remcos | 5777cbd8b980a196f77d66fa90a12f511d12aaeef135d43c4f9b6a186ce6dff4

General

Target

142f5c7c68db71bf5d24a65451b1f506.exe
Size

256KB
MD5

142f5c7c68db71bf5d24a65451b1f506
SHA1

16e4fc6f507d59f90a83c8bdaf833e527d70aa6c
SHA256

5777cbd8b980a196f77d66fa90a12f511d12aaeef135d43c4f9b6a186ce6dff4
SHA512

3ac0e352e542a186f07d41a38fc88495515cf23236b9108d12745322c5d39cd6331fc9df91df6c04e1bf1d04ec5f695a2112aead7abcbab6fe99448ba04b9943
SSDEEP

6144:+hzOv2fM13jsIFSiNT7P/PD7cYALuUqXOcN4Wck:+6sM9oIoi11AahYWck

Score

10^/10

remcos new march persistence rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

New March

C2

elastolut.duckdns.org:47855

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Windows Audio Play.exe
copy_folder
Microsoft Media Corp
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Windows Display
keylog_path
%WinDir%
mouse_option
false
mutex
Windows Audio
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
Microsoft Sound EndPoints
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
Username;password;proforma;invoice;notepad

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	142f5c7c68db71bf5d24a65451b1f506.exe

Executes dropped EXE 1 IoCs

pid	Process
3992	Windows Audio Play.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run\	142f5c7c68db71bf5d24a65451b1f506.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Sound EndPoints = "\"C:\\Windows\\Microsoft Media Corp\\Windows Audio Play.exe\""	142f5c7c68db71bf5d24a65451b1f506.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Windows Audio Play.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Sound EndPoints = "\"C:\\Windows\\Microsoft Media Corp\\Windows Audio Play.exe\""	Windows Audio Play.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3992 set thread context of 4296	3992	Windows Audio Play.exe	90

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft Media Corp\Windows Audio Play.exe	142f5c7c68db71bf5d24a65451b1f506.exe
File opened for modification	C:\Windows\Microsoft Media Corp\Windows Audio Play.exe	142f5c7c68db71bf5d24a65451b1f506.exe
File opened for modification	C:\Windows\Microsoft Media Corp	142f5c7c68db71bf5d24a65451b1f506.exe
File opened for modification	C:\Windows\Windows Display\logs.dat	iexplore.exe
File created	C:\Windows\Windows Display\logs.dat	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3544	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4296	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4296	iexplore.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 3472	3204	142f5c7c68db71bf5d24a65451b1f506.exe	86
PID 3204 wrote to memory of 3472	3204	142f5c7c68db71bf5d24a65451b1f506.exe	86
PID 3204 wrote to memory of 3472	3204	142f5c7c68db71bf5d24a65451b1f506.exe	86
PID 3472 wrote to memory of 3544	3472	cmd.exe	88
PID 3472 wrote to memory of 3544	3472	cmd.exe	88
PID 3472 wrote to memory of 3544	3472	cmd.exe	88
PID 3472 wrote to memory of 3992	3472	cmd.exe	89
PID 3472 wrote to memory of 3992	3472	cmd.exe	89
PID 3472 wrote to memory of 3992	3472	cmd.exe	89
PID 3992 wrote to memory of 4296	3992	Windows Audio Play.exe	90
PID 3992 wrote to memory of 4296	3992	Windows Audio Play.exe	90
PID 3992 wrote to memory of 4296	3992	Windows Audio Play.exe	90
PID 3992 wrote to memory of 4296	3992	Windows Audio Play.exe	90
PID 3992 wrote to memory of 4296	3992	Windows Audio Play.exe	90
PID 3992 wrote to memory of 4296	3992	Windows Audio Play.exe	90
PID 3992 wrote to memory of 4296	3992	Windows Audio Play.exe	90
PID 3992 wrote to memory of 4296	3992	Windows Audio Play.exe	90
PID 3992 wrote to memory of 4296	3992	Windows Audio Play.exe	90

C:\Users\Admin\AppData\Local\Temp\142f5c7c68db71bf5d24a65451b1f506.exe
"C:\Users\Admin\AppData\Local\Temp\142f5c7c68db71bf5d24a65451b1f506.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:3544
- - C:\Windows\Microsoft Media Corp\Windows Audio Play.exe
    "C:\Windows\Microsoft Media Corp\Windows Audio Play.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3992
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:4296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
105B

MD5
b1a71fb7996ce2451aacdaf27ab93c6f

SHA1
992c9104830883ba05fd894fb465029e1c0646be

SHA256
da679739dda66b23fe85fb4a9105a0d56c47ab0c856546c288268c9dbf974114

SHA512
fa67514c80c73f39e8db6a183119f9fb2699fbfacb3057d2f89306b95f313a04df3ab96033334589d073989e01da3246eef9b7a542045ff503bd3c7ed2159d2e

Download Submit
C:\Windows\Microsoft Media Corp\Windows Audio Play.exe

Filesize
256KB

MD5
142f5c7c68db71bf5d24a65451b1f506

SHA1
16e4fc6f507d59f90a83c8bdaf833e527d70aa6c

SHA256
5777cbd8b980a196f77d66fa90a12f511d12aaeef135d43c4f9b6a186ce6dff4

SHA512
3ac0e352e542a186f07d41a38fc88495515cf23236b9108d12745322c5d39cd6331fc9df91df6c04e1bf1d04ec5f695a2112aead7abcbab6fe99448ba04b9943

Download Submit
C:\Windows\Microsoft Media Corp\Windows Audio Play.exe

Filesize
256KB

MD5
142f5c7c68db71bf5d24a65451b1f506

SHA1
16e4fc6f507d59f90a83c8bdaf833e527d70aa6c

SHA256
5777cbd8b980a196f77d66fa90a12f511d12aaeef135d43c4f9b6a186ce6dff4

SHA512
3ac0e352e542a186f07d41a38fc88495515cf23236b9108d12745322c5d39cd6331fc9df91df6c04e1bf1d04ec5f695a2112aead7abcbab6fe99448ba04b9943

Download Submit
memory/4296-142-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing