remcos | b547223c829b933e0319e28af42ddd96098e7816c9dc0e472c4b722404b32bfd

General

Target

M_V_DOUG.exe
Size

557KB
MD5

8ba027e61920545c8b29c9c16e494b2f
SHA1

ca9cd55224dec90f68981e1b7fc2e5fd07b2d9cd
SHA256

4f3ac2facaae4e74a303e1c92b36c87372397fa19f93d3025cc6fa5c027a7b29
SHA512

c89886988feb692d6b6ff6a439490732e3e4d8aee3c3fc86514ac6a39874ccc50f8946f98c27158bae699f7d3912ac806ba9fbb0b5070bc48203771d5cea0b3d
SSDEEP

12288:O8Kk0rvkBJ4VfnfzTuL8qNSc0eXH4x5mpeB/jX7:OvXowVfbTiHwFeXYx4oD7

Score

10^/10

remcos xp_no startup persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Xp_no startup

C2

xpremcuz300622.ddns.net:3542

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-419DY7
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

tcjbwmh.exetcjbwmh.exe

pid process

4244 tcjbwmh.exe
3476 tcjbwmh.exe

pid	process
4244	tcjbwmh.exe
3476	tcjbwmh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tcjbwmh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eusphyger = "C:\\Users\\Admin\\AppData\\Roaming\\mkvuck\\gtxb.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\tcjbwmh.exe\""	tcjbwmh.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

tcjbwmh.exe

description pid process target process

PID 4244 set thread context of 3476 4244 tcjbwmh.exe tcjbwmh.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

tcjbwmh.exe

pid process

4244 tcjbwmh.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

tcjbwmh.exe

pid process

3476 tcjbwmh.exe

description	pid	process	target process
PID 4244 set thread context of 3476	4244	tcjbwmh.exe	tcjbwmh.exe

pid	process
4244	tcjbwmh.exe

pid	process
3476	tcjbwmh.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

M_V_DOUG.exetcjbwmh.exe

description	pid	process	target process
PID 1280 wrote to memory of 4244	1280	M_V_DOUG.exe	tcjbwmh.exe
PID 1280 wrote to memory of 4244	1280	M_V_DOUG.exe	tcjbwmh.exe
PID 1280 wrote to memory of 4244	1280	M_V_DOUG.exe	tcjbwmh.exe
PID 4244 wrote to memory of 3476	4244	tcjbwmh.exe	tcjbwmh.exe
PID 4244 wrote to memory of 3476	4244	tcjbwmh.exe	tcjbwmh.exe
PID 4244 wrote to memory of 3476	4244	tcjbwmh.exe	tcjbwmh.exe
PID 4244 wrote to memory of 3476	4244	tcjbwmh.exe	tcjbwmh.exe

C:\Users\Admin\AppData\Local\Temp\M_V_DOUG.exe
"C:\Users\Admin\AppData\Local\Temp\M_V_DOUG.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\tcjbwmh.exe
"C:\Users\Admin\AppData\Local\Temp\tcjbwmh.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4244

C:\Users\Admin\AppData\Local\Temp\tcjbwmh.exe
"C:\Users\Admin\AppData\Local\Temp\tcjbwmh.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cpnem.y

Filesize
464KB

MD5
3f37ddb2660a13210b1c21edc4bbfa14

SHA1
296b94a7c2ede887a3c86d625b4bce086a5f24c9

SHA256
ece672155002814c612ae67bb9423f8483fd34c646b48c8c08e1e87253ac873b

SHA512
60595325aecabbfa9663ac84e4250c47a20a4866587eee4200a4708a02ae40c3bb2bf71eb7d107e18eb4492d7182562538f3eb19c65fd810345394ec3d0d64a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnbljxjqzwg.u

Filesize
7KB

MD5
2bc44ad3a12a2f57552b5835083e094c

SHA1
c6d93859fbd3624b0f5e9f37cc74c8048ec5b181

SHA256
b98fb6a96b83a2f696f7f49fe6f84a5489ce9bd3fe90f9fc1f3328c7f9e459f2

SHA512
17bfff128821e75f2f7527997b1d6c3e756a256d185ab4c4a280e7a9a1e1e685bbe96a0391f50cd1201cfd19a8bb151eb1b73753749246a66aecde3e046484e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcjbwmh.exe

Filesize
5KB

MD5
499572d2f4c38ea2313dd54dbe0c5aab

SHA1
2dab3630b17e9114cdb457179ad84b7a6d521b62

SHA256
5e640a6971cbc4bef2a5683b5055131b7e573256298708ae3a818b381011ecbe

SHA512
0af3211e9a897888bdf985ce31f02be0f486d506322fcd4acfd6cb07820c45f4f0107633d9396f7f84d34128db64375554d07f44364a170f6316861a3f675520

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcjbwmh.exe

Filesize
5KB

MD5
499572d2f4c38ea2313dd54dbe0c5aab

SHA1
2dab3630b17e9114cdb457179ad84b7a6d521b62

SHA256
5e640a6971cbc4bef2a5683b5055131b7e573256298708ae3a818b381011ecbe

SHA512
0af3211e9a897888bdf985ce31f02be0f486d506322fcd4acfd6cb07820c45f4f0107633d9396f7f84d34128db64375554d07f44364a170f6316861a3f675520

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcjbwmh.exe

Filesize
5KB

MD5
499572d2f4c38ea2313dd54dbe0c5aab

SHA1
2dab3630b17e9114cdb457179ad84b7a6d521b62

SHA256
5e640a6971cbc4bef2a5683b5055131b7e573256298708ae3a818b381011ecbe

SHA512
0af3211e9a897888bdf985ce31f02be0f486d506322fcd4acfd6cb07820c45f4f0107633d9396f7f84d34128db64375554d07f44364a170f6316861a3f675520

Download Submit
memory/3476-137-0x0000000000000000-mapping.dmp

Download
memory/3476-139-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3476-140-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4244-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing