remcos | 6a43f8d13e49fac946dfcd323542f4f77a43c813c9d52a8273d5421f1049fa9e

General

Target

FedEx 0037811_UK_2023995286_pdf.exe
Size

475KB
MD5

d2f1d062bc9a850e6cfdf6e3c20c5bd2
SHA1

0365f94938094a7a2b5831080871cb077ea64585
SHA256

6a43f8d13e49fac946dfcd323542f4f77a43c813c9d52a8273d5421f1049fa9e
SHA512

86de1a34f4a9e9d9d0c117df0a9c5131eb3a3058a2deee18a23020c2875dfc10b1671f5fb14fcc842a54858b0f45564729e9cf1a3d5eef0506b4c1a5f5b5adb6
SSDEEP

12288:vY8QzGB54XUqsEeRYThzlP7G4J48ZyO4I2CqM:vY8oa6kueElyCgO4Ih

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

64.112.85.218:4888

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-5VAOMA
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Loads dropped DLL 1 IoCs

pid	Process
1400	FedEx 0037811_UK_2023995286_pdf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\tdmirnwgcluq = "C:\\Users\\Admin\\AppData\\Roaming\\rwgplupyien\\wscxhqmvfbkgpy.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\FedEx 0037811_UK_2023995286_pdf.e"	FedEx 0037811_UK_2023995286_pdf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1400 set thread context of 588	1400	FedEx 0037811_UK_2023995286_pdf.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1400	FedEx 0037811_UK_2023995286_pdf.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 588	1400	FedEx 0037811_UK_2023995286_pdf.exe	28
PID 1400 wrote to memory of 588	1400	FedEx 0037811_UK_2023995286_pdf.exe	28
PID 1400 wrote to memory of 588	1400	FedEx 0037811_UK_2023995286_pdf.exe	28
PID 1400 wrote to memory of 588	1400	FedEx 0037811_UK_2023995286_pdf.exe	28
PID 1400 wrote to memory of 588	1400	FedEx 0037811_UK_2023995286_pdf.exe	28

C:\Users\Admin\AppData\Local\Temp\FedEx 0037811_UK_2023995286_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\FedEx 0037811_UK_2023995286_pdf.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\AppData\Local\Temp\FedEx 0037811_UK_2023995286_pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\FedEx 0037811_UK_2023995286_pdf.exe"
  2⤵
  PID:588

Network

DNS

geoplugin.net

FedEx 0037811_UK_2023995286_pdf.exe

Remote address:

8.8.8.8:53

Request

geoplugin.net

IN A

Response

geoplugin.net

IN A

178.237.33.50
GET

http://geoplugin.net/json.gp

FedEx 0037811_UK_2023995286_pdf.exe

Remote address:

178.237.33.50:80

Request

GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

date: Fri, 05 May 2023 11:15:57 GMT
server: Apache
content-length: 930
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *

64.112.85.218:4888

tls

FedEx 0037811_UK_2023995286_pdf.exe

3.3kB
1.8kB
14
17
178.237.33.50:80

http://geoplugin.net/json.gp

http

FedEx 0037811_UK_2023995286_pdf.exe

577 B
2.4kB
11
4

HTTP Request

GET http://geoplugin.net/json.gp

HTTP Response

200

8.8.8.8:53

geoplugin.net

dns

FedEx 0037811_UK_2023995286_pdf.exe

59 B
75 B
1
1

DNS Request

geoplugin.net

DNS Response

178.237.33.50

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst74D5.tmp\yfmnzyw.dll

Filesize
12KB

MD5
f8bc5c1234fa8df202017a16f6089a8e

SHA1
2a01dbbd7a406233bf210715e8717ea3143be025

SHA256
613e951602b9f6453f8a2b8b152fced5d6927fec4ff6d18408196949b46c5cba

SHA512
32375aba9e43fe0f396d96886e3b695eb31be6e2c3594f5ac7db75a0bbb39996401c11aa41cd03fbb4126312bf7f5e7e93631dde3bb3789c71f4855f3a310379

Download Submit
\Users\Admin\AppData\Local\Temp\nst74D5.tmp\yfmnzyw.dll

Filesize
12KB

MD5
f8bc5c1234fa8df202017a16f6089a8e

SHA1
2a01dbbd7a406233bf210715e8717ea3143be025

SHA256
613e951602b9f6453f8a2b8b152fced5d6927fec4ff6d18408196949b46c5cba

SHA512
32375aba9e43fe0f396d96886e3b695eb31be6e2c3594f5ac7db75a0bbb39996401c11aa41cd03fbb4126312bf7f5e7e93631dde3bb3789c71f4855f3a310379

Download Submit
memory/588-77-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/588-89-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/588-66-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/588-67-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/588-68-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/588-69-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/588-70-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/588-71-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/588-72-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/588-74-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/588-75-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/588-76-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/588-64-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/588-97-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/588-84-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/588-81-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/588-82-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/588-83-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/588-79-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/588-86-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/588-87-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/588-88-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/588-78-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/588-91-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/588-92-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1400-62-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.