remcos | 44a755ff3e39ab7289f79d9073d7658441fa45711ae53aaeffc86c587f4285f5

General

Target

6e5973b1e3a446ad7ee5e1753db6043be6a2a1b3ecfa1e5062ba1d001511491f.exe
Size

525KB
MD5

96640a4799fe532df64ebde0a914567c
SHA1

5b8978b368104eb3ed79bfbb473790b9f18d4a83
SHA256

6e5973b1e3a446ad7ee5e1753db6043be6a2a1b3ecfa1e5062ba1d001511491f
SHA512

d827bb98f6965cb4ffe76cb45251273abf07fbaaf98e544970a87e37a58d339dd1b323211b965b07ae26e904a7d8990c375c28981c19535551ab001184a85409
SSDEEP

12288:KYTTJvONxFQl3Hlhv8RWSGl9bOKMRTBI4A2Cpvb+TviXl0gpxX:KYTTxObqlVhEPOVOKMRTQVb+TKXl0gp5

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:55898

185.65.134.167:55898

10.15.0.18:55898

180.214.238.18:55898

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-41LT1T
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

dnzct.exednzct.exe

pid process

1464 dnzct.exe
1008 dnzct.exe

pid	process
1464	dnzct.exe
1008	dnzct.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dnzct.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mvrbkgpyt = "C:\\Users\\Admin\\AppData\\Roaming\\ibwgclu\\pyienjscxhq.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dnzct.exe\" C:\\Users\\Admin\\AppData\\Local\\"	dnzct.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

dnzct.exe

description pid process target process

PID 1464 set thread context of 1008 1464 dnzct.exe dnzct.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

dnzct.exe

pid process

1464 dnzct.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dnzct.exe

pid process

1008 dnzct.exe

description	pid	process	target process
PID 1464 set thread context of 1008	1464	dnzct.exe	dnzct.exe

pid	process
1464	dnzct.exe

pid	process
1008	dnzct.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

6e5973b1e3a446ad7ee5e1753db6043be6a2a1b3ecfa1e5062ba1d001511491f.exednzct.exe

description	pid	process	target process
PID 3812 wrote to memory of 1464	3812	6e5973b1e3a446ad7ee5e1753db6043be6a2a1b3ecfa1e5062ba1d001511491f.exe	dnzct.exe
PID 3812 wrote to memory of 1464	3812	6e5973b1e3a446ad7ee5e1753db6043be6a2a1b3ecfa1e5062ba1d001511491f.exe	dnzct.exe
PID 3812 wrote to memory of 1464	3812	6e5973b1e3a446ad7ee5e1753db6043be6a2a1b3ecfa1e5062ba1d001511491f.exe	dnzct.exe
PID 1464 wrote to memory of 1008	1464	dnzct.exe	dnzct.exe
PID 1464 wrote to memory of 1008	1464	dnzct.exe	dnzct.exe
PID 1464 wrote to memory of 1008	1464	dnzct.exe	dnzct.exe
PID 1464 wrote to memory of 1008	1464	dnzct.exe	dnzct.exe

C:\Users\Admin\AppData\Local\Temp\6e5973b1e3a446ad7ee5e1753db6043be6a2a1b3ecfa1e5062ba1d001511491f.exe
"C:\Users\Admin\AppData\Local\Temp\6e5973b1e3a446ad7ee5e1753db6043be6a2a1b3ecfa1e5062ba1d001511491f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3812

C:\Users\Admin\AppData\Local\Temp\dnzct.exe
"C:\Users\Admin\AppData\Local\Temp\dnzct.exe" C:\Users\Admin\AppData\Local\Temp\heltmtguyf.z
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Local\Temp\dnzct.exe
"C:\Users\Admin\AppData\Local\Temp\dnzct.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
6bfd99f59ff40f9a4d867bc06d99db86

SHA1
65f7f6db202b4cd613d6a16eaadcee14bab85dad

SHA256
6783a9f60b5ed4c7e9d231930b9b61d2fd497f80e389e0ca1089539c417b7fa2

SHA512
17035e3c6ea545cf4cbdb6caab3293099e71ef20a4b545e6690d6fc6db8316eedf97aacc882384c80451bf3f488d554bb59782e4f6bef1b5cab02a3cbc18a2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnzct.exe
Filesize
85KB

MD5
e392c200a94e1e654d6f9bfc018f113f

SHA1
efe92e8b1da6cd6a3738b7c116405212e1561d19

SHA256
f62474d4e95f6ff3421f1c22e8a71b4b48b2afbc0fc54cb24481de76d5a42616

SHA512
bc72f0257f72351a9945a3f5cb54c14b9a2534af8aadfb0137326afa46eafa5d23aa3d844c575bcd26b9c2b9180b9029051f1b3b7b79176b08de8f2ca06d500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnzct.exe
Filesize
85KB

MD5
e392c200a94e1e654d6f9bfc018f113f

SHA1
efe92e8b1da6cd6a3738b7c116405212e1561d19

SHA256
f62474d4e95f6ff3421f1c22e8a71b4b48b2afbc0fc54cb24481de76d5a42616

SHA512
bc72f0257f72351a9945a3f5cb54c14b9a2534af8aadfb0137326afa46eafa5d23aa3d844c575bcd26b9c2b9180b9029051f1b3b7b79176b08de8f2ca06d500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnzct.exe
Filesize
85KB

MD5
e392c200a94e1e654d6f9bfc018f113f

SHA1
efe92e8b1da6cd6a3738b7c116405212e1561d19

SHA256
f62474d4e95f6ff3421f1c22e8a71b4b48b2afbc0fc54cb24481de76d5a42616

SHA512
bc72f0257f72351a9945a3f5cb54c14b9a2534af8aadfb0137326afa46eafa5d23aa3d844c575bcd26b9c2b9180b9029051f1b3b7b79176b08de8f2ca06d500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\heltmtguyf.z
Filesize
7KB

MD5
3dd2a19c4ba9e71e2bfdaf29b42f55de

SHA1
cfcb1050c7157ca02c80407bc69bdce3fdd76528

SHA256
ef6f26306ec3070342dfed59428da21eb2a4948ef010a126441d92aec38d1491

SHA512
11406303c30f6d8ec0586d9a91cad3f23d860cbe9c0cc9f3edae46916313d107f6d96c74b3c59527c2ca9d98c2364150e4d913e0d7ea2b34a92bc46365f40926

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgsxtlwhbcy.gge
Filesize
496KB

MD5
ca773195df4f76627b6e1ec87866f60e

SHA1
f6bf8ec80563827454da20721ec37c00aed6a718

SHA256
df31595ab522440e50a5f0db1207f795f4e38cd1294c22ccbf9dd6625f540b3f

SHA512
79aabb52af1b00ffc4b49beb1a5c88c99ff983b49b4e75cc7879398becf6d1faba466d8f9f4f48f7353b02f4fc1981ef5046939ee0dec8f0570546b1f8dc3205

Download Submit
memory/1008-169-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-174-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-146-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-148-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-150-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-151-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-152-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-153-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-154-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-157-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-160-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-162-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-143-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-165-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-212-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-170-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-173-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-145-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-175-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-177-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-179-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-182-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-183-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-184-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-187-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-192-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-194-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-195-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-197-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-200-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-203-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-205-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-206-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1008-209-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1464-140-0x00000000005D0000-0x00000000005D2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing