remcos | 9ef9b4a8ab8366ea77b049febf61fd2003aa90b9b38f5c301bff8a60a0feef24

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
20/11/2023, 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jurojarem2.1.exe
Size

572KB
MD5

0a1d0f4a278dff187347c1544ab3dc6a
SHA1

765e25fcbbdb651ae743dede4a50f10cc672e915
SHA256

9ef9b4a8ab8366ea77b049febf61fd2003aa90b9b38f5c301bff8a60a0feef24
SHA512

4aba1511baf640947fe77d15c44e27b28bd8d1eb18c8e2136228630910384902ba891cf630ad39fa3a4893196c3490d109722f8fd292447516b364292ed5b385
SSDEEP

12288:HVzaqD3kmx8ROJVT7WPBL4lbeItG74jdzGa0oiN/uucM/9:1zNDv8kJ57W2lb/GQGv5

Score

10^/10

remcos jujufile persistence rat

Malware Config

Extracted

Family

remcos

Botnet

jujufile

sheddy1122.ddns.net:6524

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-YCH6KL
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
2060	nrcrae.exe
2728	nrcrae.exe

Loads dropped DLL 3 IoCs

pid	Process
1824	jurojarem2.1.exe
1824	jurojarem2.1.exe
2060	nrcrae.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyuuennjsc = "C:\\Users\\Admin\\AppData\\Roaming\\oxttdmmhqq\\mvvfbkktp.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\nrcrae.exe\" "	nrcrae.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2060 set thread context of 2728	2060	nrcrae.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2060	nrcrae.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 2060	1824	jurojarem2.1.exe	28
PID 1824 wrote to memory of 2060	1824	jurojarem2.1.exe	28
PID 1824 wrote to memory of 2060	1824	jurojarem2.1.exe	28
PID 1824 wrote to memory of 2060	1824	jurojarem2.1.exe	28
PID 2060 wrote to memory of 2728	2060	nrcrae.exe	29
PID 2060 wrote to memory of 2728	2060	nrcrae.exe	29
PID 2060 wrote to memory of 2728	2060	nrcrae.exe	29
PID 2060 wrote to memory of 2728	2060	nrcrae.exe	29
PID 2060 wrote to memory of 2728	2060	nrcrae.exe	29

C:\Users\Admin\AppData\Local\Temp\jurojarem2.1.exe
"C:\Users\Admin\AppData\Local\Temp\jurojarem2.1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Users\Admin\AppData\Local\Temp\nrcrae.exe
  "C:\Users\Admin\AppData\Local\Temp\nrcrae.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Users\Admin\AppData\Local\Temp\nrcrae.exe
    "C:\Users\Admin\AppData\Local\Temp\nrcrae.exe"
    3⤵
    - Executes dropped EXE
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nrcrae.exe

Filesize
191KB

MD5
ee99fc55b29a46169f0540aeb0bca165

SHA1
01a548e1c1f25ef3fc9bb0b9de385e9c36282033

SHA256
7f5b232d44fbdd08ebbc844ca1fd85896a87e3597b03ca0a6f92ccaa4f0a8ef3

SHA512
57cb9b568a4513fdff5e1cf85922bf481b4d4b6f95e8f0a38f4a053e5b6a9c34da7156df230e08e39f2cbf09bb610599a75c4c9624455e56136f015e793c0daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nrcrae.exe

Filesize
191KB

MD5
ee99fc55b29a46169f0540aeb0bca165

SHA1
01a548e1c1f25ef3fc9bb0b9de385e9c36282033

SHA256
7f5b232d44fbdd08ebbc844ca1fd85896a87e3597b03ca0a6f92ccaa4f0a8ef3

SHA512
57cb9b568a4513fdff5e1cf85922bf481b4d4b6f95e8f0a38f4a053e5b6a9c34da7156df230e08e39f2cbf09bb610599a75c4c9624455e56136f015e793c0daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nrcrae.exe

Filesize
191KB

MD5
ee99fc55b29a46169f0540aeb0bca165

SHA1
01a548e1c1f25ef3fc9bb0b9de385e9c36282033

SHA256
7f5b232d44fbdd08ebbc844ca1fd85896a87e3597b03ca0a6f92ccaa4f0a8ef3

SHA512
57cb9b568a4513fdff5e1cf85922bf481b4d4b6f95e8f0a38f4a053e5b6a9c34da7156df230e08e39f2cbf09bb610599a75c4c9624455e56136f015e793c0daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nrcrae.exe

Filesize
191KB

MD5
ee99fc55b29a46169f0540aeb0bca165

SHA1
01a548e1c1f25ef3fc9bb0b9de385e9c36282033

SHA256
7f5b232d44fbdd08ebbc844ca1fd85896a87e3597b03ca0a6f92ccaa4f0a8ef3

SHA512
57cb9b568a4513fdff5e1cf85922bf481b4d4b6f95e8f0a38f4a053e5b6a9c34da7156df230e08e39f2cbf09bb610599a75c4c9624455e56136f015e793c0daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmexolwodq.pd

Filesize
503KB

MD5
5ea8e75765169d06ea196ff8199f776f

SHA1
4ed58a9bab8b37909c4e56cc5c436d685cc5cd5e

SHA256
fbfa13ab9d91adbadf4080bbdd528deaae39a252a2da31e29415db9372657436

SHA512
a03d986037667d41c0413aacf1ee0fa70e240d9e652da73a633b02d2f78d1f6ffcb3b554c173398f769890489106015938f0687ea34eb723200b7bb678e3409f

Download Submit
\Users\Admin\AppData\Local\Temp\nrcrae.exe

Filesize
191KB

MD5
ee99fc55b29a46169f0540aeb0bca165

SHA1
01a548e1c1f25ef3fc9bb0b9de385e9c36282033

SHA256
7f5b232d44fbdd08ebbc844ca1fd85896a87e3597b03ca0a6f92ccaa4f0a8ef3

SHA512
57cb9b568a4513fdff5e1cf85922bf481b4d4b6f95e8f0a38f4a053e5b6a9c34da7156df230e08e39f2cbf09bb610599a75c4c9624455e56136f015e793c0daf

Download Submit
\Users\Admin\AppData\Local\Temp\nrcrae.exe

Filesize
191KB

MD5
ee99fc55b29a46169f0540aeb0bca165

SHA1
01a548e1c1f25ef3fc9bb0b9de385e9c36282033

SHA256
7f5b232d44fbdd08ebbc844ca1fd85896a87e3597b03ca0a6f92ccaa4f0a8ef3

SHA512
57cb9b568a4513fdff5e1cf85922bf481b4d4b6f95e8f0a38f4a053e5b6a9c34da7156df230e08e39f2cbf09bb610599a75c4c9624455e56136f015e793c0daf

Download Submit
\Users\Admin\AppData\Local\Temp\nrcrae.exe

Filesize
191KB

MD5
ee99fc55b29a46169f0540aeb0bca165

SHA1
01a548e1c1f25ef3fc9bb0b9de385e9c36282033

SHA256
7f5b232d44fbdd08ebbc844ca1fd85896a87e3597b03ca0a6f92ccaa4f0a8ef3

SHA512
57cb9b568a4513fdff5e1cf85922bf481b4d4b6f95e8f0a38f4a053e5b6a9c34da7156df230e08e39f2cbf09bb610599a75c4c9624455e56136f015e793c0daf

Download Submit
memory/2060-9-0x00000000003A0000-0x00000000003A3000-memory.dmp

Filesize
12KB

Download
memory/2728-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-49-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-50-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-51-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-57-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-60-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-66-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-67-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-73-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-74-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-75-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-76-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2728-78-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads