remcos | f830ced2c0d06737392dddabd93828fa37430b0c6ec27cb7186c46d5e2f570b8

General

Target

Swift copy.exe
Size

551KB
MD5

9bf8c117b8737c7001b81b63fc13943b
SHA1

f50c1f889bec8791cedb78d29b13acd6a610c4fb
SHA256

f830ced2c0d06737392dddabd93828fa37430b0c6ec27cb7186c46d5e2f570b8
SHA512

286fdb320a344660497353f102f982af6dbdf4092571ef093fb9a073f299b0e1b7a4ad7d5b232cac8bb4751e8c52314bde488fcb17681914dabe240493ac8f8e
SSDEEP

12288:gyI0+stnJ1EDBFyrpXtCvjCw10Uov7uec1hn4Kl0WUX:g30+stvsF0xovjt10Uuc17bUX

Score

10^/10

remcos uc persistence rat

Malware Config

Extracted

Family

remcos

Botnet

UC

C2

ucremcz1.ddns.net:1823

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
BIN.exe
copy_folder
BIN
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Rmc-X402GF
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
bin
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

ipsfqzlahu.exeipsfqzlahu.exe

pid process

1120 ipsfqzlahu.exe
1100 ipsfqzlahu.exe
Loads dropped DLL 2 IoCs

Processes:

Swift copy.exeipsfqzlahu.exe

pid process

1464 Swift copy.exe
1120 ipsfqzlahu.exe

pid	process
1120	ipsfqzlahu.exe
1100	ipsfqzlahu.exe

pid	process
1464	Swift copy.exe
1120	ipsfqzlahu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ipsfqzlahu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cbmflwqflvdxn = "C:\\Users\\Admin\\AppData\\Roaming\\cpioyxc\\opxiuifw.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ipsfqzlahu.exe\" C:\\Users\\Admin\\AppData\\Loca"	ipsfqzlahu.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ipsfqzlahu.exe

description pid process target process

PID 1120 set thread context of 1100 1120 ipsfqzlahu.exe ipsfqzlahu.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ipsfqzlahu.exe

pid process

1120 ipsfqzlahu.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ipsfqzlahu.exe

pid process

1100 ipsfqzlahu.exe

description	pid	process	target process
PID 1120 set thread context of 1100	1120	ipsfqzlahu.exe	ipsfqzlahu.exe

pid	process
1120	ipsfqzlahu.exe

pid	process
1100	ipsfqzlahu.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Swift copy.exeipsfqzlahu.exe

description	pid	process	target process
PID 1464 wrote to memory of 1120	1464	Swift copy.exe	ipsfqzlahu.exe
PID 1464 wrote to memory of 1120	1464	Swift copy.exe	ipsfqzlahu.exe
PID 1464 wrote to memory of 1120	1464	Swift copy.exe	ipsfqzlahu.exe
PID 1464 wrote to memory of 1120	1464	Swift copy.exe	ipsfqzlahu.exe
PID 1120 wrote to memory of 1100	1120	ipsfqzlahu.exe	ipsfqzlahu.exe
PID 1120 wrote to memory of 1100	1120	ipsfqzlahu.exe	ipsfqzlahu.exe
PID 1120 wrote to memory of 1100	1120	ipsfqzlahu.exe	ipsfqzlahu.exe
PID 1120 wrote to memory of 1100	1120	ipsfqzlahu.exe	ipsfqzlahu.exe
PID 1120 wrote to memory of 1100	1120	ipsfqzlahu.exe	ipsfqzlahu.exe

C:\Users\Admin\AppData\Local\Temp\Swift copy.exe
"C:\Users\Admin\AppData\Local\Temp\Swift copy.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Local\Temp\ipsfqzlahu.exe
"C:\Users\Admin\AppData\Local\Temp\ipsfqzlahu.exe" C:\Users\Admin\AppData\Local\Temp\dyhjcyzqwc.d
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Local\Temp\ipsfqzlahu.exe
"C:\Users\Admin\AppData\Local\Temp\ipsfqzlahu.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dyhjcyzqwc.d
Filesize
7KB

MD5
d691a0acf00e6d76022788791d12e1c9

SHA1
533dd3962b74fd506cc788ca8130458ab9a5c232

SHA256
9efeb3bbb5701ac2b8638d431df3be1e59020970a208fa797f4acd25fc1bb2d5

SHA512
e289b4a6d606bf021d28699426e8accda9c267fa2099ae81df4f3cc10086236c9550f0756d880cfdd8764622625589d523901057f69e912df43425fe037f885c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eekgv.w
Filesize
469KB

MD5
e8197fed2f8f67d8dee14a50af9908e5

SHA1
420159fb6dcf08bc560ab7db7879ebe2ff72d130

SHA256
9b7ac0f4d5f3511aa4d3410d3e87cabc64469ba9ab8589fdd30ae61e8269e771

SHA512
af3cca9ee8807f717b6e607b06a8af15821f3b3045b89ca27f1bce7df2aade68f4fc618c2f34f35928887763b807a5fb7c69b9a85f921c55a1afe5f73e6297ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ipsfqzlahu.exe
Filesize
267KB

MD5
ed0d3ca53ccaad84a09ad0613b79259f

SHA1
9c2585983bd6e53d469f55aa09766c96372f41b0

SHA256
dcb61c55ba74a131833f2b76c595b19ee447b05b744d19ab3900d74109eb5d98

SHA512
48db1973a0599d51911d56f469ba278139e13cb574cc24ab501db938275f32ce1fc152c3e2eb7f55cf7f21d29c82817d0a28393b76d4f9a7ea6633d1bab89c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\ipsfqzlahu.exe
Filesize
267KB

MD5
ed0d3ca53ccaad84a09ad0613b79259f

SHA1
9c2585983bd6e53d469f55aa09766c96372f41b0

SHA256
dcb61c55ba74a131833f2b76c595b19ee447b05b744d19ab3900d74109eb5d98

SHA512
48db1973a0599d51911d56f469ba278139e13cb574cc24ab501db938275f32ce1fc152c3e2eb7f55cf7f21d29c82817d0a28393b76d4f9a7ea6633d1bab89c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\ipsfqzlahu.exe
Filesize
267KB

MD5
ed0d3ca53ccaad84a09ad0613b79259f

SHA1
9c2585983bd6e53d469f55aa09766c96372f41b0

SHA256
dcb61c55ba74a131833f2b76c595b19ee447b05b744d19ab3900d74109eb5d98

SHA512
48db1973a0599d51911d56f469ba278139e13cb574cc24ab501db938275f32ce1fc152c3e2eb7f55cf7f21d29c82817d0a28393b76d4f9a7ea6633d1bab89c62

Download Submit
\Users\Admin\AppData\Local\Temp\ipsfqzlahu.exe
Filesize
267KB

MD5
ed0d3ca53ccaad84a09ad0613b79259f

SHA1
9c2585983bd6e53d469f55aa09766c96372f41b0

SHA256
dcb61c55ba74a131833f2b76c595b19ee447b05b744d19ab3900d74109eb5d98

SHA512
48db1973a0599d51911d56f469ba278139e13cb574cc24ab501db938275f32ce1fc152c3e2eb7f55cf7f21d29c82817d0a28393b76d4f9a7ea6633d1bab89c62

Download Submit
\Users\Admin\AppData\Local\Temp\ipsfqzlahu.exe
Filesize
267KB

MD5
ed0d3ca53ccaad84a09ad0613b79259f

SHA1
9c2585983bd6e53d469f55aa09766c96372f41b0

SHA256
dcb61c55ba74a131833f2b76c595b19ee447b05b744d19ab3900d74109eb5d98

SHA512
48db1973a0599d51911d56f469ba278139e13cb574cc24ab501db938275f32ce1fc152c3e2eb7f55cf7f21d29c82817d0a28393b76d4f9a7ea6633d1bab89c62

Download Submit
memory/1100-63-0x00000000004327A4-mapping.dmp

Download
memory/1100-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1100-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1120-56-0x0000000000000000-mapping.dmp

Download
memory/1464-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing