remcos | 9920e53084316eb1fe823dd747dedf76a8abeb37e07d491a76c3e546f0cc865b

General

Target

swiftcopy.exe
Size

390.0MB
MD5

f101b3158db2bdfbbeb97867f6b3dd91
SHA1

a726050dab999854ae32feffd9fe0e75796cec64
SHA256

900f05edc300fae13b416e42a9368acf5a3956895b7c7812d209b8c56bff08ea
SHA512

b1ae04125e3531a636fd7347cd22df2ca06d4d4ff42951c0b1d59923fe78034bcf5a7ec81fbbd891c454835202103ac751f617ec811eba07b9f39bb605a56779
SSDEEP

12288:PKBzbrJriwnMyQlh/b9bIhjv9qXvHvHXJKSV:P+75iwMrdbKhz0/Hv/

Score

10^/10

remcos worldclass persistence rat

Malware Config

Extracted

Family

remcos

Botnet

worldclass

C2

91.193.75.188:60005

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
worldclass.exe
copy_folder
worldclass
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-BY6BKA
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
worldclass
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

worldclass.exeworldclass.exe

pid process

1008 worldclass.exe
1544 worldclass.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exeworldclass.exe

pid process

700 cmd.exe
1008 worldclass.exe

pid	process
1008	worldclass.exe
1544	worldclass.exe

pid	process
700	cmd.exe
1008	worldclass.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

swiftcopy.exeworldclass.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	swiftcopy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\worldclass = "\"C:\\Users\\Admin\\AppData\\Roaming\\worldclass\\worldclass.exe\""	swiftcopy.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	worldclass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\worldclass = "\"C:\\Users\\Admin\\AppData\\Roaming\\worldclass\\worldclass.exe\""	worldclass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	worldclass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\worldclass = "\"C:\\Users\\Admin\\AppData\\Roaming\\worldclass\\worldclass.exe\""	worldclass.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	swiftcopy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\worldclass = "\"C:\\Users\\Admin\\AppData\\Roaming\\worldclass\\worldclass.exe\""	swiftcopy.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

swiftcopy.exeworldclass.exe

description	pid	process	target process
PID 628 set thread context of 556	628	swiftcopy.exe	swiftcopy.exe
PID 1008 set thread context of 1544	1008	worldclass.exe	worldclass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

worldclass.exe

pid process

1544 worldclass.exe

pid	process
1544	worldclass.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

swiftcopy.exeswiftcopy.exeWScript.execmd.exeworldclass.exe

description	pid	process	target process
PID 628 wrote to memory of 556	628	swiftcopy.exe	swiftcopy.exe
PID 628 wrote to memory of 556	628	swiftcopy.exe	swiftcopy.exe
PID 628 wrote to memory of 556	628	swiftcopy.exe	swiftcopy.exe
PID 628 wrote to memory of 556	628	swiftcopy.exe	swiftcopy.exe
PID 628 wrote to memory of 556	628	swiftcopy.exe	swiftcopy.exe
PID 628 wrote to memory of 556	628	swiftcopy.exe	swiftcopy.exe
PID 628 wrote to memory of 556	628	swiftcopy.exe	swiftcopy.exe
PID 628 wrote to memory of 556	628	swiftcopy.exe	swiftcopy.exe
PID 628 wrote to memory of 556	628	swiftcopy.exe	swiftcopy.exe
PID 628 wrote to memory of 556	628	swiftcopy.exe	swiftcopy.exe
PID 628 wrote to memory of 556	628	swiftcopy.exe	swiftcopy.exe
PID 628 wrote to memory of 556	628	swiftcopy.exe	swiftcopy.exe
PID 628 wrote to memory of 556	628	swiftcopy.exe	swiftcopy.exe
PID 628 wrote to memory of 556	628	swiftcopy.exe	swiftcopy.exe
PID 628 wrote to memory of 556	628	swiftcopy.exe	swiftcopy.exe
PID 628 wrote to memory of 556	628	swiftcopy.exe	swiftcopy.exe
PID 556 wrote to memory of 848	556	swiftcopy.exe	WScript.exe
PID 556 wrote to memory of 848	556	swiftcopy.exe	WScript.exe
PID 556 wrote to memory of 848	556	swiftcopy.exe	WScript.exe
PID 556 wrote to memory of 848	556	swiftcopy.exe	WScript.exe
PID 848 wrote to memory of 700	848	WScript.exe	cmd.exe
PID 848 wrote to memory of 700	848	WScript.exe	cmd.exe
PID 848 wrote to memory of 700	848	WScript.exe	cmd.exe
PID 848 wrote to memory of 700	848	WScript.exe	cmd.exe
PID 700 wrote to memory of 1008	700	cmd.exe	worldclass.exe
PID 700 wrote to memory of 1008	700	cmd.exe	worldclass.exe
PID 700 wrote to memory of 1008	700	cmd.exe	worldclass.exe
PID 700 wrote to memory of 1008	700	cmd.exe	worldclass.exe
PID 700 wrote to memory of 1008	700	cmd.exe	worldclass.exe
PID 700 wrote to memory of 1008	700	cmd.exe	worldclass.exe
PID 700 wrote to memory of 1008	700	cmd.exe	worldclass.exe
PID 1008 wrote to memory of 1544	1008	worldclass.exe	worldclass.exe
PID 1008 wrote to memory of 1544	1008	worldclass.exe	worldclass.exe
PID 1008 wrote to memory of 1544	1008	worldclass.exe	worldclass.exe
PID 1008 wrote to memory of 1544	1008	worldclass.exe	worldclass.exe
PID 1008 wrote to memory of 1544	1008	worldclass.exe	worldclass.exe
PID 1008 wrote to memory of 1544	1008	worldclass.exe	worldclass.exe
PID 1008 wrote to memory of 1544	1008	worldclass.exe	worldclass.exe
PID 1008 wrote to memory of 1544	1008	worldclass.exe	worldclass.exe
PID 1008 wrote to memory of 1544	1008	worldclass.exe	worldclass.exe
PID 1008 wrote to memory of 1544	1008	worldclass.exe	worldclass.exe
PID 1008 wrote to memory of 1544	1008	worldclass.exe	worldclass.exe
PID 1008 wrote to memory of 1544	1008	worldclass.exe	worldclass.exe
PID 1008 wrote to memory of 1544	1008	worldclass.exe	worldclass.exe
PID 1008 wrote to memory of 1544	1008	worldclass.exe	worldclass.exe
PID 1008 wrote to memory of 1544	1008	worldclass.exe	worldclass.exe
PID 1008 wrote to memory of 1544	1008	worldclass.exe	worldclass.exe

C:\Users\Admin\AppData\Local\Temp\swiftcopy.exe
"C:\Users\Admin\AppData\Local\Temp\swiftcopy.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:628

C:\Users\Admin\AppData\Local\Temp\swiftcopy.exe
"C:\Users\Admin\AppData\Local\Temp\swiftcopy.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wegrrxk.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\worldclass\worldclass.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:700

C:\Users\Admin\AppData\Roaming\worldclass\worldclass.exe
C:\Users\Admin\AppData\Roaming\worldclass\worldclass.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1008

C:\Users\Admin\AppData\Roaming\worldclass\worldclass.exe
"C:\Users\Admin\AppData\Roaming\worldclass\worldclass.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wegrrxk.vbs

Filesize
434B

MD5
a4a28eb230fc2e09b69530a935514936

SHA1
094116e18776a84014e76cfe46e0b21de5245fbe

SHA256
0e5fb1081178e158c0eeebc64c04edfd5692ced5fda83b963f7997c33c40e198

SHA512
365e872a428c0bd15bece5bd1014beeb4618cce6ea572df1c9100ba8a6048ed5dfc6be5ec7999272082097830bf8703312f267dc2a92bc7e4d8b63a72e27cf5f

Download Submit
C:\Users\Admin\AppData\Roaming\worldclass\worldclass.exe

Filesize
332.8MB

MD5
0b073b6afc013d18a2a6bff6b030fdf9

SHA1
5d53d9f890aaadc28a73ee20a6d6ba81605a0c4b

SHA256
785396ef6b187fc63c2672b43e85da670f09553f910a0ae6d368ab9cb79c83ec

SHA512
31e758871de9e69066e5c498122040c23e420ce7adda223fad6c26aa401fb619e49cd974dbf353c0f014950f0495a30ae70d731403d2b88a16b18d679824b3cc

Download Submit
C:\Users\Admin\AppData\Roaming\worldclass\worldclass.exe

Filesize
319.9MB

MD5
37e8a0764c20fda33f27f3b2542f6a07

SHA1
6f41796eae22dda9b4f35c3d3256be35fbf8b2e8

SHA256
a38642a41d99110ab332539cc19c9e17a6bdc8e94c8d85fa9abc3ee2088bc7aa

SHA512
f333adf819903dc25f9369400b1d06b3a63395934f136e9ef1e8fa8601917737f0e95a5db1fc721dae734cad9c34887aa4c92907fd9661cbb2afbe7b2f6b3d55

Download Submit
C:\Users\Admin\AppData\Roaming\worldclass\worldclass.exe

Filesize
313.4MB

MD5
cd95e1060973f0896bfe0803269552ce

SHA1
1a12f34a15bd559ce180a01646ca2f61148e4822

SHA256
d0ed5e3df159b631fa3c65f986ef6a12285523a3c1dbd22acc513a372691ab22

SHA512
766d19c41f5c304d1293bd573587d876ea12adc840ff64d8b69c55fc1e9682bcf0773c82123e073d89527517817f447c6e65c6d755785a3f623e4ffdffce7a7c

Download Submit
\Users\Admin\AppData\Roaming\worldclass\worldclass.exe

Filesize
325.1MB

MD5
c40ecc0c7e8013816547f9cfd7b703a8

SHA1
0fa4d5bd2d504f087908feba865d53c37deb548a

SHA256
89a7de689901dff37e087e79144a8113429e7458e728b670da8883bed53dbde0

SHA512
f1b46e807d9d99099dd28bad729a57d6e978f0ccf841549f2745c31454020b616d5c1bb0caf4308f9f7decdd4ee4a584fbfcf86bbc80d9634778c9be066e4615

Download Submit
\Users\Admin\AppData\Roaming\worldclass\worldclass.exe

Filesize
335.2MB

MD5
c3e838535184d101d6a4beff04c5caa6

SHA1
8563d8ef5b92b31e99d6e158836876a760f3119b

SHA256
3c7fcd6c2cae26dec0a0f206d86e78ba45274d19e403c320dc8b44675f134f90

SHA512
bd5f8eaa263f5dde73b55abcd9935c0df10ab2d803f4abde49e2aa329131769a5c8353105d12f7ca28de10613c0b38c2225570e42ce6844fe9e5f35225b44d13

Download Submit
memory/556-61-0x0000000000090000-0x000000000010F000-memory.dmp

Filesize
508KB

Download
memory/556-81-0x0000000000090000-0x000000000010F000-memory.dmp

Filesize
508KB

Download
memory/556-64-0x0000000000090000-0x000000000010F000-memory.dmp

Filesize
508KB

Download
memory/556-66-0x0000000000090000-0x000000000010F000-memory.dmp

Filesize
508KB

Download
memory/556-69-0x000000000043292E-mapping.dmp

Download
memory/556-70-0x0000000000090000-0x000000000010F000-memory.dmp

Filesize
508KB

Download
memory/556-75-0x0000000000090000-0x000000000010F000-memory.dmp

Filesize
508KB

Download
memory/556-63-0x0000000000090000-0x000000000010F000-memory.dmp

Filesize
508KB

Download
memory/556-56-0x0000000000090000-0x000000000010F000-memory.dmp

Filesize
508KB

Download
memory/556-62-0x0000000000090000-0x000000000010F000-memory.dmp

Filesize
508KB

Download
memory/556-57-0x0000000000090000-0x000000000010F000-memory.dmp

Filesize
508KB

Download
memory/556-59-0x0000000000090000-0x000000000010F000-memory.dmp

Filesize
508KB

Download
memory/628-54-0x0000000000A80000-0x0000000000B14000-memory.dmp

Filesize
592KB

Download
memory/628-55-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/700-85-0x0000000000000000-mapping.dmp

Download
memory/848-82-0x0000000000000000-mapping.dmp

Download
memory/1008-90-0x0000000001190000-0x0000000001224000-memory.dmp

Filesize
592KB

Download
memory/1008-88-0x0000000000000000-mapping.dmp

Download
memory/1544-106-0x000000000043292E-mapping.dmp

Download
memory/1544-110-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1544-111-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1544-112-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads