remcos | 6e5973b1e3a446ad7ee5e1753db6043be6a2a1b3ecfa1e5062ba1d001511491f

Analysis

max time kernel
148s
max time network
136s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25-03-2023 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Halkbank_Ekstre_01.03 (1).exe
Size

525KB
MD5

96640a4799fe532df64ebde0a914567c
SHA1

5b8978b368104eb3ed79bfbb473790b9f18d4a83
SHA256

6e5973b1e3a446ad7ee5e1753db6043be6a2a1b3ecfa1e5062ba1d001511491f
SHA512

d827bb98f6965cb4ffe76cb45251273abf07fbaaf98e544970a87e37a58d339dd1b323211b965b07ae26e904a7d8990c375c28981c19535551ab001184a85409
SSDEEP

12288:KYTTJvONxFQl3Hlhv8RWSGl9bOKMRTBI4A2Cpvb+TviXl0gpxX:KYTTxObqlVhEPOVOKMRTQVb+TKXl0gp5

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

127.0.0.1:55898

185.65.134.167:55898

10.15.0.18:55898

180.214.238.18:55898

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-41LT1T
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

dnzct.exednzct.exe

pid process

2024 dnzct.exe
1692 dnzct.exe
Loads dropped DLL 3 IoCs

Processes:

Halkbank_Ekstre_01.03 (1).exednzct.exe

pid process

816 Halkbank_Ekstre_01.03 (1).exe
816 Halkbank_Ekstre_01.03 (1).exe
2024 dnzct.exe

pid	process
2024	dnzct.exe
1692	dnzct.exe

pid	process
816	Halkbank_Ekstre_01.03 (1).exe
816	Halkbank_Ekstre_01.03 (1).exe
2024	dnzct.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dnzct.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\mvrbkgpyt = "C:\\Users\\Admin\\AppData\\Roaming\\ibwgclu\\pyienjscxhq.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dnzct.exe\" C:\\Users\\Admin\\AppData\\Local\\"	dnzct.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

dnzct.exe

description pid process target process

PID 2024 set thread context of 1692 2024 dnzct.exe dnzct.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

dnzct.exe

pid process

2024 dnzct.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dnzct.exe

pid process

1692 dnzct.exe

description	pid	process	target process
PID 2024 set thread context of 1692	2024	dnzct.exe	dnzct.exe

pid	process
2024	dnzct.exe

pid	process
1692	dnzct.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Halkbank_Ekstre_01.03 (1).exednzct.exe

description	pid	process	target process
PID 816 wrote to memory of 2024	816	Halkbank_Ekstre_01.03 (1).exe	dnzct.exe
PID 816 wrote to memory of 2024	816	Halkbank_Ekstre_01.03 (1).exe	dnzct.exe
PID 816 wrote to memory of 2024	816	Halkbank_Ekstre_01.03 (1).exe	dnzct.exe
PID 816 wrote to memory of 2024	816	Halkbank_Ekstre_01.03 (1).exe	dnzct.exe
PID 2024 wrote to memory of 1692	2024	dnzct.exe	dnzct.exe
PID 2024 wrote to memory of 1692	2024	dnzct.exe	dnzct.exe
PID 2024 wrote to memory of 1692	2024	dnzct.exe	dnzct.exe
PID 2024 wrote to memory of 1692	2024	dnzct.exe	dnzct.exe
PID 2024 wrote to memory of 1692	2024	dnzct.exe	dnzct.exe

C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_01.03 (1).exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_01.03 (1).exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\AppData\Local\Temp\dnzct.exe
"C:\Users\Admin\AppData\Local\Temp\dnzct.exe" C:\Users\Admin\AppData\Local\Temp\heltmtguyf.z
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\dnzct.exe
"C:\Users\Admin\AppData\Local\Temp\dnzct.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
ee905f6e35ad6908b4e297558ceae797

SHA1
c7edc2bb177e35abe946bcaf8c20c3f20f6106b6

SHA256
af051e6fb06dfdd56c25b25d6c96a8f64bfc2ca34eb1351949e720042dc79b6d

SHA512
6cf722d00aeb4e2ff291a8cf0fd8748dfa3761497fed9ef4c94045e7e4e9ba508515ff1745e3d842bb12854884261d4fa9dd028809d1dcf6efd8ba2c35f38783

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnzct.exe
Filesize
85KB

MD5
e392c200a94e1e654d6f9bfc018f113f

SHA1
efe92e8b1da6cd6a3738b7c116405212e1561d19

SHA256
f62474d4e95f6ff3421f1c22e8a71b4b48b2afbc0fc54cb24481de76d5a42616

SHA512
bc72f0257f72351a9945a3f5cb54c14b9a2534af8aadfb0137326afa46eafa5d23aa3d844c575bcd26b9c2b9180b9029051f1b3b7b79176b08de8f2ca06d500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnzct.exe
Filesize
85KB

MD5
e392c200a94e1e654d6f9bfc018f113f

SHA1
efe92e8b1da6cd6a3738b7c116405212e1561d19

SHA256
f62474d4e95f6ff3421f1c22e8a71b4b48b2afbc0fc54cb24481de76d5a42616

SHA512
bc72f0257f72351a9945a3f5cb54c14b9a2534af8aadfb0137326afa46eafa5d23aa3d844c575bcd26b9c2b9180b9029051f1b3b7b79176b08de8f2ca06d500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnzct.exe
Filesize
85KB

MD5
e392c200a94e1e654d6f9bfc018f113f

SHA1
efe92e8b1da6cd6a3738b7c116405212e1561d19

SHA256
f62474d4e95f6ff3421f1c22e8a71b4b48b2afbc0fc54cb24481de76d5a42616

SHA512
bc72f0257f72351a9945a3f5cb54c14b9a2534af8aadfb0137326afa46eafa5d23aa3d844c575bcd26b9c2b9180b9029051f1b3b7b79176b08de8f2ca06d500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnzct.exe
Filesize
85KB

MD5
e392c200a94e1e654d6f9bfc018f113f

SHA1
efe92e8b1da6cd6a3738b7c116405212e1561d19

SHA256
f62474d4e95f6ff3421f1c22e8a71b4b48b2afbc0fc54cb24481de76d5a42616

SHA512
bc72f0257f72351a9945a3f5cb54c14b9a2534af8aadfb0137326afa46eafa5d23aa3d844c575bcd26b9c2b9180b9029051f1b3b7b79176b08de8f2ca06d500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\heltmtguyf.z
Filesize
7KB

MD5
3dd2a19c4ba9e71e2bfdaf29b42f55de

SHA1
cfcb1050c7157ca02c80407bc69bdce3fdd76528

SHA256
ef6f26306ec3070342dfed59428da21eb2a4948ef010a126441d92aec38d1491

SHA512
11406303c30f6d8ec0586d9a91cad3f23d860cbe9c0cc9f3edae46916313d107f6d96c74b3c59527c2ca9d98c2364150e4d913e0d7ea2b34a92bc46365f40926

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgsxtlwhbcy.gge
Filesize
496KB

MD5
ca773195df4f76627b6e1ec87866f60e

SHA1
f6bf8ec80563827454da20721ec37c00aed6a718

SHA256
df31595ab522440e50a5f0db1207f795f4e38cd1294c22ccbf9dd6625f540b3f

SHA512
79aabb52af1b00ffc4b49beb1a5c88c99ff983b49b4e75cc7879398becf6d1faba466d8f9f4f48f7353b02f4fc1981ef5046939ee0dec8f0570546b1f8dc3205

Download Submit
\Users\Admin\AppData\Local\Temp\dnzct.exe
Filesize
85KB

MD5
e392c200a94e1e654d6f9bfc018f113f

SHA1
efe92e8b1da6cd6a3738b7c116405212e1561d19

SHA256
f62474d4e95f6ff3421f1c22e8a71b4b48b2afbc0fc54cb24481de76d5a42616

SHA512
bc72f0257f72351a9945a3f5cb54c14b9a2534af8aadfb0137326afa46eafa5d23aa3d844c575bcd26b9c2b9180b9029051f1b3b7b79176b08de8f2ca06d500c

Download Submit
\Users\Admin\AppData\Local\Temp\dnzct.exe
Filesize
85KB

MD5
e392c200a94e1e654d6f9bfc018f113f

SHA1
efe92e8b1da6cd6a3738b7c116405212e1561d19

SHA256
f62474d4e95f6ff3421f1c22e8a71b4b48b2afbc0fc54cb24481de76d5a42616

SHA512
bc72f0257f72351a9945a3f5cb54c14b9a2534af8aadfb0137326afa46eafa5d23aa3d844c575bcd26b9c2b9180b9029051f1b3b7b79176b08de8f2ca06d500c

Download Submit
\Users\Admin\AppData\Local\Temp\dnzct.exe
Filesize
85KB

MD5
e392c200a94e1e654d6f9bfc018f113f

SHA1
efe92e8b1da6cd6a3738b7c116405212e1561d19

SHA256
f62474d4e95f6ff3421f1c22e8a71b4b48b2afbc0fc54cb24481de76d5a42616

SHA512
bc72f0257f72351a9945a3f5cb54c14b9a2534af8aadfb0137326afa46eafa5d23aa3d844c575bcd26b9c2b9180b9029051f1b3b7b79176b08de8f2ca06d500c

Download Submit
memory/1692-89-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-99-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-76-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-77-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-78-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-79-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-80-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-83-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-86-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-87-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-72-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-69-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-92-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-95-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-97-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-74-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-100-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-101-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-105-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-107-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-110-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-111-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-115-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-118-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-121-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-122-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-125-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-128-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-131-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-132-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-136-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download