remcos | 7874d15ca173ee419b69c1ac2cae4eb6f158a8c1285b9bff7e59af840bed251e

General

Target

file.exe
Size

14KB
MD5

f503da8eee4e7cd822239110b488b08b
SHA1

f122b5169aaf28a0906b16255cb0e4490dcfd62e
SHA256

7874d15ca173ee419b69c1ac2cae4eb6f158a8c1285b9bff7e59af840bed251e
SHA512

9fa6fa5e0e78ecf94125584074a094625b6e61cdc6c46f5ec102a42d6ef5bf32446b4b7789e27efd250eb4c49c9b9c6f05961058017bcedd73a6ac62fa16fb9e
SSDEEP

384:N6P1J3MxbGglqBcpnHp//UeUB7Eb2eqJT:N6dkQBcLSB7Eb21t

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

pekonomiana.duckdns.org:30491

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%Temp%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-EORWFM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

file.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation file.exe
Executes dropped EXE 1 IoCs

Processes:

YY.exe

pid process

3664 YY.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

YY.exe

description pid process target process

PID 3664 set thread context of 3236 3664 YY.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

file.exe

description pid process

Token: SeDebugPrivilege 5084 file.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	file.exe

pid	process
3664	YY.exe

description	pid	process	target process
PID 3664 set thread context of 3236	3664	YY.exe	aspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	5084	file.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

file.execmd.exeYY.exe

description	pid	process	target process
PID 5084 wrote to memory of 3664	5084	file.exe	YY.exe
PID 5084 wrote to memory of 3664	5084	file.exe	YY.exe
PID 5084 wrote to memory of 3472	5084	file.exe	cmd.exe
PID 5084 wrote to memory of 3472	5084	file.exe	cmd.exe
PID 5084 wrote to memory of 3472	5084	file.exe	cmd.exe
PID 3472 wrote to memory of 1704	3472	cmd.exe	choice.exe
PID 3472 wrote to memory of 1704	3472	cmd.exe	choice.exe
PID 3472 wrote to memory of 1704	3472	cmd.exe	choice.exe
PID 3664 wrote to memory of 3236	3664	YY.exe	aspnet_compiler.exe
PID 3664 wrote to memory of 3236	3664	YY.exe	aspnet_compiler.exe
PID 3664 wrote to memory of 3236	3664	YY.exe	aspnet_compiler.exe
PID 3664 wrote to memory of 3236	3664	YY.exe	aspnet_compiler.exe
PID 3664 wrote to memory of 3236	3664	YY.exe	aspnet_compiler.exe
PID 3664 wrote to memory of 3236	3664	YY.exe	aspnet_compiler.exe
PID 3664 wrote to memory of 3236	3664	YY.exe	aspnet_compiler.exe
PID 3664 wrote to memory of 3236	3664	YY.exe	aspnet_compiler.exe
PID 3664 wrote to memory of 3236	3664	YY.exe	aspnet_compiler.exe
PID 3664 wrote to memory of 3236	3664	YY.exe	aspnet_compiler.exe
PID 3664 wrote to memory of 3236	3664	YY.exe	aspnet_compiler.exe
PID 3664 wrote to memory of 3236	3664	YY.exe	aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5084

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YY.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YY.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:3236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 1
3⤵
PID:1704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YY.exe
Filesize
512KB

MD5
5a01a667c84893b0ab403b39b3c73b53

SHA1
61e797ce7faf1a6eca4038b29aac0364fb61fba9

SHA256
c296470f0a24955e74c6695312974b6f7b32b89147368e84804b47f76d5befa3

SHA512
6879d03950b1244f4272859fc3db645aabaa2543015808afeec556f5438be6fd9ab562125b421e160aa61c69342bf2a730cdc3715c0bfaf450c20470d10c9336

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YY.exe
Filesize
512KB

MD5
5a01a667c84893b0ab403b39b3c73b53

SHA1
61e797ce7faf1a6eca4038b29aac0364fb61fba9

SHA256
c296470f0a24955e74c6695312974b6f7b32b89147368e84804b47f76d5befa3

SHA512
6879d03950b1244f4272859fc3db645aabaa2543015808afeec556f5438be6fd9ab562125b421e160aa61c69342bf2a730cdc3715c0bfaf450c20470d10c9336

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YY.exe
Filesize
512KB

MD5
5a01a667c84893b0ab403b39b3c73b53

SHA1
61e797ce7faf1a6eca4038b29aac0364fb61fba9

SHA256
c296470f0a24955e74c6695312974b6f7b32b89147368e84804b47f76d5befa3

SHA512
6879d03950b1244f4272859fc3db645aabaa2543015808afeec556f5438be6fd9ab562125b421e160aa61c69342bf2a730cdc3715c0bfaf450c20470d10c9336

Download Submit
memory/3236-162-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3236-157-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3236-167-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3236-166-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3236-149-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3236-151-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3236-152-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3236-153-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3236-154-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3236-155-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3236-156-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3236-165-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3236-158-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3236-160-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3236-161-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3236-164-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3236-163-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3664-148-0x0000025107C30000-0x0000025107CB4000-memory.dmp

Filesize
528KB

Download
memory/5084-133-0x00000000001F0000-0x00000000001FA000-memory.dmp

Filesize
40KB

Download
memory/5084-135-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/5084-134-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing