remcos | 5fcd2b75332006a31b954cc43d15ff90e3f1b20baf45deee1577ad4a937fad24

General

Target

103_000RTGS224398_0571619530.exe
Size

478KB
MD5

a7245f2f42d562ba4effac50d5eb3a86
SHA1

3e55f2bd71bbfea911c85e2f536b57a2c19f8ba2
SHA256

dae79c591e41fac5133e80652d94e8c1cc42e62381a38f2dc11c42360547afe7
SHA512

a844824fdd4f06f3e2fba245472a35bf9f326ca18de754c0e5f57227936fcd79900c2253005d549465d425d66cbe09ad5972bc701b1079235b858c47f8a4fffa
SSDEEP

6144:qweEpqL9VnSf5bAzdUaa6KoU87GJgBzDvjmnUGlOUj8/TiRSbgp2XCV7aCMGpGW/:bqBVSiLaVo2JoMoB/TaSEp2+7aCZcZnY

Score

10^/10

remcos remotehoststar persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHostStar

C2

41.216.183.226:41900

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-0OUDX5
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
1520	arrwz.exe
1720	arrwz.exe

Loads dropped DLL 3 IoCs

pid	Process
1972	103_000RTGS224398_0571619530.exe
1972	103_000RTGS224398_0571619530.exe
1520	arrwz.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\skxdakiccjna = "C:\\Users\\Admin\\AppData\\Roaming\\duiaanlvwbckwb\\vkjhxkbnfvqec.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\arrwz.exe\""	arrwz.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1520 set thread context of 1720	1520	arrwz.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1520	arrwz.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1520	1972	103_000RTGS224398_0571619530.exe	27
PID 1972 wrote to memory of 1520	1972	103_000RTGS224398_0571619530.exe	27
PID 1972 wrote to memory of 1520	1972	103_000RTGS224398_0571619530.exe	27
PID 1972 wrote to memory of 1520	1972	103_000RTGS224398_0571619530.exe	27
PID 1520 wrote to memory of 1720	1520	arrwz.exe	29
PID 1520 wrote to memory of 1720	1520	arrwz.exe	29
PID 1520 wrote to memory of 1720	1520	arrwz.exe	29
PID 1520 wrote to memory of 1720	1520	arrwz.exe	29
PID 1520 wrote to memory of 1720	1520	arrwz.exe	29

C:\Users\Admin\AppData\Local\Temp\103_000RTGS224398_0571619530.exe
"C:\Users\Admin\AppData\Local\Temp\103_000RTGS224398_0571619530.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\arrwz.exe
  "C:\Users\Admin\AppData\Local\Temp\arrwz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\arrwz.exe
    "C:\Users\Admin\AppData\Local\Temp\arrwz.exe"
    3⤵
    - Executes dropped EXE
    PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\arrwz.exe

Filesize
77KB

MD5
36a1e874d53243658484be856e6c55de

SHA1
77c9b0a399ad8fd70069929d3ab6a6531679a3cc

SHA256
a07bad73e097aa522375689866ccd506b03eddceeacfbc05d9610a1656f6735a

SHA512
b4660620b55bd2d42160d14d34a09c57484ce6cba8e5eba4c330b1abd14413865fbfb89dbe5763f55d5ce1adff2e21a65aa5293c22b3f8e546fd1fb21223a109

Download Submit
C:\Users\Admin\AppData\Local\Temp\arrwz.exe

Filesize
77KB

MD5
36a1e874d53243658484be856e6c55de

SHA1
77c9b0a399ad8fd70069929d3ab6a6531679a3cc

SHA256
a07bad73e097aa522375689866ccd506b03eddceeacfbc05d9610a1656f6735a

SHA512
b4660620b55bd2d42160d14d34a09c57484ce6cba8e5eba4c330b1abd14413865fbfb89dbe5763f55d5ce1adff2e21a65aa5293c22b3f8e546fd1fb21223a109

Download Submit
C:\Users\Admin\AppData\Local\Temp\arrwz.exe

Filesize
77KB

MD5
36a1e874d53243658484be856e6c55de

SHA1
77c9b0a399ad8fd70069929d3ab6a6531679a3cc

SHA256
a07bad73e097aa522375689866ccd506b03eddceeacfbc05d9610a1656f6735a

SHA512
b4660620b55bd2d42160d14d34a09c57484ce6cba8e5eba4c330b1abd14413865fbfb89dbe5763f55d5ce1adff2e21a65aa5293c22b3f8e546fd1fb21223a109

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqazpeylu.lwh

Filesize
7KB

MD5
a09675c43ba0475569168ea399e5fc62

SHA1
76dffd9b58d10d9ff56acc94aa6bdbb7e014c6e2

SHA256
4c43e66494e77166b952c020288d8d57da8192387114dc091b64f66085fd0054

SHA512
b13e4a237699ec81454f6d4d3243382edc0b8570308f37c97a58fa487058d68c5957b9bb733dcd399ceeebc70c9e172d511f79220afb1c45d1765e34f07fdffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtjtkjfatja.c

Filesize
469KB

MD5
b9fa0879a6bcd0b669a1477bb68a4a68

SHA1
79b8cce8584efb06a9f9cea4b5523c2354c0fd15

SHA256
6a6c2784e31fae7f86b3abb8f920a76dbeddc4bd73005006a5d237c008ce5d75

SHA512
c9fabe0ed23a6965d8a182d4eda36bd07108d41d78c13ce4b6b8e712e5d6a748103583532b19af977824d2b0b5faae07121766977ac1b07dfb8dbbee4154f966

Download Submit
\Users\Admin\AppData\Local\Temp\arrwz.exe

Filesize
77KB

MD5
36a1e874d53243658484be856e6c55de

SHA1
77c9b0a399ad8fd70069929d3ab6a6531679a3cc

SHA256
a07bad73e097aa522375689866ccd506b03eddceeacfbc05d9610a1656f6735a

SHA512
b4660620b55bd2d42160d14d34a09c57484ce6cba8e5eba4c330b1abd14413865fbfb89dbe5763f55d5ce1adff2e21a65aa5293c22b3f8e546fd1fb21223a109

Download Submit
\Users\Admin\AppData\Local\Temp\arrwz.exe

Filesize
77KB

MD5
36a1e874d53243658484be856e6c55de

SHA1
77c9b0a399ad8fd70069929d3ab6a6531679a3cc

SHA256
a07bad73e097aa522375689866ccd506b03eddceeacfbc05d9610a1656f6735a

SHA512
b4660620b55bd2d42160d14d34a09c57484ce6cba8e5eba4c330b1abd14413865fbfb89dbe5763f55d5ce1adff2e21a65aa5293c22b3f8e546fd1fb21223a109

Download Submit
\Users\Admin\AppData\Local\Temp\arrwz.exe

Filesize
77KB

MD5
36a1e874d53243658484be856e6c55de

SHA1
77c9b0a399ad8fd70069929d3ab6a6531679a3cc

SHA256
a07bad73e097aa522375689866ccd506b03eddceeacfbc05d9610a1656f6735a

SHA512
b4660620b55bd2d42160d14d34a09c57484ce6cba8e5eba4c330b1abd14413865fbfb89dbe5763f55d5ce1adff2e21a65aa5293c22b3f8e546fd1fb21223a109

Download Submit
memory/1520-57-0x0000000000000000-mapping.dmp

Download
memory/1720-64-0x00000000004327A4-mapping.dmp

Download
memory/1720-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1720-68-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1972-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing