remcos | 6a7e9302a2021b26270808b18e5701732e1f063bbe32223b6b1952852c86aa21

General

Target

HSBC TT PAYMENT INVOICE 201.exe
Size

1.5MB
MD5

5f99eee968415ded76c49d8841f04276
SHA1

5871818f94cd8c5305a523c20666f3aec577899c
SHA256

6a7e9302a2021b26270808b18e5701732e1f063bbe32223b6b1952852c86aa21
SHA512

d7b154f9d3574e37d79031094e7e4126f500f847f21c6c72d4fddf00e7f917c2d7189b829377a3f743e4dcd7327720bde88f76bbeff18382220b5c41f2dd8085
SSDEEP

24576:+DPTrJ9EPegxSA41yyhgD7pnhztkcJbyTxP67AUxlSizlYxKFz6N0:aR1Xg/pnhztxWxP6LSizl4KFg

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

103.212.81.155:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-GY4RIT
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	HSBC TT PAYMENT INVOICE 201.exe

Executes dropped EXE 1 IoCs

pid	Process
864	remcos.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-GY4RIT = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	HSBC TT PAYMENT INVOICE 201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-GY4RIT = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	HSBC TT PAYMENT INVOICE 201.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2912 set thread context of 4408	2912	HSBC TT PAYMENT INVOICE 201.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 4408	2912	HSBC TT PAYMENT INVOICE 201.exe	91
PID 2912 wrote to memory of 4408	2912	HSBC TT PAYMENT INVOICE 201.exe	91
PID 2912 wrote to memory of 4408	2912	HSBC TT PAYMENT INVOICE 201.exe	91
PID 2912 wrote to memory of 4408	2912	HSBC TT PAYMENT INVOICE 201.exe	91
PID 2912 wrote to memory of 4408	2912	HSBC TT PAYMENT INVOICE 201.exe	91
PID 2912 wrote to memory of 4408	2912	HSBC TT PAYMENT INVOICE 201.exe	91
PID 2912 wrote to memory of 4408	2912	HSBC TT PAYMENT INVOICE 201.exe	91
PID 2912 wrote to memory of 4408	2912	HSBC TT PAYMENT INVOICE 201.exe	91
PID 2912 wrote to memory of 4408	2912	HSBC TT PAYMENT INVOICE 201.exe	91
PID 2912 wrote to memory of 4408	2912	HSBC TT PAYMENT INVOICE 201.exe	91
PID 2912 wrote to memory of 4408	2912	HSBC TT PAYMENT INVOICE 201.exe	91
PID 2912 wrote to memory of 4408	2912	HSBC TT PAYMENT INVOICE 201.exe	91
PID 4408 wrote to memory of 864	4408	HSBC TT PAYMENT INVOICE 201.exe	92
PID 4408 wrote to memory of 864	4408	HSBC TT PAYMENT INVOICE 201.exe	92
PID 4408 wrote to memory of 864	4408	HSBC TT PAYMENT INVOICE 201.exe	92

C:\Users\Admin\AppData\Local\Temp\HSBC TT PAYMENT INVOICE 201.exe
"C:\Users\Admin\AppData\Local\Temp\HSBC TT PAYMENT INVOICE 201.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\HSBC TT PAYMENT INVOICE 201.exe
  "{path}"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Executes dropped EXE
    PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\remcos.exe

Filesize
1.5MB

MD5
5f99eee968415ded76c49d8841f04276

SHA1
5871818f94cd8c5305a523c20666f3aec577899c

SHA256
6a7e9302a2021b26270808b18e5701732e1f063bbe32223b6b1952852c86aa21

SHA512
d7b154f9d3574e37d79031094e7e4126f500f847f21c6c72d4fddf00e7f917c2d7189b829377a3f743e4dcd7327720bde88f76bbeff18382220b5c41f2dd8085

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
1.5MB

MD5
5f99eee968415ded76c49d8841f04276

SHA1
5871818f94cd8c5305a523c20666f3aec577899c

SHA256
6a7e9302a2021b26270808b18e5701732e1f063bbe32223b6b1952852c86aa21

SHA512
d7b154f9d3574e37d79031094e7e4126f500f847f21c6c72d4fddf00e7f917c2d7189b829377a3f743e4dcd7327720bde88f76bbeff18382220b5c41f2dd8085

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
1.5MB

MD5
5f99eee968415ded76c49d8841f04276

SHA1
5871818f94cd8c5305a523c20666f3aec577899c

SHA256
6a7e9302a2021b26270808b18e5701732e1f063bbe32223b6b1952852c86aa21

SHA512
d7b154f9d3574e37d79031094e7e4126f500f847f21c6c72d4fddf00e7f917c2d7189b829377a3f743e4dcd7327720bde88f76bbeff18382220b5c41f2dd8085

Download Submit
memory/864-28-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/864-27-0x0000000073B20000-0x00000000742D0000-memory.dmp

Filesize
7.7MB

Download
memory/2912-5-0x0000000005A50000-0x0000000005AE2000-memory.dmp

Filesize
584KB

Download
memory/2912-4-0x00000000061E0000-0x0000000006784000-memory.dmp

Filesize
5.6MB

Download
memory/2912-7-0x0000000005C90000-0x0000000005CE6000-memory.dmp

Filesize
344KB

Download
memory/2912-8-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/2912-1-0x0000000000DA0000-0x0000000000F2C000-memory.dmp

Filesize
1.5MB

Download
memory/2912-2-0x00000000058F0000-0x000000000598C000-memory.dmp

Filesize
624KB

Download
memory/2912-3-0x0000000005C20000-0x0000000005C30000-memory.dmp

Filesize
64KB

Download
memory/2912-13-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/2912-6-0x00000000059C0000-0x00000000059CA000-memory.dmp

Filesize
40KB

Download
memory/2912-0-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/4408-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4408-12-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4408-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4408-11-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4408-9-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads