remcos | f1ee84bf85dec48e4b94e5967de93bbed0d1b96ef43d68c2aa0b8ab7675d2c70

General

Target

Payment receipt.exe
Size

488KB
MD5

42f46f5712661c1cde04667a69263196
SHA1

0441839c8aaf53c06ec48e698da276b499ba21b5
SHA256

f1ee84bf85dec48e4b94e5967de93bbed0d1b96ef43d68c2aa0b8ab7675d2c70
SHA512

2955f10a90c57dfc96f4006ce265843e75375be911548f4ea1e0546fa244c1090c746302507a765244b10b8fab4a4d23f57a061d9cc999355256fa9b3ec53821
SSDEEP

12288:VAJQhjuFi1ckK160/7qNPG4GT1jj8MW3XJ7I+GZb6qt+uP8:WJT41ckKE0/4G4u1jj8MWnJ7jG16w+/

Score

10^/10

remcos uc persistence rat

Malware Config

Extracted

Family

remcos

Botnet

UC

C2

ucremcz1.ddns.net:1823

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
BIN.exe
copy_folder
BIN
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Rmc-X402GF
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
bin
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

otjhuvh.exeotjhuvh.exe

pid process

3008 otjhuvh.exe
3800 otjhuvh.exe

pid	process
3008	otjhuvh.exe
3800	otjhuvh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

otjhuvh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fnbwuh = "C:\\Users\\Admin\\AppData\\Roaming\\nrvgcfyksvarq\\cidrcgh.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\otjhuvh.exe\" C:\\Users\\Admin\\AppData\\Lo"	otjhuvh.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

otjhuvh.exe

description pid process target process

PID 3008 set thread context of 3800 3008 otjhuvh.exe otjhuvh.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

otjhuvh.exe

pid process

3008 otjhuvh.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

otjhuvh.exe

pid process

3800 otjhuvh.exe

description	pid	process	target process
PID 3008 set thread context of 3800	3008	otjhuvh.exe	otjhuvh.exe

pid	process
3008	otjhuvh.exe

pid	process
3800	otjhuvh.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Payment receipt.exeotjhuvh.exe

description	pid	process	target process
PID 5012 wrote to memory of 3008	5012	Payment receipt.exe	otjhuvh.exe
PID 5012 wrote to memory of 3008	5012	Payment receipt.exe	otjhuvh.exe
PID 5012 wrote to memory of 3008	5012	Payment receipt.exe	otjhuvh.exe
PID 3008 wrote to memory of 3800	3008	otjhuvh.exe	otjhuvh.exe
PID 3008 wrote to memory of 3800	3008	otjhuvh.exe	otjhuvh.exe
PID 3008 wrote to memory of 3800	3008	otjhuvh.exe	otjhuvh.exe
PID 3008 wrote to memory of 3800	3008	otjhuvh.exe	otjhuvh.exe

C:\Users\Admin\AppData\Local\Temp\Payment receipt.exe
"C:\Users\Admin\AppData\Local\Temp\Payment receipt.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5012

C:\Users\Admin\AppData\Local\Temp\otjhuvh.exe
"C:\Users\Admin\AppData\Local\Temp\otjhuvh.exe" C:\Users\Admin\AppData\Local\Temp\gjlhbsls.sn
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Temp\otjhuvh.exe
"C:\Users\Admin\AppData\Local\Temp\otjhuvh.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fvfhpew.yw
Filesize
469KB

MD5
934e9cde12313d3640ceff4b3480e252

SHA1
7e269766eac4e846ccad8385c8e36409f265b5e8

SHA256
13dfff990385074af57e6eb20223d4cd7ff56f76cd00675854430a0929969d04

SHA512
6c73cca8fc2a95b6dffe2891888f107147e6185841c3a3145a616a8c3852bbc2c4530ac24975a6c8575c207539e5470e9a6335eefa9411b1ebc3b203f23c372d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gjlhbsls.sn
Filesize
7KB

MD5
61a547ba66db3c5414000ec24cb6a1a9

SHA1
5a1780bcf6b4dea4a241fcf176da4263506cc0c5

SHA256
ead51cf059354582c49f319c681bc621c854a1dad31ad69de3d84ac20941d5b6

SHA512
6fd8a1c2b3bcee56b1c8f438969864bc8ca36b5472e11de8cad2cfffd075f49ee17e0fe91b449d6bb9b6bfff9b75dcf8ace1f5ef8be6bcd54db2c369c3b422ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\otjhuvh.exe
Filesize
104KB

MD5
b762ac88d9d934e1711e631db2880135

SHA1
dfcd02307fa39c7c09779de4d3b520f90b7ffabf

SHA256
89f84d974662db251ac18275abf51fae9a958da0930c612210047250477f62b1

SHA512
a1701e1d7067283bfa77d07d79fe22d51ec0f71419248c6ef3e52efb190aff0daaa6edda6feeeb4ff97dac8654f6f0f2955da3d08b619b8b2e672a98fc767135

Download Submit
C:\Users\Admin\AppData\Local\Temp\otjhuvh.exe
Filesize
104KB

MD5
b762ac88d9d934e1711e631db2880135

SHA1
dfcd02307fa39c7c09779de4d3b520f90b7ffabf

SHA256
89f84d974662db251ac18275abf51fae9a958da0930c612210047250477f62b1

SHA512
a1701e1d7067283bfa77d07d79fe22d51ec0f71419248c6ef3e52efb190aff0daaa6edda6feeeb4ff97dac8654f6f0f2955da3d08b619b8b2e672a98fc767135

Download Submit
C:\Users\Admin\AppData\Local\Temp\otjhuvh.exe
Filesize
104KB

MD5
b762ac88d9d934e1711e631db2880135

SHA1
dfcd02307fa39c7c09779de4d3b520f90b7ffabf

SHA256
89f84d974662db251ac18275abf51fae9a958da0930c612210047250477f62b1

SHA512
a1701e1d7067283bfa77d07d79fe22d51ec0f71419248c6ef3e52efb190aff0daaa6edda6feeeb4ff97dac8654f6f0f2955da3d08b619b8b2e672a98fc767135

Download Submit
memory/3008-132-0x0000000000000000-mapping.dmp

Download
memory/3800-137-0x0000000000000000-mapping.dmp

Download
memory/3800-139-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3800-140-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing