remcos | 387e3c8f0f29348afcc2d36af37d6fd81a5a8dde21c8b46f41dbe879679cb2ca

Reason

Machine shutdown

General

Target

23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe
Size

1.2MB
MD5

dc6f55b6ce634ecd409dc535053ebdbc
SHA1

2cb8ccf33e22b46b3ea722548ec34a8167a38a67
SHA256

387e3c8f0f29348afcc2d36af37d6fd81a5a8dde21c8b46f41dbe879679cb2ca
SHA512

03909ef39916c16dd5e9d67f33038db2fb893b8a857f466c6a88fe1ed9f13bf6065159e0d1dca7cce7cd11976f394a9f3f07d226f37cbe58c722b075be3d4c88
SSDEEP

24576:oNgEFPPPPPPPPPPPPPZzOzKGeSAP1ywj7lGvM+M/MOHNtl/XmKOWrhsUwx:qgy75NywjQkhkOHNtl/XmPWyUwx

Score

10^/10

remcos crypted persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Crypted

C2

ourt2949aslumes9.duckdns.org:2401

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
paqlgkfs.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
ourvbpld-RBN2WW
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Loads dropped DLL 2 IoCs

Processes:

23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe

pid process

1648 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe
1648 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe

pid	process
1648	23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe
1648	23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wab.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\koldstartsproblemet = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Melodyless\\udkantsomraader.exe"	wab.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wab.exe

pid process

2888 wab.exe
2888 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

23IK-1799-REF09NSEP-GERMAMY-TBILIS.exewab.exe

pid process

1648 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe
2888 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe

description pid process target process

PID 1648 set thread context of 2888 1648 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe wab.exe
Drops file in Windows directory 1 IoCs

Processes:

23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe

description ioc process

File opened for modification C:\Windows\Beguilement137\biurea.flu 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe

pid process

1648 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

2888 wab.exe

pid	process
2888	wab.exe
2888	wab.exe

pid	process
1648	23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe
2888	wab.exe

description	pid	process	target process
PID 1648 set thread context of 2888	1648	23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe	wab.exe

description	ioc	process
File opened for modification	C:\Windows\Beguilement137\biurea.flu	23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe

pid	process
1648	23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe

pid	process
2888	wab.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe

description	pid	process	target process
PID 1648 wrote to memory of 2888	1648	23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe	wab.exe
PID 1648 wrote to memory of 2888	1648	23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe	wab.exe
PID 1648 wrote to memory of 2888	1648	23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe	wab.exe
PID 1648 wrote to memory of 2888	1648	23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe	wab.exe
PID 1648 wrote to memory of 2888	1648	23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe	wab.exe
PID 1648 wrote to memory of 2888	1648	23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe	wab.exe

C:\Users\Admin\AppData\Local\Temp\23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe
"C:\Users\Admin\AppData\Local\Temp\23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1648

C:\Program Files (x86)\windows mail\wab.exe
"C:\Users\Admin\AppData\Local\Temp\23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe"
2⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsi4368.tmp\System.dll
Filesize
11KB

MD5
0ff2d70cfdc8095ea99ca2dabbec3cd7

SHA1
10c51496d37cecd0e8a503a5a9bb2329d9b38116

SHA256
982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b

SHA512
cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e

Download Submit
\Users\Admin\AppData\Local\Temp\nsi4368.tmp\System.dll
Filesize
11KB

MD5
0ff2d70cfdc8095ea99ca2dabbec3cd7

SHA1
10c51496d37cecd0e8a503a5a9bb2329d9b38116

SHA256
982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b

SHA512
cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e

Download Submit
\Users\Admin\AppData\Local\Temp\nsi4368.tmp\System.dll
Filesize
11KB

MD5
0ff2d70cfdc8095ea99ca2dabbec3cd7

SHA1
10c51496d37cecd0e8a503a5a9bb2329d9b38116

SHA256
982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b

SHA512
cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e

Download Submit
memory/1648-24-0x0000000077470000-0x0000000077619000-memory.dmp

Filesize
1.7MB

Download
memory/1648-25-0x0000000077660000-0x0000000077736000-memory.dmp

Filesize
856KB

Download
memory/1648-26-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2888-27-0x0000000077470000-0x0000000077619000-memory.dmp

Filesize
1.7MB

Download
memory/2888-29-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-30-0x0000000000A60000-0x0000000005646000-memory.dmp

Filesize
75.9MB

Download
memory/2888-32-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-33-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-31-0x0000000000A60000-0x0000000005646000-memory.dmp

Filesize
75.9MB

Download
memory/2888-34-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-35-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-37-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-36-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-38-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-39-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-40-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-41-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-42-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-43-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-44-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-45-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-47-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-46-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-50-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-52-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-53-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-54-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-56-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-57-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-58-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-59-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-60-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-61-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-62-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-63-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-64-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-66-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-67-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-68-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-69-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-70-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-71-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-72-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-73-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-74-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-76-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-77-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-78-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-79-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-80-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-81-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-82-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-83-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-85-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-86-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-87-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-88-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-89-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-90-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-91-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-92-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download
memory/2888-93-0x00000000729F0000-0x0000000073A52000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads