remcos | 13dd11b3e53b4f4def0c6001cc53f4f045da686b185d8b0173596183e4304337

General

Target

Loops for ACID - The Fish Heads - Techno Synth Loops I.exe
Size

1.7MB
MD5

174186df70e4b6a5954b8e83d9b9c0ae
SHA1

4d8147d8be5e02e62bf6bce97847899a51175c63
SHA256

150aeb0ee665a8563dcd2a54ce11d4afa1ef4afd58b3ccd174de2e48279a3dea
SHA512

c1f2986d270d6aa39e874b9acad2054ffedae8db09d1e3a5adc5d3d39b20942ac29d6547c7cad0e2b6e045756b665d5de47067879bc2d0b2117bc64e0528c735
SSDEEP

24576:MvWQq7wCeR71MJtcYAe4nJn+InCfvnEUujLr6zOaeyUgC3W3UIKac3ucFSkkNMYL:Ulq0gJx4JnhnCX0Pr6zO/ICEKzqHcc

Score

10^/10

remcos usenet persistence rat

Malware Config

Extracted

Family

remcos

Version

2.4.7 Pro

Botnet

USENET

C2

ctbcbk.us:2404

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
sjn7z137u8193.exe
copy_folder
j7u82jio1
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
rem
keylog_path
%AppData%
mouse_option
false
mutex
USE72s-DE7MR0
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
shuu821k23k
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
electrum;wallet;bitcoin;crypto;exodus;bitcoin wallet;ethereum;advcash;authy;google authenticator

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\90i1ikosp09i12o\\0HdtykbaWWBu.exe\",explorer.exe"	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3168 set thread context of 992	3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe	86

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe
File opened for modification	C:\Windows\assembly	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe
File created	C:\Windows\assembly\Desktop.ini	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe
3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe
3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe
3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe
3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe
3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe
3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe
3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe
3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe
3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
992	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
992	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 3340	3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe	84
PID 3168 wrote to memory of 3340	3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe	84
PID 3168 wrote to memory of 3340	3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe	84
PID 3168 wrote to memory of 2032	3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe	85
PID 3168 wrote to memory of 2032	3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe	85
PID 3168 wrote to memory of 2032	3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe	85
PID 3168 wrote to memory of 992	3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe	86
PID 3168 wrote to memory of 992	3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe	86
PID 3168 wrote to memory of 992	3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe	86
PID 3168 wrote to memory of 992	3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe	86
PID 3168 wrote to memory of 992	3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe	86
PID 3168 wrote to memory of 992	3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe	86
PID 3168 wrote to memory of 992	3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe	86
PID 3168 wrote to memory of 992	3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe	86
PID 3168 wrote to memory of 992	3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe	86
PID 3168 wrote to memory of 992	3168	Loops for ACID - The Fish Heads - Techno Synth Loops I.exe	86

C:\Users\Admin\AppData\Local\Temp\Loops for ACID - The Fish Heads - Techno Synth Loops I.exe
"C:\Users\Admin\AppData\Local\Temp\Loops for ACID - The Fish Heads - Techno Synth Loops I.exe"
1⤵
- Modifies WinLogon for persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Users\Admin\AppData\Local\Temp\Loops for ACID - The Fish Heads - Techno Synth Loops I.exe
  "C:\Users\Admin\AppData\Local\Temp\Loops for ACID - The Fish Heads - Techno Synth Loops I.exe"
  2⤵
  PID:3340
- C:\Users\Admin\AppData\Local\Temp\Loops for ACID - The Fish Heads - Techno Synth Loops I.exe
  "C:\Users\Admin\AppData\Local\Temp\Loops for ACID - The Fish Heads - Techno Synth Loops I.exe"
  2⤵
  PID:2032
- C:\Users\Admin\AppData\Local\Temp\Loops for ACID - The Fish Heads - Techno Synth Loops I.exe
  "C:\Users\Admin\AppData\Local\Temp\Loops for ACID - The Fish Heads - Techno Synth Loops I.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\rem\logs.dat

Filesize
79B

MD5
c692c67e0ce9ae662a34746899dee809

SHA1
3c582ed89afcdf0681a7d4d8d31cb78da4b8268b

SHA256
ba864ba373c5d474ee097280413bc52d2f949ecd039d2179d80378761c848cf5

SHA512
5635250511fc5fa6ca933e24eca980dd00640c20a4b2f18ac2abcb6b144dec0fbcd0e8e473823f9f200668017a9bdf9c125a4cc94cd60db8b89b2a31cb1d614e

Download Submit
memory/992-139-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/992-141-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/992-142-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/992-144-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/992-145-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/992-147-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/992-149-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/992-151-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3168-133-0x00000000014A0000-0x00000000014B0000-memory.dmp

Filesize
64KB

Download
memory/3168-136-0x00000000014A0000-0x00000000014B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing