin\AppData\Roaming\stationwin\stationwin.exe
      C:\Users\Admin\AppData\Roaming\stationwin\stationwin.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3376
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        
        PID:1860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
434B

MD5
320cafd40fbcc37ee4c93e5e73a3a2ff

SHA1
e1e9e920eeab7c7da395197715dfef1cde9f4403

SHA256
6d5a0ab27574e492be6aefe249c8f005fd6a15f54801a4da12976e976fa9b0dd

SHA512
82964055bce2ff9fb4a0602c8e4175a2f8b8e376bcb7ffd5d50f554788eab7ab3205e2637ec9d2ba4025d1e083ea5489678ae833994dfeacb89bc39d5d944406

Download Submit
C:\Users\Admin\AppData\Roaming\stationwin\stationwin.exe

Filesize
469KB

MD5
5eb973a61f7450c780e2ba34b8eed6d4

SHA1
9b087c82fd7cdf80607178f071c2f077a58a0e88

SHA256
a7d483a24ac3326297b055b788a4163a59e56341c727dae392b331f4c4b86587

SHA512
46bbd45b82e8db6ec60267f902592436035adeebd41748419fb7aa99a675b268d906ebe8e879cec180d0a8033b95067bc8dbf4fcbc1f81a351ed2ac63ace1da3

Download Submit
C:\Users\Admin\AppData\Roaming\stationwin\stationwin.exe

Filesize
469KB

MD5
5eb973a61f7450c780e2ba34b8eed6d4

SHA1
9b087c82fd7cdf80607178f071c2f077a58a0e88

SHA256
a7d483a24ac3326297b055b788a4163a59e56341c727dae392b331f4c4b86587

SHA512
46bbd45b82e8db6ec60267f902592436035adeebd41748419fb7aa99a675b268d906ebe8e879cec180d0a8033b95067bc8dbf4fcbc1f81a351ed2ac63ace1da3

Download Submit
memory/1860-139-0x00000000012F0000-0x000000000136F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing