remcos | 0ca246e6325bfa1bd4aa4f743a259d4c3553a316a44665a5a21d5d5132b893c0

Resubmissions

10-10-2023 23:09

231010-25ft4aah69 10

26-03-2023 02:21

230326-cs245ahc2t 10

19-01-2023 16:02

230119-tgvpcage62 10

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2023 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tloader (1).exe
Size

1.5MB
MD5

839e1f8705362603a1dcbb5adfe6d6e1
SHA1

9a96746b27945440c362402b161daac34ce00a84
SHA256

0ca246e6325bfa1bd4aa4f743a259d4c3553a316a44665a5a21d5d5132b893c0
SHA512

1e1a294c21f22f8c1b1ed94cd30a3316f4dee2371ad3dc9b1dd1026955b87fdbd34b6295322a653b9fe6e6f3283b3f7bb5fe56c942e51d0a2b0983f8adda42e5
SSDEEP

24576:/pBtKkpXwKPHp0EVWnqMKMklXZ8N7Y5jQoLOnrq/aCVXcA9:9TdvMKMklXSN7YDOrqyCVXv9

Score

10^/10

remcos thorami-v5 rat

Malware Config

Extracted

Family

remcos

Botnet

thorami-v5

rlbotz.duckdns.org:2404

80.76.51.46:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
update.exe
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
furog.dat
keylog_flag
false
mouse_option
false
mutex
Rvhugures-AM08A0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
nupdat
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tloader (1).exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	tloader (1).exe

Executes dropped EXE 1 IoCs

Processes:

fon gehewico.exe

pid process

3716 fon gehewico.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3204 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1500 PING.EXE

pid	process
3716	fon gehewico.exe

pid	process
3204	schtasks.exe

pid	process
1500	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

tloader (1).exefon gehewico.exe

pid	process
5012	tloader (1).exe
5012	tloader (1).exe
5012	tloader (1).exe
5012	tloader (1).exe
5012	tloader (1).exe
5012	tloader (1).exe
5012	tloader (1).exe
5012	tloader (1).exe
5012	tloader (1).exe
5012	tloader (1).exe
3716	fon gehewico.exe
3716	fon gehewico.exe
3716	fon gehewico.exe
3716	fon gehewico.exe
3716	fon gehewico.exe
3716	fon gehewico.exe
3716	fon gehewico.exe
3716	fon gehewico.exe
3716	fon gehewico.exe
3716	fon gehewico.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

fon gehewico.exe

pid process

3716 fon gehewico.exe

pid	process
3716	fon gehewico.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

tloader (1).execmd.exe

description	pid	process	target process
PID 5012 wrote to memory of 3204	5012	tloader (1).exe	schtasks.exe
PID 5012 wrote to memory of 3204	5012	tloader (1).exe	schtasks.exe
PID 5012 wrote to memory of 3204	5012	tloader (1).exe	schtasks.exe
PID 5012 wrote to memory of 3716	5012	tloader (1).exe	fon gehewico.exe
PID 5012 wrote to memory of 3716	5012	tloader (1).exe	fon gehewico.exe
PID 5012 wrote to memory of 3716	5012	tloader (1).exe	fon gehewico.exe
PID 5012 wrote to memory of 3332	5012	tloader (1).exe	cmd.exe
PID 5012 wrote to memory of 3332	5012	tloader (1).exe	cmd.exe
PID 5012 wrote to memory of 3332	5012	tloader (1).exe	cmd.exe
PID 3332 wrote to memory of 3316	3332	cmd.exe	chcp.com
PID 3332 wrote to memory of 3316	3332	cmd.exe	chcp.com
PID 3332 wrote to memory of 3316	3332	cmd.exe	chcp.com
PID 3332 wrote to memory of 1500	3332	cmd.exe	PING.EXE
PID 3332 wrote to memory of 1500	3332	cmd.exe	PING.EXE
PID 3332 wrote to memory of 1500	3332	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\tloader (1).exe
"C:\Users\Admin\AppData\Local\Temp\tloader (1).exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Nosix kem pepij\fon gehewico.exe"
  2⤵
  - Creates scheduled task(s)
  PID:3204
- C:\Users\Admin\Nosix kem pepij\fon gehewico.exe
  "C:\Users\Admin\Nosix kem pepij\fon gehewico.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3716
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\tloader (1).exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:3316
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Nosix kem pepij\fon gehewico.exe

Filesize
740.9MB

MD5
ebbc56149ff171a686c0d309a56ff663

SHA1
d996578cf05fec9c3ffc01ef81542169e25b6b71

SHA256
453f14d70bf1766ac42f156f1c790ffa3be46c9bdc08bcbe1d0135fe696f3216

SHA512
3d391fcf020a2d36066a23f978c5460554fd85f2e2f499b9e9bb53ae0b2cec8453b6138e8c11763a4cab886b482b8623125abc10f52e90d7090d3573b0fd17f8

Download Submit
C:\Users\Admin\Nosix kem pepij\fon gehewico.exe

Filesize
707.6MB

MD5
fd30775feaebde53ecae86481410ddf0

SHA1
f19ada97b9007521ac4e2d4169a7a3f7f66e2d19

SHA256
b487b5b9e035c824a8b97388bdb6e348b1ed3ceee5a97b4f3acbf30bd17662c5

SHA512
09a089e484c6e336258ff3f4fdd5b802e7b9970eb53ee22e0fcdf2329b816891ef5e0cfb20ea929fdba4656a591e464e5c60c0f45b1e8c98e7e8a5d6f2a899c3

Download Submit
C:\Users\Admin\Nosix kem pepij\fon gehewico.exe

Filesize
699.1MB

MD5
5dfcc6bbf26fcfd0d3f88658dcaf1ec9

SHA1
1d16280edd85386b0b57c0d8ac04848a82545555

SHA256
0ff8843a9b1fa3e963bb3da4417d2dd8a155b87d8b512b52c08850bb2997af33

SHA512
7ca0f5c5d84052236e36b7512c3298f8b279cc743f15dd70b80be0aede74618d9a486c52129ad39a914f8678a2ceef6cb3ff9bf13f076102fd4d860af28d2b77

Download Submit
memory/3716-145-0x0000000002360000-0x00000000024D0000-memory.dmp

Filesize
1.4MB

Download
memory/3716-146-0x000000000B1E0000-0x000000000B732000-memory.dmp

Filesize
5.3MB

Download
memory/3716-147-0x0000000002360000-0x00000000024D0000-memory.dmp

Filesize
1.4MB

Download
memory/3716-148-0x000000000B150000-0x000000000B1CF000-memory.dmp

Filesize
508KB

Download
memory/5012-133-0x0000000002420000-0x0000000002590000-memory.dmp

Filesize
1.4MB

Download
memory/5012-140-0x0000000002420000-0x0000000002590000-memory.dmp

Filesize
1.4MB

Download
memory/5012-144-0x0000000002420000-0x0000000002590000-memory.dmp

Filesize
1.4MB

Download