remcos | 1ef167a1328330c932ed31e21b40a0a9d00d3eb8b55a80925df68a2d5f4aaade

General

Target

tmp.exe
Size

614KB
MD5

2dc355cbaeae404f2fed99736a82a517
SHA1

5a956af57cdce69fc09811a5cfd12b20cb59ab82
SHA256

1ef167a1328330c932ed31e21b40a0a9d00d3eb8b55a80925df68a2d5f4aaade
SHA512

e814b6b8cab1f58a0b94dc6b28f6807f97fdf746866d743a0da97668d403223a405949c456454fddd6649af34663adc04b1554db28372630614143180ff25419
SSDEEP

12288:+YA/vlQOY9MOfokgPFmwIqF0d2N8Pqu9yv4R2WEOLSuHv4:+YAXGOY9MOfokgdKq+S502DOLlw

Score

10^/10

remcos first-send persistence rat

Malware Config

Extracted

Family

remcos

Botnet

First-Send

C2

top.not4abuse1.xyz:1558

sub.not4abuse1.xyz:1558

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
rmcs
mouse_option
false
mutex
Rmc-4RNJ4J
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
20
startup_value
Remcos
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
Mail;Payment;Bank

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
1284	chgbio.exe
960	chgbio.exe

Loads dropped DLL 2 IoCs

pid	Process
1692	tmp.exe
1284	chgbio.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ickl = "C:\\Users\\Admin\\AppData\\Roaming\\tiipatgsvqr\\fgeetyp.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\chgbio.exe\" C:\\Users\\Admin\\AppData\\Local"	chgbio.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1284 set thread context of 960	1284	chgbio.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1284	chgbio.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
960	chgbio.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 1284	1692	tmp.exe	27
PID 1692 wrote to memory of 1284	1692	tmp.exe	27
PID 1692 wrote to memory of 1284	1692	tmp.exe	27
PID 1692 wrote to memory of 1284	1692	tmp.exe	27
PID 1284 wrote to memory of 960	1284	chgbio.exe	28
PID 1284 wrote to memory of 960	1284	chgbio.exe	28
PID 1284 wrote to memory of 960	1284	chgbio.exe	28
PID 1284 wrote to memory of 960	1284	chgbio.exe	28
PID 1284 wrote to memory of 960	1284	chgbio.exe	28

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Local\Temp\chgbio.exe
  "C:\Users\Admin\AppData\Local\Temp\chgbio.exe" C:\Users\Admin\AppData\Local\Temp\criijvdrob.ca
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\chgbio.exe
    "C:\Users\Admin\AppData\Local\Temp\chgbio.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\chgbio.exe

Filesize
332KB

MD5
173f1de107aefed5759513ecf4fee092

SHA1
cb4f5d546632f129c3cf2f2c4b22202dc31334f2

SHA256
f66e7192a1f20d41326664103f2c7c0a975c16919c864c652a128679bedbe6e9

SHA512
d42a7b9f2238a9192c2903457c66013d21d3334110898765d7b2d819f001d5630249660529c7c1695f9477630bc9cea71620f05d6ed744efccd511724080945e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chgbio.exe

Filesize
332KB

MD5
173f1de107aefed5759513ecf4fee092

SHA1
cb4f5d546632f129c3cf2f2c4b22202dc31334f2

SHA256
f66e7192a1f20d41326664103f2c7c0a975c16919c864c652a128679bedbe6e9

SHA512
d42a7b9f2238a9192c2903457c66013d21d3334110898765d7b2d819f001d5630249660529c7c1695f9477630bc9cea71620f05d6ed744efccd511724080945e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chgbio.exe

Filesize
332KB

MD5
173f1de107aefed5759513ecf4fee092

SHA1
cb4f5d546632f129c3cf2f2c4b22202dc31334f2

SHA256
f66e7192a1f20d41326664103f2c7c0a975c16919c864c652a128679bedbe6e9

SHA512
d42a7b9f2238a9192c2903457c66013d21d3334110898765d7b2d819f001d5630249660529c7c1695f9477630bc9cea71620f05d6ed744efccd511724080945e

Download Submit
C:\Users\Admin\AppData\Local\Temp\criijvdrob.ca

Filesize
7KB

MD5
dd97f27b0cc1eb85c007c18f100a1c4f

SHA1
a777181b17267159dd792bc1db1b53a99de7b635

SHA256
09e103504f02475b6031b42ebf6e749709035e3fe9225e10bbb38f01336ad4ec

SHA512
00f1836b5b348c6b96c2986ff06899b9e8260015f7497de7d8d77e4ab133199185ad5ce9d4fd9ba6796ffdf64ba6f2103d4fc69029347295672c4c018384f9c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjnsie.is

Filesize
495KB

MD5
f22cf26ac9fbc667663d2d92fc30abb1

SHA1
8f59b8e5984fd83030807616a7fe47b156615ee9

SHA256
feff1df7aadd11a04a3c06b830f5bd7e5b7ad3fec6e0c7065e60de567d32142f

SHA512
dd337e3f0304baf963569c70dae454bd9902d12fa4c91bbd04f8312beea6dba03afb5444948e2e63b833dea564adf63c0cb02505d1f51fd0763ce0fcf37a7bf4

Download Submit
\Users\Admin\AppData\Local\Temp\chgbio.exe

Filesize
332KB

MD5
173f1de107aefed5759513ecf4fee092

SHA1
cb4f5d546632f129c3cf2f2c4b22202dc31334f2

SHA256
f66e7192a1f20d41326664103f2c7c0a975c16919c864c652a128679bedbe6e9

SHA512
d42a7b9f2238a9192c2903457c66013d21d3334110898765d7b2d819f001d5630249660529c7c1695f9477630bc9cea71620f05d6ed744efccd511724080945e

Download Submit
\Users\Admin\AppData\Local\Temp\chgbio.exe

Filesize
332KB

MD5
173f1de107aefed5759513ecf4fee092

SHA1
cb4f5d546632f129c3cf2f2c4b22202dc31334f2

SHA256
f66e7192a1f20d41326664103f2c7c0a975c16919c864c652a128679bedbe6e9

SHA512
d42a7b9f2238a9192c2903457c66013d21d3334110898765d7b2d819f001d5630249660529c7c1695f9477630bc9cea71620f05d6ed744efccd511724080945e

Download Submit
memory/960-66-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/960-67-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-54-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing