remcos | 269546bd718741529021774e7032cf8da5075e2d18852ee0859c3c7a854f5950

General

Target

a0c98858ea96edb2386c86e1786f3419.exe
Size

469KB
MD5

a0c98858ea96edb2386c86e1786f3419
SHA1

461ece495d357885b8ab78341374d830ad88cb76
SHA256

269546bd718741529021774e7032cf8da5075e2d18852ee0859c3c7a854f5950
SHA512

0d0f7ac9a4450be50e66ca6595870118a28cefe1d4fb4289be6f0e7747a90bfad7e899ae93ae78d8effdbdf156b313e40f18db633cd8c1b763c4ccb7d974febb
SSDEEP

12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSvn9:uiLJbpI7I2WhQqZ7v9

Score

10^/10

remcos firefox persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Firefox

C2

elew3le3lanle.freeddns.org:20309

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Firefox
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-Z26APQ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Firefox
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

remcos.exe

pid process

5008 remcos.exe

pid	process
5008	remcos.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a0c98858ea96edb2386c86e1786f3419.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	a0c98858ea96edb2386c86e1786f3419.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

remcos.exea0c98858ea96edb2386c86e1786f3419.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Firefox = "\"C:\\ProgramData\\Firefox\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Firefox = "\"C:\\ProgramData\\Firefox\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	a0c98858ea96edb2386c86e1786f3419.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Firefox = "\"C:\\ProgramData\\Firefox\\remcos.exe\""	a0c98858ea96edb2386c86e1786f3419.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	a0c98858ea96edb2386c86e1786f3419.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Firefox = "\"C:\\ProgramData\\Firefox\\remcos.exe\""	a0c98858ea96edb2386c86e1786f3419.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

remcos.exe

description pid process target process

PID 5008 set thread context of 2176 5008 remcos.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 5008 set thread context of 2176	5008	remcos.exe	svchost.exe

Modifies registry class 1 IoCs

Processes:

a0c98858ea96edb2386c86e1786f3419.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	a0c98858ea96edb2386c86e1786f3419.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

remcos.exe

pid process

5008 remcos.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

5008 remcos.exe

pid	process
5008	remcos.exe

pid	process
5008	remcos.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

a0c98858ea96edb2386c86e1786f3419.exeWScript.execmd.exeremcos.exe

description	pid	process	target process
PID 3320 wrote to memory of 540	3320	a0c98858ea96edb2386c86e1786f3419.exe	WScript.exe
PID 3320 wrote to memory of 540	3320	a0c98858ea96edb2386c86e1786f3419.exe	WScript.exe
PID 3320 wrote to memory of 540	3320	a0c98858ea96edb2386c86e1786f3419.exe	WScript.exe
PID 540 wrote to memory of 2336	540	WScript.exe	cmd.exe
PID 540 wrote to memory of 2336	540	WScript.exe	cmd.exe
PID 540 wrote to memory of 2336	540	WScript.exe	cmd.exe
PID 2336 wrote to memory of 5008	2336	cmd.exe	remcos.exe
PID 2336 wrote to memory of 5008	2336	cmd.exe	remcos.exe
PID 2336 wrote to memory of 5008	2336	cmd.exe	remcos.exe
PID 5008 wrote to memory of 2176	5008	remcos.exe	svchost.exe
PID 5008 wrote to memory of 2176	5008	remcos.exe	svchost.exe
PID 5008 wrote to memory of 2176	5008	remcos.exe	svchost.exe
PID 5008 wrote to memory of 2176	5008	remcos.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\a0c98858ea96edb2386c86e1786f3419.exe
"C:\Users\Admin\AppData\Local\Temp\a0c98858ea96edb2386c86e1786f3419.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3320

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Firefox\remcos.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2336

C:\ProgramData\Firefox\remcos.exe
C:\ProgramData\Firefox\remcos.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\SysWOW64\svchost.exe
svchost.exe
5⤵
PID:2176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Firefox\remcos.exe
Filesize
469KB

MD5
a0c98858ea96edb2386c86e1786f3419

SHA1
461ece495d357885b8ab78341374d830ad88cb76

SHA256
269546bd718741529021774e7032cf8da5075e2d18852ee0859c3c7a854f5950

SHA512
0d0f7ac9a4450be50e66ca6595870118a28cefe1d4fb4289be6f0e7747a90bfad7e899ae93ae78d8effdbdf156b313e40f18db633cd8c1b763c4ccb7d974febb

Download Submit
C:\ProgramData\Firefox\remcos.exe
Filesize
469KB

MD5
a0c98858ea96edb2386c86e1786f3419

SHA1
461ece495d357885b8ab78341374d830ad88cb76

SHA256
269546bd718741529021774e7032cf8da5075e2d18852ee0859c3c7a854f5950

SHA512
0d0f7ac9a4450be50e66ca6595870118a28cefe1d4fb4289be6f0e7747a90bfad7e899ae93ae78d8effdbdf156b313e40f18db633cd8c1b763c4ccb7d974febb

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize
564B

MD5
fd51eb3f6b52200eb2b5469a9d2e14e1

SHA1
5318c697fb5689e62322c00988f85857ee5ee799

SHA256
560765396c18f679fcc8fd5ea429bcb9469ba686219ecd509e8761a14bcf5a00

SHA512
0a2b3b368a3c09e78eec55cd5ee957da3a4a6f554aedf9f66d7a520d1430ca969df1f0b65f486687946725ce58854a728c5de38f65f87d67e98ff7207849ee4b

Download Submit
memory/540-132-0x0000000000000000-mapping.dmp

Download
memory/2176-138-0x0000000000000000-mapping.dmp

Download
memory/2176-139-0x0000000000C10000-0x0000000000C8F000-memory.dmp

Filesize
508KB

Download
memory/2336-134-0x0000000000000000-mapping.dmp

Download
memory/5008-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads