remcos | affea1453f9f47d6001811fd802e604e46fe94ecdb32da84ca21a3ed5db9b308

General

Target

08186cde92790a745f1e6fbf706fc800.exe
Size

534KB
MD5

08186cde92790a745f1e6fbf706fc800
SHA1

0addf8cf95aeca7e2a89705214a524a3510cd6e8
SHA256

affea1453f9f47d6001811fd802e604e46fe94ecdb32da84ca21a3ed5db9b308
SHA512

336f632356dde294f862f92346895920864d854af368662370fbf4d7f8a24624030cd7bf8ea5ff5edae845f2894c413126c81df634f38ce643ff5991ba6de7f0
SSDEEP

12288:gYLPT//O1jIugNmGwddIqFIIaYYXtdVgcyAU8VkSQ/:gYL7//ngGwd8YyzV/yJ8a

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

katruda.duckdns.org:1992

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-X13KDJ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
784	fkfoiuttz.exe
3044	fkfoiuttz.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ktdyiqmv = "C:\\Users\\Admin\\AppData\\Roaming\\mrbwgcluq\\ajfo.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\fkfoiuttz.exe\" C:\\Users\\Admin\\AppData\\Local\\T"	fkfoiuttz.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 784 set thread context of 3044	784	fkfoiuttz.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
784	fkfoiuttz.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3044	fkfoiuttz.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3044	fkfoiuttz.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 784	3516	08186cde92790a745f1e6fbf706fc800.exe	84
PID 3516 wrote to memory of 784	3516	08186cde92790a745f1e6fbf706fc800.exe	84
PID 3516 wrote to memory of 784	3516	08186cde92790a745f1e6fbf706fc800.exe	84
PID 784 wrote to memory of 3044	784	fkfoiuttz.exe	85
PID 784 wrote to memory of 3044	784	fkfoiuttz.exe	85
PID 784 wrote to memory of 3044	784	fkfoiuttz.exe	85
PID 784 wrote to memory of 3044	784	fkfoiuttz.exe	85

C:\Users\Admin\AppData\Local\Temp\08186cde92790a745f1e6fbf706fc800.exe
"C:\Users\Admin\AppData\Local\Temp\08186cde92790a745f1e6fbf706fc800.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Users\Admin\AppData\Local\Temp\fkfoiuttz.exe
  "C:\Users\Admin\AppData\Local\Temp\fkfoiuttz.exe" C:\Users\Admin\AppData\Local\Temp\lnfdr.x
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:784
- - C:\Users\Admin\AppData\Local\Temp\fkfoiuttz.exe
    "C:\Users\Admin\AppData\Local\Temp\fkfoiuttz.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fkfoiuttz.exe

Filesize
85KB

MD5
94d48df03ed7ae332cd9db6dd067e53d

SHA1
3219f686d4ab99bc8d8bbda247309c71b60496cc

SHA256
c7c8c0289c0d9a44f70c9347dbe9bf5207af98f051616238aa8c7b11cdd084b6

SHA512
036d340114d2e16075f0892ba19c12be7d097c77aa05e4f7217aea0df4c87141cbe50f17d4e735306ef7c876cbc912fc0d5dd4b7e18c43d39ac41d48c2a0afd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkfoiuttz.exe

Filesize
85KB

MD5
94d48df03ed7ae332cd9db6dd067e53d

SHA1
3219f686d4ab99bc8d8bbda247309c71b60496cc

SHA256
c7c8c0289c0d9a44f70c9347dbe9bf5207af98f051616238aa8c7b11cdd084b6

SHA512
036d340114d2e16075f0892ba19c12be7d097c77aa05e4f7217aea0df4c87141cbe50f17d4e735306ef7c876cbc912fc0d5dd4b7e18c43d39ac41d48c2a0afd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkfoiuttz.exe

Filesize
85KB

MD5
94d48df03ed7ae332cd9db6dd067e53d

SHA1
3219f686d4ab99bc8d8bbda247309c71b60496cc

SHA256
c7c8c0289c0d9a44f70c9347dbe9bf5207af98f051616238aa8c7b11cdd084b6

SHA512
036d340114d2e16075f0892ba19c12be7d097c77aa05e4f7217aea0df4c87141cbe50f17d4e735306ef7c876cbc912fc0d5dd4b7e18c43d39ac41d48c2a0afd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\lnfdr.x

Filesize
7KB

MD5
33a7472ed0b381860ff4adcd02eb750a

SHA1
88c75f57f025478163c55f54d5cd87181c990338

SHA256
c80092ebcd4f62b055961e131aca20cd1c59798b6b40545c19560bc159128df7

SHA512
c6514ce93db38f98567039db5af9b18b7ae49bfff6227777b79b8e58c74f7982e7510351dd2f58e4047335faef35f326b7bf4cfeb2036503ac44259ac1785deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mfzgtfkki.txd

Filesize
496KB

MD5
19dcf5f2bf834ac9965ebff8a5b61653

SHA1
0c7ab919fb2baf0d0358c04c5b4af6685bedfdc7

SHA256
37e040e667920eb0fd9c46f15abb1a920e4a21f9c5ee702df60ebc4d772e4b55

SHA512
8b96fe6fb9db944b160e3fccb3ab860abb9915c03818e4a62e9e87dfdb0341be9772033938c367601f095ef8e49fb4bbf5caebd8b6efd81b2af144c53a175d14

Download Submit
memory/784-160-0x0000000000500000-0x0000000000502000-memory.dmp

Filesize
8KB

Download
memory/784-144-0x0000000000500000-0x0000000000502000-memory.dmp

Filesize
8KB

Download
memory/3044-159-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-163-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-148-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-149-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-150-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-151-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-152-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-153-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-156-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-157-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-158-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-145-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-142-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-161-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-162-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-147-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-167-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-168-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-169-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-170-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-171-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-172-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-175-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-176-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-177-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-178-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-179-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-180-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-181-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing