remcos | 709bbba61869b8d1858198010a92226f4ea1fb7d2c95dc33fbec4262980327ac

General

Target

QUOTE # EM067022.exe
Size

6KB
MD5

588dc78669c70ad45eefa0f2f7497815
SHA1

b90622241361b61445565eb15404dfbfa53561e4
SHA256

85d306912be80587264953469ca21f62da4c6b7cd1913b794787a563f90ef48c
SHA512

c57ad96fd559abebef976f41a30bb1cca86f3dc725765100bd6d7ba26bd673838d88df8ed9b748534a2d9ba681e4fe27c8fd291772c736141017c5ebf07f0ab3
SSDEEP

96:P/0MlfkKuMroRDQU2BwI47oxCXkMa/kjEthqFnU:3RZnctQUbIYXrasQrf

Score

10^/10

remcos remotehost collection persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

172.111.234.110:5888

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ULBEJI
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4236-153-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral2/memory/4236-156-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/5072-154-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/5072-157-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4236-153-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/4532-155-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4236-156-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/5072-154-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/5072-157-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

QUOTE # EM067022.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	QUOTE # EM067022.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

QUOTE # EM067022.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	QUOTE # EM067022.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

QUOTE # EM067022.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iaidjxhpg = "\"C:\\Users\\Admin\\AppData\\Roaming\\Yvtngbykt\\Iaidjxhpg.exe\""	QUOTE # EM067022.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

QUOTE # EM067022.exeQUOTE # EM067022.exe

description	pid	process	target process
PID 4760 set thread context of 4724	4760	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4724 set thread context of 5072	4724	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4724 set thread context of 4236	4724	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4724 set thread context of 4532	4724	QUOTE # EM067022.exe	QUOTE # EM067022.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeQUOTE # EM067022.exeQUOTE # EM067022.exe

pid	process
4320	powershell.exe
4320	powershell.exe
5072	QUOTE # EM067022.exe
5072	QUOTE # EM067022.exe
4532	QUOTE # EM067022.exe
4532	QUOTE # EM067022.exe
5072	QUOTE # EM067022.exe
5072	QUOTE # EM067022.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

QUOTE # EM067022.exe

pid process

4724 QUOTE # EM067022.exe
4724 QUOTE # EM067022.exe
4724 QUOTE # EM067022.exe
4724 QUOTE # EM067022.exe
4724 QUOTE # EM067022.exe

pid	process
4724	QUOTE # EM067022.exe
4724	QUOTE # EM067022.exe
4724	QUOTE # EM067022.exe
4724	QUOTE # EM067022.exe
4724	QUOTE # EM067022.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

QUOTE # EM067022.exepowershell.exeQUOTE # EM067022.exe

description	pid	process
Token: SeDebugPrivilege	4760	QUOTE # EM067022.exe
Token: SeDebugPrivilege	4320	powershell.exe
Token: SeDebugPrivilege	4532	QUOTE # EM067022.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

QUOTE # EM067022.exeQUOTE # EM067022.exe

description	pid	process	target process
PID 4760 wrote to memory of 4320	4760	QUOTE # EM067022.exe	powershell.exe
PID 4760 wrote to memory of 4320	4760	QUOTE # EM067022.exe	powershell.exe
PID 4760 wrote to memory of 4320	4760	QUOTE # EM067022.exe	powershell.exe
PID 4760 wrote to memory of 4724	4760	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4760 wrote to memory of 4724	4760	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4760 wrote to memory of 4724	4760	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4760 wrote to memory of 4724	4760	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4760 wrote to memory of 4724	4760	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4760 wrote to memory of 4724	4760	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4760 wrote to memory of 4724	4760	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4760 wrote to memory of 4724	4760	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4760 wrote to memory of 4724	4760	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4760 wrote to memory of 4724	4760	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4760 wrote to memory of 4724	4760	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4760 wrote to memory of 4724	4760	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4724 wrote to memory of 5072	4724	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4724 wrote to memory of 5072	4724	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4724 wrote to memory of 5072	4724	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4724 wrote to memory of 5072	4724	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4724 wrote to memory of 3096	4724	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4724 wrote to memory of 3096	4724	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4724 wrote to memory of 3096	4724	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4724 wrote to memory of 4236	4724	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4724 wrote to memory of 4236	4724	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4724 wrote to memory of 4236	4724	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4724 wrote to memory of 4236	4724	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4724 wrote to memory of 3596	4724	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4724 wrote to memory of 3596	4724	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4724 wrote to memory of 3596	4724	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4724 wrote to memory of 4532	4724	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4724 wrote to memory of 4532	4724	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4724 wrote to memory of 4532	4724	QUOTE # EM067022.exe	QUOTE # EM067022.exe
PID 4724 wrote to memory of 4532	4724	QUOTE # EM067022.exe	QUOTE # EM067022.exe

C:\Users\Admin\AppData\Local\Temp\QUOTE # EM067022.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTE # EM067022.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAxAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Users\Admin\AppData\Local\Temp\QUOTE # EM067022.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTE # EM067022.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4724

C:\Users\Admin\AppData\Local\Temp\QUOTE # EM067022.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTE # EM067022.exe" /stext "C:\Users\Admin\AppData\Local\Temp\daey"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5072

C:\Users\Admin\AppData\Local\Temp\QUOTE # EM067022.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTE # EM067022.exe" /stext "C:\Users\Admin\AppData\Local\Temp\nujrvfs"
3⤵
PID:3096

C:\Users\Admin\AppData\Local\Temp\QUOTE # EM067022.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTE # EM067022.exe" /stext "C:\Users\Admin\AppData\Local\Temp\yxwbwydxjqh"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Users\Admin\AppData\Local\Temp\QUOTE # EM067022.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTE # EM067022.exe" /stext "C:\Users\Admin\AppData\Local\Temp\yxwbwydxjqh"
3⤵
PID:3596

C:\Users\Admin\AppData\Local\Temp\QUOTE # EM067022.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTE # EM067022.exe" /stext "C:\Users\Admin\AppData\Local\Temp\nujrvfs"
3⤵
- Accesses Microsoft Outlook accounts
PID:4236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\daey

Filesize
4KB

MD5
30177e1276595fd69ea96b692f49d776

SHA1
75769c29031ca1ad8e175dd700c74b5e35c5b0c7

SHA256
76d4066990e2ee2776f733a25ce23e9af545fd6f1a3b5760d603bdc05d9402d5

SHA512
ccdf20174d299de8ec21445faaf4ebe95c04bd7634c9fe138ba54262b754620c2dfd53a5c94b7d53518181d2eab7b5c97d7933d3a66d05220b06aee120893d4b

Download Submit
memory/3096-149-0x0000000000000000-mapping.dmp

Download
memory/3596-151-0x0000000000000000-mapping.dmp

Download
memory/4236-153-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4236-150-0x0000000000000000-mapping.dmp

Download
memory/4236-156-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4320-139-0x0000000006320000-0x000000000633E000-memory.dmp

Filesize
120KB

Download
memory/4320-135-0x0000000004D60000-0x0000000004D96000-memory.dmp

Filesize
216KB

Download
memory/4320-140-0x0000000007B90000-0x000000000820A000-memory.dmp

Filesize
6.5MB

Download
memory/4320-141-0x0000000006840000-0x000000000685A000-memory.dmp

Filesize
104KB

Download
memory/4320-134-0x0000000000000000-mapping.dmp

Download
memory/4320-136-0x00000000053E0000-0x0000000005A08000-memory.dmp

Filesize
6.2MB

Download
memory/4320-137-0x0000000005C40000-0x0000000005CA6000-memory.dmp

Filesize
408KB

Download
memory/4320-138-0x0000000005CB0000-0x0000000005D16000-memory.dmp

Filesize
408KB

Download
memory/4532-155-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4532-159-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4532-152-0x0000000000000000-mapping.dmp

Download
memory/4724-142-0x0000000000000000-mapping.dmp

Download
memory/4724-145-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4724-144-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4724-143-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4724-146-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4724-147-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4760-132-0x0000000000270000-0x0000000000278000-memory.dmp

Filesize
32KB

Download
memory/4760-133-0x0000000008E90000-0x0000000008EB2000-memory.dmp

Filesize
136KB

Download
memory/5072-154-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5072-148-0x0000000000000000-mapping.dmp

Download
memory/5072-157-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads