remcos | 7988fe75eb1abeac99917732c69e0de5e96137b5a8f471b4c8af2ef378505312

General

Target

tmp.exe
Size

1.3MB
MD5

d8e622d9974ee940831e507fac715c94
SHA1

7f6b6850c5146c6942148eae317387e5c85342ea
SHA256

7988fe75eb1abeac99917732c69e0de5e96137b5a8f471b4c8af2ef378505312
SHA512

6c5bd4dd4bfbb4c75bf392141446496473cf035ebfe6b70bdfe0278ec67ffbffdc4b9ba937ca80d5ef7ed80fa8ce6ca3ebd4e02821f155580377b503ed17a3d6
SSDEEP

24576:V5F02vDR3+R4znIM4PkgW6REfPSt6BPoUi17+9QloSN3TEt8dni:fF/9RnIIgWBg+AUi1S9QCSNDEin

Score

10^/10

remcos awele-host persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Awele-Host

C2

gdyhjjdhbvxgsfe.gotdns.ch:2718

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
qos.exe
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
Rmc-VC3F2C
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Jm
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

Processes:

qos.exeqos.exe

pid process

4640 qos.exe
4884 qos.exe

pid	process
4640	qos.exe
4884	qos.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp.exeqos.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jm = "\"C:\\Users\\Admin\\AppData\\Roaming\\qos.exe\""	tmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Jm = "\"C:\\Users\\Admin\\AppData\\Roaming\\qos.exe\""	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Run\	qos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jm = "\"C:\\Users\\Admin\\AppData\\Roaming\\qos.exe\""	qos.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	qos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Jm = "\"C:\\Users\\Admin\\AppData\\Roaming\\qos.exe\""	qos.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Run\	tmp.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

tmp.exeqos.exe

description pid process target process

PID 2156 set thread context of 4480 2156 tmp.exe tmp.exe
PID 4640 set thread context of 4884 4640 qos.exe qos.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

tmp.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings tmp.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

tmp.exeqos.exe

pid process

2156 tmp.exe
2156 tmp.exe
2156 tmp.exe
4640 qos.exe
4640 qos.exe
4640 qos.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tmp.exeqos.exe

description pid process

Token: SeDebugPrivilege 2156 tmp.exe
Token: SeDebugPrivilege 4640 qos.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

qos.exe

pid process

4884 qos.exe

description	pid	process	target process
PID 2156 set thread context of 4480	2156	tmp.exe	tmp.exe
PID 4640 set thread context of 4884	4640	qos.exe	qos.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	tmp.exe

pid	process
2156	tmp.exe
2156	tmp.exe
2156	tmp.exe
4640	qos.exe
4640	qos.exe
4640	qos.exe

description	pid	process
Token: SeDebugPrivilege	2156	tmp.exe
Token: SeDebugPrivilege	4640	qos.exe

pid	process
4884	qos.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

tmp.exetmp.exeWScript.execmd.exeqos.exe

description	pid	process	target process
PID 2156 wrote to memory of 4480	2156	tmp.exe	tmp.exe
PID 2156 wrote to memory of 4480	2156	tmp.exe	tmp.exe
PID 2156 wrote to memory of 4480	2156	tmp.exe	tmp.exe
PID 2156 wrote to memory of 4480	2156	tmp.exe	tmp.exe
PID 2156 wrote to memory of 4480	2156	tmp.exe	tmp.exe
PID 2156 wrote to memory of 4480	2156	tmp.exe	tmp.exe
PID 2156 wrote to memory of 4480	2156	tmp.exe	tmp.exe
PID 2156 wrote to memory of 4480	2156	tmp.exe	tmp.exe
PID 2156 wrote to memory of 4480	2156	tmp.exe	tmp.exe
PID 2156 wrote to memory of 4480	2156	tmp.exe	tmp.exe
PID 2156 wrote to memory of 4480	2156	tmp.exe	tmp.exe
PID 2156 wrote to memory of 4480	2156	tmp.exe	tmp.exe
PID 4480 wrote to memory of 4528	4480	tmp.exe	WScript.exe
PID 4480 wrote to memory of 4528	4480	tmp.exe	WScript.exe
PID 4480 wrote to memory of 4528	4480	tmp.exe	WScript.exe
PID 4528 wrote to memory of 4876	4528	WScript.exe	cmd.exe
PID 4528 wrote to memory of 4876	4528	WScript.exe	cmd.exe
PID 4528 wrote to memory of 4876	4528	WScript.exe	cmd.exe
PID 4876 wrote to memory of 4640	4876	cmd.exe	qos.exe
PID 4876 wrote to memory of 4640	4876	cmd.exe	qos.exe
PID 4876 wrote to memory of 4640	4876	cmd.exe	qos.exe
PID 4640 wrote to memory of 4884	4640	qos.exe	qos.exe
PID 4640 wrote to memory of 4884	4640	qos.exe	qos.exe
PID 4640 wrote to memory of 4884	4640	qos.exe	qos.exe
PID 4640 wrote to memory of 4884	4640	qos.exe	qos.exe
PID 4640 wrote to memory of 4884	4640	qos.exe	qos.exe
PID 4640 wrote to memory of 4884	4640	qos.exe	qos.exe
PID 4640 wrote to memory of 4884	4640	qos.exe	qos.exe
PID 4640 wrote to memory of 4884	4640	qos.exe	qos.exe
PID 4640 wrote to memory of 4884	4640	qos.exe	qos.exe
PID 4640 wrote to memory of 4884	4640	qos.exe	qos.exe
PID 4640 wrote to memory of 4884	4640	qos.exe	qos.exe
PID 4640 wrote to memory of 4884	4640	qos.exe	qos.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\arvuijaizobunsvneavwwae.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\qos.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4876
    - - C:\Users\Admin\AppData\Roaming\qos.exe
        
        C:\Users\Admin\AppData\Roaming\qos.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4640
      - C:\Users\Admin\AppData\Roaming\qos.exe
        
        "C:\Users\Admin\AppData\Roaming\qos.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:4884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\arvuijaizobunsvneavwwae.vbs

Filesize
398B

MD5
8e2a1197a839a92a232ec1bc06a9cf69

SHA1
a501c184e874983afccbde838f3260dfb7d62527

SHA256
e10a418a00a6de27cf1c4b5e46f7543c290afc801835efa99b633ee3d75f7571

SHA512
26a35fa937a7d63f120b40331ed6370832d690d49b5cc0aa74350f9a7eaefa9f6433df6647ef5974a5de3ac055841166cf5543eb4002d831ecac05c3c896eaaf

Download Submit
C:\Users\Admin\AppData\Roaming\qos.exe

Filesize
1.3MB

MD5
d8e622d9974ee940831e507fac715c94

SHA1
7f6b6850c5146c6942148eae317387e5c85342ea

SHA256
7988fe75eb1abeac99917732c69e0de5e96137b5a8f471b4c8af2ef378505312

SHA512
6c5bd4dd4bfbb4c75bf392141446496473cf035ebfe6b70bdfe0278ec67ffbffdc4b9ba937ca80d5ef7ed80fa8ce6ca3ebd4e02821f155580377b503ed17a3d6

Download Submit
C:\Users\Admin\AppData\Roaming\qos.exe

Filesize
1.3MB

MD5
d8e622d9974ee940831e507fac715c94

SHA1
7f6b6850c5146c6942148eae317387e5c85342ea

SHA256
7988fe75eb1abeac99917732c69e0de5e96137b5a8f471b4c8af2ef378505312

SHA512
6c5bd4dd4bfbb4c75bf392141446496473cf035ebfe6b70bdfe0278ec67ffbffdc4b9ba937ca80d5ef7ed80fa8ce6ca3ebd4e02821f155580377b503ed17a3d6

Download Submit
C:\Users\Admin\AppData\Roaming\qos.exe

Filesize
1.3MB

MD5
d8e622d9974ee940831e507fac715c94

SHA1
7f6b6850c5146c6942148eae317387e5c85342ea

SHA256
7988fe75eb1abeac99917732c69e0de5e96137b5a8f471b4c8af2ef378505312

SHA512
6c5bd4dd4bfbb4c75bf392141446496473cf035ebfe6b70bdfe0278ec67ffbffdc4b9ba937ca80d5ef7ed80fa8ce6ca3ebd4e02821f155580377b503ed17a3d6

Download Submit
memory/2156-139-0x0000000005A80000-0x0000000005A90000-memory.dmp

Filesize
64KB

Download
memory/2156-137-0x0000000005A80000-0x0000000005A90000-memory.dmp

Filesize
64KB

Download
memory/2156-133-0x0000000000CF0000-0x0000000000E3A000-memory.dmp

Filesize
1.3MB

Download
memory/2156-140-0x00000000087E0000-0x000000000887C000-memory.dmp

Filesize
624KB

Download
memory/2156-134-0x0000000006040000-0x00000000065E4000-memory.dmp

Filesize
5.6MB

Download
memory/2156-135-0x0000000005B90000-0x0000000005C22000-memory.dmp

Filesize
584KB

Download
memory/2156-138-0x0000000008530000-0x00000000086D6000-memory.dmp

Filesize
1.6MB

Download
memory/2156-136-0x0000000005C30000-0x0000000005C3A000-memory.dmp

Filesize
40KB

Download
memory/4480-144-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4480-150-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4480-147-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4480-142-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4480-141-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4640-155-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/4640-156-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/4884-159-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4884-161-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4884-162-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4884-164-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4884-165-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4884-166-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4884-169-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads