remcos | 09fbc9ef18c64027c5bf9b1a89d46e2561e0eabc77f3fe1e22c39244a017370a

General

Target

Πληρωμή298434801TT.rtf
Size

32KB
MD5

9cb89bef1811eba255e7b7031218a10f
SHA1

57e58bf2ea5da5130aa375928bb366d0cabcb09f
SHA256

09fbc9ef18c64027c5bf9b1a89d46e2561e0eabc77f3fe1e22c39244a017370a
SHA512

1afd4e122fc4286d5f4fb4e4ccbcd3c7698a871d31f7bace0efce265d42bbe0bb7244128488ec15e24076e382cdfcc9276502ab0d504d71ff3bf5f242a70efd1
SSDEEP

768:vFx0XaIsnPRIa4fwJMPJ12uTyXpcdRbb3vgPcxOSKVuT:vf0Xvx3EMv/uXpcLLvMEZT

Score

10^/10

remcos htfruning rat

Malware Config

Extracted

Family

remcos

Botnet

Htfruning

C2

seanblacin.sytes.net:6110

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
htfruning.exe
copy_folder
Htfruning
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
htfruning
mouse_option
false
mutex
Rmc-BIDEV2
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2324	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3044	plugmperier457846.exe
2708	plugmperier457846.exe

Loads dropped DLL 1 IoCs

pid	Process
2324	EQNEDT32.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3044 set thread context of 2708	3044	plugmperier457846.exe	34

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2324	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2216	WINWORD.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2216	WINWORD.EXE
2216	WINWORD.EXE
2708	plugmperier457846.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 3044	2324	EQNEDT32.EXE	30
PID 2324 wrote to memory of 3044	2324	EQNEDT32.EXE	30
PID 2324 wrote to memory of 3044	2324	EQNEDT32.EXE	30
PID 2324 wrote to memory of 3044	2324	EQNEDT32.EXE	30
PID 2216 wrote to memory of 2820	2216	WINWORD.EXE	33
PID 2216 wrote to memory of 2820	2216	WINWORD.EXE	33
PID 2216 wrote to memory of 2820	2216	WINWORD.EXE	33
PID 2216 wrote to memory of 2820	2216	WINWORD.EXE	33
PID 3044 wrote to memory of 2708	3044	plugmperier457846.exe	34
PID 3044 wrote to memory of 2708	3044	plugmperier457846.exe	34
PID 3044 wrote to memory of 2708	3044	plugmperier457846.exe	34
PID 3044 wrote to memory of 2708	3044	plugmperier457846.exe	34
PID 3044 wrote to memory of 2708	3044	plugmperier457846.exe	34
PID 3044 wrote to memory of 2708	3044	plugmperier457846.exe	34
PID 3044 wrote to memory of 2708	3044	plugmperier457846.exe	34
PID 3044 wrote to memory of 2708	3044	plugmperier457846.exe	34
PID 3044 wrote to memory of 2708	3044	plugmperier457846.exe	34
PID 3044 wrote to memory of 2708	3044	plugmperier457846.exe	34
PID 3044 wrote to memory of 2708	3044	plugmperier457846.exe	34
PID 3044 wrote to memory of 2708	3044	plugmperier457846.exe	34
PID 3044 wrote to memory of 2708	3044	plugmperier457846.exe	34

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Πληρωμή298434801TT.rtf"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2820

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Roaming\plugmperier457846.exe
  "C:\Users\Admin\AppData\Roaming\plugmperier457846.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Roaming\plugmperier457846.exe
    "C:\Users\Admin\AppData\Roaming\plugmperier457846.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\htfruning\logs.dat

Filesize
234B

MD5
798db62c32e1a4d683ceeedb27889a39

SHA1
b91ae393062ef28f49eda72c038132d40a3c524a

SHA256
bdd7a93b14ce12d391a3041a3443d9bcff4729fb7ebcb584fb389d65aed78881

SHA512
450ace0979c74c426587e21a7d51d8580ee390f70f4008daca4255bc2340c3a25889e397e4c7a88eeff97e67a6b1dbaf00d46aa1aa9b6969e48dae6d38a8bc1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
9674269d1bc66fa59b040a0b94ffe96a

SHA1
7e295dbb45fddbd115450aecc506361f230f5fd2

SHA256
eddaf9af82fa6ebf250830858be93540616a2720195604d56399d4985c1249d1

SHA512
34947b85da0ca4f1e0dc58dd8014e943bd5ef8f2fa9a39e66086d6f6485768f8a1b033551e164153b8fb59abe20de71f4ddcbc4671aaf7293f80571b9b96f5a5

Download Submit
C:\Users\Admin\AppData\Roaming\plugmperier457846.exe

Filesize
917KB

MD5
53c2300cd80cc19026ff56c95835ecc9

SHA1
f66b14b681aa9d71a884930fd5c6dc79fdbb0400

SHA256
99ed6e63a6e0562da0a4accc3c868a50a04e5c4f7757c99808eddf6979b84587

SHA512
38c4a03c1433977199bf938352df964e3976a197810d8a728e01d58ab2e7e356f0e866f96bf68b195d14c5949a30de397fb8adbee0b3642305c42f0fb3712954

Download Submit
C:\Users\Admin\AppData\Roaming\plugmperier457846.exe

Filesize
917KB

MD5
53c2300cd80cc19026ff56c95835ecc9

SHA1
f66b14b681aa9d71a884930fd5c6dc79fdbb0400

SHA256
99ed6e63a6e0562da0a4accc3c868a50a04e5c4f7757c99808eddf6979b84587

SHA512
38c4a03c1433977199bf938352df964e3976a197810d8a728e01d58ab2e7e356f0e866f96bf68b195d14c5949a30de397fb8adbee0b3642305c42f0fb3712954

Download Submit
C:\Users\Admin\AppData\Roaming\plugmperier457846.exe

Filesize
917KB

MD5
53c2300cd80cc19026ff56c95835ecc9

SHA1
f66b14b681aa9d71a884930fd5c6dc79fdbb0400

SHA256
99ed6e63a6e0562da0a4accc3c868a50a04e5c4f7757c99808eddf6979b84587

SHA512
38c4a03c1433977199bf938352df964e3976a197810d8a728e01d58ab2e7e356f0e866f96bf68b195d14c5949a30de397fb8adbee0b3642305c42f0fb3712954

Download Submit
C:\Users\Admin\AppData\Roaming\plugmperier457846.exe

Filesize
917KB

MD5
53c2300cd80cc19026ff56c95835ecc9

SHA1
f66b14b681aa9d71a884930fd5c6dc79fdbb0400

SHA256
99ed6e63a6e0562da0a4accc3c868a50a04e5c4f7757c99808eddf6979b84587

SHA512
38c4a03c1433977199bf938352df964e3976a197810d8a728e01d58ab2e7e356f0e866f96bf68b195d14c5949a30de397fb8adbee0b3642305c42f0fb3712954

Download Submit
\Users\Admin\AppData\Roaming\plugmperier457846.exe

Filesize
917KB

MD5
53c2300cd80cc19026ff56c95835ecc9

SHA1
f66b14b681aa9d71a884930fd5c6dc79fdbb0400

SHA256
99ed6e63a6e0562da0a4accc3c868a50a04e5c4f7757c99808eddf6979b84587

SHA512
38c4a03c1433977199bf938352df964e3976a197810d8a728e01d58ab2e7e356f0e866f96bf68b195d14c5949a30de397fb8adbee0b3642305c42f0fb3712954

Download Submit
memory/2216-132-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2216-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2708-96-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2708-93-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2708-78-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2708-79-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2708-80-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2708-81-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2708-82-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2708-83-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2708-84-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2708-85-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2708-86-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2708-143-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2708-87-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2708-90-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2708-91-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2708-142-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2708-94-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2708-95-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2708-136-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2708-97-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2708-104-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2708-106-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2708-107-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2708-135-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3044-68-0x0000000000AF0000-0x0000000000B30000-memory.dmp

Filesize
256KB

Download
memory/3044-66-0x0000000001260000-0x000000000134C000-memory.dmp

Filesize
944KB

Download
memory/3044-69-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/3044-74-0x0000000000AF0000-0x0000000000B30000-memory.dmp

Filesize
256KB

Download
memory/3044-77-0x0000000005740000-0x00000000057F8000-memory.dmp

Filesize
736KB

Download
memory/3044-76-0x0000000000620000-0x000000000062C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing