remcos | e7df824addac322647a4fe1939335084a4c72620d94c4fd7b8665e703e3f7fde

General

Target

PURCHASE ORDER NO4 pdf.js
Size

867KB
MD5

2fe5245098354f7815f23996a250917a
SHA1

0ce8e1c4b93001d61aea6959daa71bed65544900
SHA256

e7df824addac322647a4fe1939335084a4c72620d94c4fd7b8665e703e3f7fde
SHA512

1226bec6e600114353c9c733cc8362e4a3b66fd90e42a890153b9e828201a503128a5aed308ca586069ff71e9a7567ae765b0aa517811a81eda71ecc634bb0bb
SSDEEP

12288:pk7NfBYCQ7TWo3g3C23BpIJ0qcpJpqIsIwGjzgtDIWihh0Kd22vuepMSZ1VA7SqS:Qxp2DI/Z1VA/S

Score

10^/10

remcos vjw0rm remotehost persistence rat trojan worm

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

45.139.105.174:3111

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-XI5CH7
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 5 IoCs

flow	pid	Process
8	1116	wscript.exe
11	1116	wscript.exe
12	1116	wscript.exe
15	1116	wscript.exe
16	1116	wscript.exe

Executes dropped EXE 2 IoCs

pid	Process
2012	3am.exe
524	remcos.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NfdRFaNTqV.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NfdRFaNTqV.js	wscript.exe

Loads dropped DLL 2 IoCs

pid	Process
1352	cmd.exe
1352	cmd.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	3am.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	3am.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	3am.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	3am.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 524 set thread context of 1932	524	remcos.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
524	remcos.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1116	1628	wscript.exe	27
PID 1628 wrote to memory of 1116	1628	wscript.exe	27
PID 1628 wrote to memory of 1116	1628	wscript.exe	27
PID 1628 wrote to memory of 2012	1628	wscript.exe	28
PID 1628 wrote to memory of 2012	1628	wscript.exe	28
PID 1628 wrote to memory of 2012	1628	wscript.exe	28
PID 1628 wrote to memory of 2012	1628	wscript.exe	28
PID 2012 wrote to memory of 920	2012	3am.exe	30
PID 2012 wrote to memory of 920	2012	3am.exe	30
PID 2012 wrote to memory of 920	2012	3am.exe	30
PID 2012 wrote to memory of 920	2012	3am.exe	30
PID 920 wrote to memory of 1352	920	WScript.exe	31
PID 920 wrote to memory of 1352	920	WScript.exe	31
PID 920 wrote to memory of 1352	920	WScript.exe	31
PID 920 wrote to memory of 1352	920	WScript.exe	31
PID 1352 wrote to memory of 524	1352	cmd.exe	33
PID 1352 wrote to memory of 524	1352	cmd.exe	33
PID 1352 wrote to memory of 524	1352	cmd.exe	33
PID 1352 wrote to memory of 524	1352	cmd.exe	33
PID 524 wrote to memory of 1932	524	remcos.exe	34
PID 524 wrote to memory of 1932	524	remcos.exe	34
PID 524 wrote to memory of 1932	524	remcos.exe	34
PID 524 wrote to memory of 1932	524	remcos.exe	34
PID 524 wrote to memory of 1932	524	remcos.exe	34

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER NO4 pdf.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NfdRFaNTqV.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:1116
- C:\Users\Admin\AppData\Roaming\3am.exe
  "C:\Users\Admin\AppData\Roaming\3am.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\azzplgec.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:920
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1352
    - - C:\ProgramData\Remcos\remcos.exe
        
        C:\ProgramData\Remcos\remcos.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:524
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        6⤵
        
        PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\remcos.exe

Filesize
470KB

MD5
8f6f561ec65b393126f5b648f890e78a

SHA1
cea6ff88ba56fcfdcf5992b5b35ec2accbd234a3

SHA256
8acb8ff6a5565f9d8b56e2712858db04e577c53906c8045fa43bdf1e7669120a

SHA512
58e2544db5c4a9771d3cfef8364e80f4b0fb954f7ace2585fbb619d5b9de641eaac6956127d61d5808874633033d3c6d4322fb250a47a7dce5a3c8f2e7f8b27b

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
470KB

MD5
8f6f561ec65b393126f5b648f890e78a

SHA1
cea6ff88ba56fcfdcf5992b5b35ec2accbd234a3

SHA256
8acb8ff6a5565f9d8b56e2712858db04e577c53906c8045fa43bdf1e7669120a

SHA512
58e2544db5c4a9771d3cfef8364e80f4b0fb954f7ace2585fbb619d5b9de641eaac6956127d61d5808874633033d3c6d4322fb250a47a7dce5a3c8f2e7f8b27b

Download Submit
C:\Users\Admin\AppData\Local\Temp\azzplgec.vbs

Filesize
386B

MD5
1ec6289c6fd4c2ded6b2836ed28cbeb5

SHA1
c4e08195e6c640eb8860acc03fda1d649b4fe070

SHA256
6efdc40f9eb217f879607614e928b65bff759e424f3efb31faceb2a043c32dc2

SHA512
20bc46f4dee22f75f15c402c7c2eaee60fff7dd92548050585571dcbefd59485cc249c06bc3f1aac7a138e5ae67c0c3918b46ffa24c8b0f1b092e2f6b6e21288

Download Submit
C:\Users\Admin\AppData\Roaming\3am.exe

Filesize
470KB

MD5
8f6f561ec65b393126f5b648f890e78a

SHA1
cea6ff88ba56fcfdcf5992b5b35ec2accbd234a3

SHA256
8acb8ff6a5565f9d8b56e2712858db04e577c53906c8045fa43bdf1e7669120a

SHA512
58e2544db5c4a9771d3cfef8364e80f4b0fb954f7ace2585fbb619d5b9de641eaac6956127d61d5808874633033d3c6d4322fb250a47a7dce5a3c8f2e7f8b27b

Download Submit
C:\Users\Admin\AppData\Roaming\3am.exe

Filesize
470KB

MD5
8f6f561ec65b393126f5b648f890e78a

SHA1
cea6ff88ba56fcfdcf5992b5b35ec2accbd234a3

SHA256
8acb8ff6a5565f9d8b56e2712858db04e577c53906c8045fa43bdf1e7669120a

SHA512
58e2544db5c4a9771d3cfef8364e80f4b0fb954f7ace2585fbb619d5b9de641eaac6956127d61d5808874633033d3c6d4322fb250a47a7dce5a3c8f2e7f8b27b

Download Submit
C:\Users\Admin\AppData\Roaming\NfdRFaNTqV.js

Filesize
8KB

MD5
6b5b268c221e96503a59756be7d696e7

SHA1
d9d40ca54aa3d21de66a23a4207e35f64c2111f1

SHA256
0b73692a7eef086fb0d4f9af58c48316273873f2b176324abd8b8fa3e9124d8b

SHA512
7b066f9661a5b0dd848c36ad0a1e6fb69f205f95cc1137de7a79375934d8349c9540e59331ed6497c0530b98c41585de109876c755bd6a83b4bf49511b3036b2

Download Submit
\ProgramData\Remcos\remcos.exe

Filesize
470KB

MD5
8f6f561ec65b393126f5b648f890e78a

SHA1
cea6ff88ba56fcfdcf5992b5b35ec2accbd234a3

SHA256
8acb8ff6a5565f9d8b56e2712858db04e577c53906c8045fa43bdf1e7669120a

SHA512
58e2544db5c4a9771d3cfef8364e80f4b0fb954f7ace2585fbb619d5b9de641eaac6956127d61d5808874633033d3c6d4322fb250a47a7dce5a3c8f2e7f8b27b

Download Submit
\ProgramData\Remcos\remcos.exe

Filesize
470KB

MD5
8f6f561ec65b393126f5b648f890e78a

SHA1
cea6ff88ba56fcfdcf5992b5b35ec2accbd234a3

SHA256
8acb8ff6a5565f9d8b56e2712858db04e577c53906c8045fa43bdf1e7669120a

SHA512
58e2544db5c4a9771d3cfef8364e80f4b0fb954f7ace2585fbb619d5b9de641eaac6956127d61d5808874633033d3c6d4322fb250a47a7dce5a3c8f2e7f8b27b

Download Submit
memory/1628-54-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

Filesize
8KB

Download
memory/1932-74-0x00000000000E0000-0x000000000015F000-memory.dmp

Filesize
508KB

Download
memory/1932-75-0x00000000000E0000-0x000000000015F000-memory.dmp

Filesize
508KB

Download
memory/2012-59-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing