remcos | 51253ebd215a9f0a66fe8a5aa65ae58885570f71437415fef49f8d2cd5232998

General

Target

unpaced.exe
Size

128KB
MD5

c352c288a3dd998102ee306ad1c26e10
SHA1

901a35d85e7bf23fe3e8956a61ddbc6ffe293efb
SHA256

51253ebd215a9f0a66fe8a5aa65ae58885570f71437415fef49f8d2cd5232998
SHA512

4d60fee342676b10da77c64e1869b1022e2d5948d9e58435e489c433bef909e82a363e384f5c85ad2532034bd783e848386f8991e5b1cd95cf0b346dc468228a
SSDEEP

3072:mFh1qaSs6IF9OK4b80S2Van4Va1cpcQjed5OzqhUha:Ch1qn3IF9Obbj/a1cpcQjeHOzqhUh

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

RemoteHost

C2

bekleyen.myq-see.com:2424

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
VLC.exe
copy_folder
VLC
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-001UHE
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

unpaced.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	unpaced.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

Processes:

VLC.exe

pid process

3024 VLC.exe

pid	process
3024	VLC.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

unpaced.exeVLC.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Run\	unpaced.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\VLC\\VLC.exe\""	unpaced.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Run\	VLC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\VLC\\VLC.exe\""	VLC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

unpaced.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings unpaced.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

VLC.exe

pid process

3024 VLC.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	unpaced.exe

pid	process
3024	VLC.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

unpaced.exeWScript.execmd.exe

description	pid	process	target process
PID 4400 wrote to memory of 1616	4400	unpaced.exe	WScript.exe
PID 4400 wrote to memory of 1616	4400	unpaced.exe	WScript.exe
PID 4400 wrote to memory of 1616	4400	unpaced.exe	WScript.exe
PID 1616 wrote to memory of 3876	1616	WScript.exe	cmd.exe
PID 1616 wrote to memory of 3876	1616	WScript.exe	cmd.exe
PID 1616 wrote to memory of 3876	1616	WScript.exe	cmd.exe
PID 3876 wrote to memory of 3024	3876	cmd.exe	VLC.exe
PID 3876 wrote to memory of 3024	3876	cmd.exe	VLC.exe
PID 3876 wrote to memory of 3024	3876	cmd.exe	VLC.exe

C:\Users\Admin\AppData\Local\Temp\unpaced.exe
"C:\Users\Admin\AppData\Local\Temp\unpaced.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\VLC\VLC.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3876

C:\Users\Admin\AppData\Roaming\VLC\VLC.exe
C:\Users\Admin\AppData\Roaming\VLC\VLC.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize
406B

MD5
854219cc98e5b2481c851446afe79605

SHA1
2423fce3defedf02f7cb8af374f92b78f4bd22f9

SHA256
db79feef63151ee105d5cb255d847df5f09b987db10b4015410a7db35bf76a7f

SHA512
32c16b720c94f800f4513a78be858d92d7fd85aa6cf450408e68cf78b64948f3d3b50e343e2c215234b5404de25be76619b2ac083dfe6b2d0a06bb6c4fedad80

Download Submit
C:\Users\Admin\AppData\Roaming\VLC\VLC.exe
Filesize
128KB

MD5
c352c288a3dd998102ee306ad1c26e10

SHA1
901a35d85e7bf23fe3e8956a61ddbc6ffe293efb

SHA256
51253ebd215a9f0a66fe8a5aa65ae58885570f71437415fef49f8d2cd5232998

SHA512
4d60fee342676b10da77c64e1869b1022e2d5948d9e58435e489c433bef909e82a363e384f5c85ad2532034bd783e848386f8991e5b1cd95cf0b346dc468228a

Download Submit
C:\Users\Admin\AppData\Roaming\VLC\VLC.exe
Filesize
128KB

MD5
c352c288a3dd998102ee306ad1c26e10

SHA1
901a35d85e7bf23fe3e8956a61ddbc6ffe293efb

SHA256
51253ebd215a9f0a66fe8a5aa65ae58885570f71437415fef49f8d2cd5232998

SHA512
4d60fee342676b10da77c64e1869b1022e2d5948d9e58435e489c433bef909e82a363e384f5c85ad2532034bd783e848386f8991e5b1cd95cf0b346dc468228a

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat
Filesize
74B

MD5
fcee623a5403212f5efddcfb70313edb

SHA1
9f718815228fe119573b2d843cba3f98ba660493

SHA256
64f8f818a5645603fac6706c9eff2049cb89c2ad96f986ec58881ad202e9cff9

SHA512
a5ad57d0b3af22edd132f73e9c7830305507c74a0dd04864bc357289443c106c569f5525166d5cedee0c4156eb23e87edea781d264a95a9ae65f691cb760a088

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads