remcos | eadcb694c90b03001c2f276e59f56167138a77726f18e422ae942b8a518ca8c2

General

Target

UUS.exe
Size

1.1MB
MD5

a3cc5b79c80fdc265d97ea7c73ae8017
SHA1

b9514255b5aebb6b07a133a0f70124c9a456ade0
SHA256

eadcb694c90b03001c2f276e59f56167138a77726f18e422ae942b8a518ca8c2
SHA512

b83b71b05075ae581330e1113fc6bfba325cb1147f560bb97b4d0317d9a646f5c495222545a56d96d8e3255eab84e09d9d70e632a2951bd82fb14c47dca16730
SSDEEP

24576:/ekPPpLnSJQwtTdFoBKvq4wL404YIE1Zu7/s8b/dROp6HlzF:DhneQwTFykqfL4wIE1U7JSEHlzF

Score

10^/10

remcos ud-host persistence rat

Malware Config

Extracted

Family

remcos

Botnet

UD-Host

C2

amegroupofschoos32.sytes.net:4820

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
dos.exe
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
mouse_option
false
mutex
Rmc-7F587C
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
ax
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 1 IoCs

pid	Process
1012	dos.exe

Loads dropped DLL 2 IoCs

pid	Process
1872	cmd.exe
1872	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	UUS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ax = "\"C:\\Users\\Admin\\AppData\\Roaming\\dos.exe\""	UUS.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	UUS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ax = "\"C:\\Users\\Admin\\AppData\\Roaming\\dos.exe\""	UUS.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1112 set thread context of 856	1112	UUS.exe	26

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 856	1112	UUS.exe	26
PID 1112 wrote to memory of 856	1112	UUS.exe	26
PID 1112 wrote to memory of 856	1112	UUS.exe	26
PID 1112 wrote to memory of 856	1112	UUS.exe	26
PID 1112 wrote to memory of 856	1112	UUS.exe	26
PID 1112 wrote to memory of 856	1112	UUS.exe	26
PID 1112 wrote to memory of 856	1112	UUS.exe	26
PID 1112 wrote to memory of 856	1112	UUS.exe	26
PID 1112 wrote to memory of 856	1112	UUS.exe	26
PID 1112 wrote to memory of 856	1112	UUS.exe	26
PID 1112 wrote to memory of 856	1112	UUS.exe	26
PID 1112 wrote to memory of 856	1112	UUS.exe	26
PID 1112 wrote to memory of 856	1112	UUS.exe	26
PID 856 wrote to memory of 1264	856	UUS.exe	27
PID 856 wrote to memory of 1264	856	UUS.exe	27
PID 856 wrote to memory of 1264	856	UUS.exe	27
PID 856 wrote to memory of 1264	856	UUS.exe	27
PID 1264 wrote to memory of 1872	1264	WScript.exe	28
PID 1264 wrote to memory of 1872	1264	WScript.exe	28
PID 1264 wrote to memory of 1872	1264	WScript.exe	28
PID 1264 wrote to memory of 1872	1264	WScript.exe	28
PID 1872 wrote to memory of 1012	1872	cmd.exe	30
PID 1872 wrote to memory of 1012	1872	cmd.exe	30
PID 1872 wrote to memory of 1012	1872	cmd.exe	30
PID 1872 wrote to memory of 1012	1872	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\UUS.exe
"C:\Users\Admin\AppData\Local\Temp\UUS.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Users\Admin\AppData\Local\Temp\UUS.exe
  "C:\Users\Admin\AppData\Local\Temp\UUS.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\dos.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1872
    - - C:\Users\Admin\AppData\Roaming\dos.exe
        
        C:\Users\Admin\AppData\Roaming\dos.exe
        5⤵
        Executes dropped EXE
        
        PID:1012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
398B

MD5
900bef8cebe89717a150a46ada498865

SHA1
f56e326209561a9baffeae921deefad15bb7a699

SHA256
65be12a911de0a8ca2019e4bc52118fc2521b257aafae055bf6b1dff9247fa5c

SHA512
eccf6ddd112f2219d52ef1feb70cab487d7d88bf8ca8637ca2f2cb5121da781dc9268bda45617191c1624957cd5df0b6b086e01fe868a325cac48f2e5f284e11

Download Submit
C:\Users\Admin\AppData\Roaming\dos.exe

Filesize
1.1MB

MD5
a3cc5b79c80fdc265d97ea7c73ae8017

SHA1
b9514255b5aebb6b07a133a0f70124c9a456ade0

SHA256
eadcb694c90b03001c2f276e59f56167138a77726f18e422ae942b8a518ca8c2

SHA512
b83b71b05075ae581330e1113fc6bfba325cb1147f560bb97b4d0317d9a646f5c495222545a56d96d8e3255eab84e09d9d70e632a2951bd82fb14c47dca16730

Download Submit
C:\Users\Admin\AppData\Roaming\dos.exe

Filesize
1.1MB

MD5
a3cc5b79c80fdc265d97ea7c73ae8017

SHA1
b9514255b5aebb6b07a133a0f70124c9a456ade0

SHA256
eadcb694c90b03001c2f276e59f56167138a77726f18e422ae942b8a518ca8c2

SHA512
b83b71b05075ae581330e1113fc6bfba325cb1147f560bb97b4d0317d9a646f5c495222545a56d96d8e3255eab84e09d9d70e632a2951bd82fb14c47dca16730

Download Submit
\Users\Admin\AppData\Roaming\dos.exe

Filesize
1.1MB

MD5
a3cc5b79c80fdc265d97ea7c73ae8017

SHA1
b9514255b5aebb6b07a133a0f70124c9a456ade0

SHA256
eadcb694c90b03001c2f276e59f56167138a77726f18e422ae942b8a518ca8c2

SHA512
b83b71b05075ae581330e1113fc6bfba325cb1147f560bb97b4d0317d9a646f5c495222545a56d96d8e3255eab84e09d9d70e632a2951bd82fb14c47dca16730

Download Submit
\Users\Admin\AppData\Roaming\dos.exe

Filesize
1.1MB

MD5
a3cc5b79c80fdc265d97ea7c73ae8017

SHA1
b9514255b5aebb6b07a133a0f70124c9a456ade0

SHA256
eadcb694c90b03001c2f276e59f56167138a77726f18e422ae942b8a518ca8c2

SHA512
b83b71b05075ae581330e1113fc6bfba325cb1147f560bb97b4d0317d9a646f5c495222545a56d96d8e3255eab84e09d9d70e632a2951bd82fb14c47dca16730

Download Submit
memory/856-69-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/856-76-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/856-62-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/856-64-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/856-65-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/856-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/856-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/856-59-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/856-71-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/856-75-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/856-60-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/856-78-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1012-87-0x0000000000DE0000-0x0000000000EF6000-memory.dmp

Filesize
1.1MB

Download
memory/1112-54-0x0000000000C30000-0x0000000000D46000-memory.dmp

Filesize
1.1MB

Download
memory/1112-58-0x0000000005650000-0x00000000056CC000-memory.dmp

Filesize
496KB

Download
memory/1112-57-0x0000000005030000-0x0000000005102000-memory.dmp

Filesize
840KB

Download
memory/1112-56-0x0000000000550000-0x0000000000566000-memory.dmp

Filesize
88KB

Download
memory/1112-55-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing