remcos | 2886f0e76820ae13982438c457f4a59038c2538bc710f7766371278861476fd9

General

Target

PRINT_LE.exe
Size

557KB
MD5

8ba027e61920545c8b29c9c16e494b2f
SHA1

ca9cd55224dec90f68981e1b7fc2e5fd07b2d9cd
SHA256

4f3ac2facaae4e74a303e1c92b36c87372397fa19f93d3025cc6fa5c027a7b29
SHA512

c89886988feb692d6b6ff6a439490732e3e4d8aee3c3fc86514ac6a39874ccc50f8946f98c27158bae699f7d3912ac806ba9fbb0b5070bc48203771d5cea0b3d
SSDEEP

12288:O8Kk0rvkBJ4VfnfzTuL8qNSc0eXH4x5mpeB/jX7:OvXowVfbTiHwFeXYx4oD7

Score

10^/10

remcos xp_no startup persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Xp_no startup

C2

xpremcuz300622.ddns.net:3542

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-419DY7
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

tcjbwmh.exetcjbwmh.exe

pid process

1368 tcjbwmh.exe
1044 tcjbwmh.exe
Loads dropped DLL 2 IoCs

Processes:

PRINT_LE.exetcjbwmh.exe

pid process

1704 PRINT_LE.exe
1368 tcjbwmh.exe

pid	process
1368	tcjbwmh.exe
1044	tcjbwmh.exe

pid	process
1704	PRINT_LE.exe
1368	tcjbwmh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tcjbwmh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\eusphyger = "C:\\Users\\Admin\\AppData\\Roaming\\mkvuck\\gtxb.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\tcjbwmh.exe\""	tcjbwmh.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

tcjbwmh.exe

description pid process target process

PID 1368 set thread context of 1044 1368 tcjbwmh.exe tcjbwmh.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

tcjbwmh.exe

pid process

1368 tcjbwmh.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

tcjbwmh.exe

pid process

1044 tcjbwmh.exe

description	pid	process	target process
PID 1368 set thread context of 1044	1368	tcjbwmh.exe	tcjbwmh.exe

pid	process
1368	tcjbwmh.exe

pid	process
1044	tcjbwmh.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

PRINT_LE.exetcjbwmh.exe

description	pid	process	target process
PID 1704 wrote to memory of 1368	1704	PRINT_LE.exe	tcjbwmh.exe
PID 1704 wrote to memory of 1368	1704	PRINT_LE.exe	tcjbwmh.exe
PID 1704 wrote to memory of 1368	1704	PRINT_LE.exe	tcjbwmh.exe
PID 1704 wrote to memory of 1368	1704	PRINT_LE.exe	tcjbwmh.exe
PID 1368 wrote to memory of 1044	1368	tcjbwmh.exe	tcjbwmh.exe
PID 1368 wrote to memory of 1044	1368	tcjbwmh.exe	tcjbwmh.exe
PID 1368 wrote to memory of 1044	1368	tcjbwmh.exe	tcjbwmh.exe
PID 1368 wrote to memory of 1044	1368	tcjbwmh.exe	tcjbwmh.exe
PID 1368 wrote to memory of 1044	1368	tcjbwmh.exe	tcjbwmh.exe

C:\Users\Admin\AppData\Local\Temp\PRINT_LE.exe
"C:\Users\Admin\AppData\Local\Temp\PRINT_LE.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\tcjbwmh.exe
"C:\Users\Admin\AppData\Local\Temp\tcjbwmh.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1368

C:\Users\Admin\AppData\Local\Temp\tcjbwmh.exe
"C:\Users\Admin\AppData\Local\Temp\tcjbwmh.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cpnem.y
Filesize
464KB

MD5
3f37ddb2660a13210b1c21edc4bbfa14

SHA1
296b94a7c2ede887a3c86d625b4bce086a5f24c9

SHA256
ece672155002814c612ae67bb9423f8483fd34c646b48c8c08e1e87253ac873b

SHA512
60595325aecabbfa9663ac84e4250c47a20a4866587eee4200a4708a02ae40c3bb2bf71eb7d107e18eb4492d7182562538f3eb19c65fd810345394ec3d0d64a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnbljxjqzwg.u
Filesize
7KB

MD5
2bc44ad3a12a2f57552b5835083e094c

SHA1
c6d93859fbd3624b0f5e9f37cc74c8048ec5b181

SHA256
b98fb6a96b83a2f696f7f49fe6f84a5489ce9bd3fe90f9fc1f3328c7f9e459f2

SHA512
17bfff128821e75f2f7527997b1d6c3e756a256d185ab4c4a280e7a9a1e1e685bbe96a0391f50cd1201cfd19a8bb151eb1b73753749246a66aecde3e046484e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcjbwmh.exe
Filesize
5KB

MD5
499572d2f4c38ea2313dd54dbe0c5aab

SHA1
2dab3630b17e9114cdb457179ad84b7a6d521b62

SHA256
5e640a6971cbc4bef2a5683b5055131b7e573256298708ae3a818b381011ecbe

SHA512
0af3211e9a897888bdf985ce31f02be0f486d506322fcd4acfd6cb07820c45f4f0107633d9396f7f84d34128db64375554d07f44364a170f6316861a3f675520

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcjbwmh.exe
Filesize
5KB

MD5
499572d2f4c38ea2313dd54dbe0c5aab

SHA1
2dab3630b17e9114cdb457179ad84b7a6d521b62

SHA256
5e640a6971cbc4bef2a5683b5055131b7e573256298708ae3a818b381011ecbe

SHA512
0af3211e9a897888bdf985ce31f02be0f486d506322fcd4acfd6cb07820c45f4f0107633d9396f7f84d34128db64375554d07f44364a170f6316861a3f675520

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcjbwmh.exe
Filesize
5KB

MD5
499572d2f4c38ea2313dd54dbe0c5aab

SHA1
2dab3630b17e9114cdb457179ad84b7a6d521b62

SHA256
5e640a6971cbc4bef2a5683b5055131b7e573256298708ae3a818b381011ecbe

SHA512
0af3211e9a897888bdf985ce31f02be0f486d506322fcd4acfd6cb07820c45f4f0107633d9396f7f84d34128db64375554d07f44364a170f6316861a3f675520

Download Submit
\Users\Admin\AppData\Local\Temp\tcjbwmh.exe
Filesize
5KB

MD5
499572d2f4c38ea2313dd54dbe0c5aab

SHA1
2dab3630b17e9114cdb457179ad84b7a6d521b62

SHA256
5e640a6971cbc4bef2a5683b5055131b7e573256298708ae3a818b381011ecbe

SHA512
0af3211e9a897888bdf985ce31f02be0f486d506322fcd4acfd6cb07820c45f4f0107633d9396f7f84d34128db64375554d07f44364a170f6316861a3f675520

Download Submit
\Users\Admin\AppData\Local\Temp\tcjbwmh.exe
Filesize
5KB

MD5
499572d2f4c38ea2313dd54dbe0c5aab

SHA1
2dab3630b17e9114cdb457179ad84b7a6d521b62

SHA256
5e640a6971cbc4bef2a5683b5055131b7e573256298708ae3a818b381011ecbe

SHA512
0af3211e9a897888bdf985ce31f02be0f486d506322fcd4acfd6cb07820c45f4f0107633d9396f7f84d34128db64375554d07f44364a170f6316861a3f675520

Download Submit
memory/1044-63-0x000000000043133D-mapping.dmp

Download
memory/1044-66-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1044-67-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1368-56-0x0000000000000000-mapping.dmp

Download
memory/1704-54-0x0000000074D81000-0x0000000074D83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing