remcos | 7f957a63ff320cf43b53f9f8e7a11ffd327c12a63704cc7fdf11a9a1111ed8f7

General

Target

hesaphareketi-01.pdf.exe
Size

554KB
MD5

717445cae48a9d1f360cbb33ebf6f13e
SHA1

62babaeb13830077f391e02e5549338361e634c5
SHA256

7f957a63ff320cf43b53f9f8e7a11ffd327c12a63704cc7fdf11a9a1111ed8f7
SHA512

098274b28f09b03c21dacc37ec2b82b778e3b896bc8bdb9b424c3c9a2bff3d6de054f548416585e3301face14e98ceaabe0fedcfa005123db969171b2aa81321
SSDEEP

12288:+YbZtLo6pUwdDF0jDqRqctH1UO79pwRpkF0gaC:+YbZVxUwdDF0fQdH1xhpwO0gh

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

report1.duckdns.org:5890

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-O5GSXS
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
900	axkazhdzmh.exe
796	axkazhdzmh.exe

Loads dropped DLL 3 IoCs

pid	Process
828	hesaphareketi-01.pdf.exe
828	hesaphareketi-01.pdf.exe
900	axkazhdzmh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwscotvemnk = "C:\\Users\\Admin\\AppData\\Roaming\\rbaqwntxctptt\\hxwsf.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\axkazhdzmh.exe\" C:\\Users\\Admin\\AppData\\L"	axkazhdzmh.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 900 set thread context of 796	900	axkazhdzmh.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
900	axkazhdzmh.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
796	axkazhdzmh.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 900	828	hesaphareketi-01.pdf.exe	27
PID 828 wrote to memory of 900	828	hesaphareketi-01.pdf.exe	27
PID 828 wrote to memory of 900	828	hesaphareketi-01.pdf.exe	27
PID 828 wrote to memory of 900	828	hesaphareketi-01.pdf.exe	27
PID 900 wrote to memory of 796	900	axkazhdzmh.exe	28
PID 900 wrote to memory of 796	900	axkazhdzmh.exe	28
PID 900 wrote to memory of 796	900	axkazhdzmh.exe	28
PID 900 wrote to memory of 796	900	axkazhdzmh.exe	28
PID 900 wrote to memory of 796	900	axkazhdzmh.exe	28

C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:828
- C:\Users\Admin\AppData\Local\Temp\axkazhdzmh.exe
  "C:\Users\Admin\AppData\Local\Temp\axkazhdzmh.exe" C:\Users\Admin\AppData\Local\Temp\hqixdlt.dkz
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Users\Admin\AppData\Local\Temp\axkazhdzmh.exe
    "C:\Users\Admin\AppData\Local\Temp\axkazhdzmh.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\axkazhdzmh.exe

Filesize
122KB

MD5
ebc1009a8ef6702a56552c77c9bea7df

SHA1
415e25c7041d99ba6ded4ca521377f79df0af639

SHA256
b918388d1c6bfa1e29206d960f5fc187619acb3036f04ff8352ea064a7ed885c

SHA512
a060d0e16ad6ef4f46af18c2097b4decea3ca0d65bf171395acdc21bd4fbd0bc276174777914d840a10714db6a4fc49ba10ad7c97f9ec1a8ea513bf50c1159b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\axkazhdzmh.exe

Filesize
122KB

MD5
ebc1009a8ef6702a56552c77c9bea7df

SHA1
415e25c7041d99ba6ded4ca521377f79df0af639

SHA256
b918388d1c6bfa1e29206d960f5fc187619acb3036f04ff8352ea064a7ed885c

SHA512
a060d0e16ad6ef4f46af18c2097b4decea3ca0d65bf171395acdc21bd4fbd0bc276174777914d840a10714db6a4fc49ba10ad7c97f9ec1a8ea513bf50c1159b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\axkazhdzmh.exe

Filesize
122KB

MD5
ebc1009a8ef6702a56552c77c9bea7df

SHA1
415e25c7041d99ba6ded4ca521377f79df0af639

SHA256
b918388d1c6bfa1e29206d960f5fc187619acb3036f04ff8352ea064a7ed885c

SHA512
a060d0e16ad6ef4f46af18c2097b4decea3ca0d65bf171395acdc21bd4fbd0bc276174777914d840a10714db6a4fc49ba10ad7c97f9ec1a8ea513bf50c1159b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hqixdlt.dkz

Filesize
7KB

MD5
1856411f5a587f216891a6c244fddca9

SHA1
abfd7f49c98fb73a0032903804a3248396e02098

SHA256
08f232c68f1bca3f8bbf25ae18ff847e6f18b706a57134d7e5061a7b2cac7756

SHA512
387b078c8f951c5df65053ce3faee17b0e3b3e4da6e0de28f2db859faac3473b67c33c7645c88010af95a0216f4a917a397439b855a6e5422602aa1d3251ca71

Download Submit
C:\Users\Admin\AppData\Local\Temp\lfecneztrjd.rt

Filesize
495KB

MD5
dd0e71b945934e5d65b2285575e682ab

SHA1
260220eef6b0aaa648548b31c7adcbe3089e6a20

SHA256
aff7b6c4b02d3736f6ea90c3cafaf787849f828cd88ab3efe030cb8a5673f7c1

SHA512
0df888ef718bc68cb1a513bc895db6b4c8d11f36dae730724109b04a6b5ed1e291b88bbe2e6a10be8a61604013ba2d3903f88374be82779f56e7eed73073f477

Download Submit
\Users\Admin\AppData\Local\Temp\axkazhdzmh.exe

Filesize
122KB

MD5
ebc1009a8ef6702a56552c77c9bea7df

SHA1
415e25c7041d99ba6ded4ca521377f79df0af639

SHA256
b918388d1c6bfa1e29206d960f5fc187619acb3036f04ff8352ea064a7ed885c

SHA512
a060d0e16ad6ef4f46af18c2097b4decea3ca0d65bf171395acdc21bd4fbd0bc276174777914d840a10714db6a4fc49ba10ad7c97f9ec1a8ea513bf50c1159b8

Download Submit
\Users\Admin\AppData\Local\Temp\axkazhdzmh.exe

Filesize
122KB

MD5
ebc1009a8ef6702a56552c77c9bea7df

SHA1
415e25c7041d99ba6ded4ca521377f79df0af639

SHA256
b918388d1c6bfa1e29206d960f5fc187619acb3036f04ff8352ea064a7ed885c

SHA512
a060d0e16ad6ef4f46af18c2097b4decea3ca0d65bf171395acdc21bd4fbd0bc276174777914d840a10714db6a4fc49ba10ad7c97f9ec1a8ea513bf50c1159b8

Download Submit
\Users\Admin\AppData\Local\Temp\axkazhdzmh.exe

Filesize
122KB

MD5
ebc1009a8ef6702a56552c77c9bea7df

SHA1
415e25c7041d99ba6ded4ca521377f79df0af639

SHA256
b918388d1c6bfa1e29206d960f5fc187619acb3036f04ff8352ea064a7ed885c

SHA512
a060d0e16ad6ef4f46af18c2097b4decea3ca0d65bf171395acdc21bd4fbd0bc276174777914d840a10714db6a4fc49ba10ad7c97f9ec1a8ea513bf50c1159b8

Download Submit
memory/796-64-0x0000000000432E48-mapping.dmp

Download
memory/796-67-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/796-68-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/828-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/900-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing