remcos | 4d87f600c35b4b795142195bbe75c8e1a80f3c587c0c5eea6afa20d2f6587861

General

Target

file.exe
Size

972KB
MD5

3d21e82b2ab2331133cbf0fe32c43f7a
SHA1

7bcd150f9e1377bb3439fac2d631a59c2bf06fac
SHA256

4d87f600c35b4b795142195bbe75c8e1a80f3c587c0c5eea6afa20d2f6587861
SHA512

6ada585028f73f0de860900275a384638a59648252842cbef60da2d9be63e2272cf7ae09914c2fafa5fc85809c3d7f59369d291b702211a44cdaa1b64c563529
SSDEEP

12288:jagh/PsZ1DX/VDJKqzbq+HyByFAchZgiHeRhWqK2N0xW8yhn4VTBRWhA84PT2kyD:jagh/PBUtjFxgUemxhyah7XTDTs

Score

10^/10

remcos awele persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Awele

C2

gdyhjjdhbvxgsfe.gotdns.ch:2718

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
qoc.exe
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-LLTFOH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
mix
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

qoc.exeqoc.exe

pid process

316 qoc.exe
1812 qoc.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1808 cmd.exe
1808 cmd.exe

pid	process
316	qoc.exe
1812	qoc.exe

pid	process
1808	cmd.exe
1808	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

file.exeqoc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\	file.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\mix = "\"C:\\Users\\Admin\\AppData\\Roaming\\qoc.exe\""	file.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\	qoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\mix = "\"C:\\Users\\Admin\\AppData\\Roaming\\qoc.exe\""	qoc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

file.exeqoc.exe

description pid process target process

PID 1320 set thread context of 580 1320 file.exe file.exe
PID 316 set thread context of 1812 316 qoc.exe qoc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

qoc.exe

pid process

1812 qoc.exe

description	pid	process	target process
PID 1320 set thread context of 580	1320	file.exe	file.exe
PID 316 set thread context of 1812	316	qoc.exe	qoc.exe

pid	process
1812	qoc.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

file.exefile.exeWScript.execmd.exeqoc.exe

description	pid	process	target process
PID 1320 wrote to memory of 580	1320	file.exe	file.exe
PID 1320 wrote to memory of 580	1320	file.exe	file.exe
PID 1320 wrote to memory of 580	1320	file.exe	file.exe
PID 1320 wrote to memory of 580	1320	file.exe	file.exe
PID 1320 wrote to memory of 580	1320	file.exe	file.exe
PID 1320 wrote to memory of 580	1320	file.exe	file.exe
PID 1320 wrote to memory of 580	1320	file.exe	file.exe
PID 1320 wrote to memory of 580	1320	file.exe	file.exe
PID 1320 wrote to memory of 580	1320	file.exe	file.exe
PID 1320 wrote to memory of 580	1320	file.exe	file.exe
PID 1320 wrote to memory of 580	1320	file.exe	file.exe
PID 1320 wrote to memory of 580	1320	file.exe	file.exe
PID 1320 wrote to memory of 580	1320	file.exe	file.exe
PID 580 wrote to memory of 828	580	file.exe	WScript.exe
PID 580 wrote to memory of 828	580	file.exe	WScript.exe
PID 580 wrote to memory of 828	580	file.exe	WScript.exe
PID 580 wrote to memory of 828	580	file.exe	WScript.exe
PID 828 wrote to memory of 1808	828	WScript.exe	cmd.exe
PID 828 wrote to memory of 1808	828	WScript.exe	cmd.exe
PID 828 wrote to memory of 1808	828	WScript.exe	cmd.exe
PID 828 wrote to memory of 1808	828	WScript.exe	cmd.exe
PID 1808 wrote to memory of 316	1808	cmd.exe	qoc.exe
PID 1808 wrote to memory of 316	1808	cmd.exe	qoc.exe
PID 1808 wrote to memory of 316	1808	cmd.exe	qoc.exe
PID 1808 wrote to memory of 316	1808	cmd.exe	qoc.exe
PID 316 wrote to memory of 1812	316	qoc.exe	qoc.exe
PID 316 wrote to memory of 1812	316	qoc.exe	qoc.exe
PID 316 wrote to memory of 1812	316	qoc.exe	qoc.exe
PID 316 wrote to memory of 1812	316	qoc.exe	qoc.exe
PID 316 wrote to memory of 1812	316	qoc.exe	qoc.exe
PID 316 wrote to memory of 1812	316	qoc.exe	qoc.exe
PID 316 wrote to memory of 1812	316	qoc.exe	qoc.exe
PID 316 wrote to memory of 1812	316	qoc.exe	qoc.exe
PID 316 wrote to memory of 1812	316	qoc.exe	qoc.exe
PID 316 wrote to memory of 1812	316	qoc.exe	qoc.exe
PID 316 wrote to memory of 1812	316	qoc.exe	qoc.exe
PID 316 wrote to memory of 1812	316	qoc.exe	qoc.exe
PID 316 wrote to memory of 1812	316	qoc.exe	qoc.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1320

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\qoc.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808

C:\Users\Admin\AppData\Roaming\qoc.exe
C:\Users\Admin\AppData\Roaming\qoc.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:316

C:\Users\Admin\AppData\Roaming\qoc.exe
"C:\Users\Admin\AppData\Roaming\qoc.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize
398B

MD5
9edf722c5b68fc5befaf057c2aad1ccb

SHA1
0b079fc86d4c859ecb3c1a1893b6ffae2eb1e2cb

SHA256
bfdf30f700f36f615a0b3a9389bdaa2b3a334ece816e95a3090f7c41ec8efba6

SHA512
ea4f1e5842c38f998f2050004f4af9ffedeb0bbd4e6cf9e29b037f9659d48dd17b477a2b0ab23c1b6f8b94c4355a17f6155965bada1b98fd12c2868ec7ea82fc

Download Submit
C:\Users\Admin\AppData\Roaming\qoc.exe
Filesize
972KB

MD5
3d21e82b2ab2331133cbf0fe32c43f7a

SHA1
7bcd150f9e1377bb3439fac2d631a59c2bf06fac

SHA256
4d87f600c35b4b795142195bbe75c8e1a80f3c587c0c5eea6afa20d2f6587861

SHA512
6ada585028f73f0de860900275a384638a59648252842cbef60da2d9be63e2272cf7ae09914c2fafa5fc85809c3d7f59369d291b702211a44cdaa1b64c563529

Download Submit
C:\Users\Admin\AppData\Roaming\qoc.exe
Filesize
972KB

MD5
3d21e82b2ab2331133cbf0fe32c43f7a

SHA1
7bcd150f9e1377bb3439fac2d631a59c2bf06fac

SHA256
4d87f600c35b4b795142195bbe75c8e1a80f3c587c0c5eea6afa20d2f6587861

SHA512
6ada585028f73f0de860900275a384638a59648252842cbef60da2d9be63e2272cf7ae09914c2fafa5fc85809c3d7f59369d291b702211a44cdaa1b64c563529

Download Submit
C:\Users\Admin\AppData\Roaming\qoc.exe
Filesize
972KB

MD5
3d21e82b2ab2331133cbf0fe32c43f7a

SHA1
7bcd150f9e1377bb3439fac2d631a59c2bf06fac

SHA256
4d87f600c35b4b795142195bbe75c8e1a80f3c587c0c5eea6afa20d2f6587861

SHA512
6ada585028f73f0de860900275a384638a59648252842cbef60da2d9be63e2272cf7ae09914c2fafa5fc85809c3d7f59369d291b702211a44cdaa1b64c563529

Download Submit
\Users\Admin\AppData\Roaming\qoc.exe
Filesize
972KB

MD5
3d21e82b2ab2331133cbf0fe32c43f7a

SHA1
7bcd150f9e1377bb3439fac2d631a59c2bf06fac

SHA256
4d87f600c35b4b795142195bbe75c8e1a80f3c587c0c5eea6afa20d2f6587861

SHA512
6ada585028f73f0de860900275a384638a59648252842cbef60da2d9be63e2272cf7ae09914c2fafa5fc85809c3d7f59369d291b702211a44cdaa1b64c563529

Download Submit
\Users\Admin\AppData\Roaming\qoc.exe
Filesize
972KB

MD5
3d21e82b2ab2331133cbf0fe32c43f7a

SHA1
7bcd150f9e1377bb3439fac2d631a59c2bf06fac

SHA256
4d87f600c35b4b795142195bbe75c8e1a80f3c587c0c5eea6afa20d2f6587861

SHA512
6ada585028f73f0de860900275a384638a59648252842cbef60da2d9be63e2272cf7ae09914c2fafa5fc85809c3d7f59369d291b702211a44cdaa1b64c563529

Download Submit
memory/316-88-0x0000000000980000-0x0000000000A7A000-memory.dmp

Filesize
1000KB

Download
memory/316-86-0x0000000000000000-mapping.dmp

Download
memory/580-63-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/580-73-0x00000000004327A4-mapping.dmp

Download
memory/580-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/580-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/580-68-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/580-70-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/580-72-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/580-61-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/580-76-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/580-77-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/580-60-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/580-79-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/580-65-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/828-78-0x0000000000000000-mapping.dmp

Download
memory/1320-56-0x0000000000230000-0x0000000000248000-memory.dmp

Filesize
96KB

Download
memory/1320-59-0x00000000058F0000-0x000000000596C000-memory.dmp

Filesize
496KB

Download
memory/1320-58-0x0000000005840000-0x00000000058F2000-memory.dmp

Filesize
712KB

Download
memory/1320-57-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/1320-54-0x0000000000860000-0x000000000095A000-memory.dmp

Filesize
1000KB

Download
memory/1320-55-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/1808-82-0x0000000000000000-mapping.dmp

Download
memory/1812-103-0x00000000004327A4-mapping.dmp

Download
memory/1812-107-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1812-108-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1812-109-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing