remcos | 5bf3f7baa22f254ac5dfd3383902f12f07706ecbd6913cff25548cb9c8f68c54

General

Target

0987654000090000.exe
Size

463KB
MD5

ac851f5b083c90453be2536fb7cf8eb0
SHA1

65832ec449c430855a54607908d71d58896293ff
SHA256

ac9790802a041c8d44f6bd430e0cc97ab9f452445aca1706acfe05851f7ce8a3
SHA512

9914deaae2c36d9b61da41bcd7cc2152083b715c48423df9625183a829e61d244ba67794776ab2669975189fe28b5da65dde1d24f230613be784307767ff3fa6
SSDEEP

6144:M8LxBwEVDPYW8JlHZB97/vh9122pfz0ryHoAtk9t/xiXT1yFahtXBpve5CzmTc/G:8uY3jZX7r12ZryIAtkvWpOstuCzJTHi

Score

10^/10

remcos remotehost persistence rat upx

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

107.175.229.139:8087

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-IZFV1M
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 3 IoCs

pid	Process
956	vqtemi.exe
2864	vqtemi.exe
1576	vqtemi.exe

Loads dropped DLL 4 IoCs

pid	Process
2172	0987654000090000.exe
2172	0987654000090000.exe
956	vqtemi.exe
956	vqtemi.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1576-18-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1576-16-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1576-20-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1576-24-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1576-26-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1576-25-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1576-22-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1576-21-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1576-19-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1576-31-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1576-32-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1576-37-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1576-38-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1576-44-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1576-45-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1576-50-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1576-51-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1576-56-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1576-58-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1576-63-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1576-64-0x0000000000400000-0x000000000048B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgcktpyienjsc = "C:\\Users\\Admin\\AppData\\Roaming\\ejsoxt\\dmirb.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\vqtemi.exe\" "	vqtemi.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 956 set thread context of 1576	956	vqtemi.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
956	vqtemi.exe
956	vqtemi.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1576	vqtemi.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 956	2172	0987654000090000.exe	28
PID 2172 wrote to memory of 956	2172	0987654000090000.exe	28
PID 2172 wrote to memory of 956	2172	0987654000090000.exe	28
PID 2172 wrote to memory of 956	2172	0987654000090000.exe	28
PID 956 wrote to memory of 2864	956	vqtemi.exe	29
PID 956 wrote to memory of 2864	956	vqtemi.exe	29
PID 956 wrote to memory of 2864	956	vqtemi.exe	29
PID 956 wrote to memory of 2864	956	vqtemi.exe	29
PID 956 wrote to memory of 1576	956	vqtemi.exe	30
PID 956 wrote to memory of 1576	956	vqtemi.exe	30
PID 956 wrote to memory of 1576	956	vqtemi.exe	30
PID 956 wrote to memory of 1576	956	vqtemi.exe	30
PID 956 wrote to memory of 1576	956	vqtemi.exe	30

C:\Users\Admin\AppData\Local\Temp\0987654000090000.exe
"C:\Users\Admin\AppData\Local\Temp\0987654000090000.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\vqtemi.exe
  "C:\Users\Admin\AppData\Local\Temp\vqtemi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Users\Admin\AppData\Local\Temp\vqtemi.exe
    "C:\Users\Admin\AppData\Local\Temp\vqtemi.exe"
    3⤵
    - Executes dropped EXE
    PID:2864
- - C:\Users\Admin\AppData\Local\Temp\vqtemi.exe
    "C:\Users\Admin\AppData\Local\Temp\vqtemi.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
c80e6eccad68627692a5fc7ae75c3a20

SHA1
28efbec07bf1c35b90dfa8059c11c438dfe7ee98

SHA256
e7737278606b8f42ad9b7ca1f7a712303aefd1c327dc643aa7e839249fe61059

SHA512
16763093cab87245f1f5e3c62b13163070e34d27e3f81bf19d0fb44d2e682c4374aaa960e431ef5321e807cd8ef38deb11215d1d2481efed9d5b9a9f391f0d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\eyhgd.jer

Filesize
252KB

MD5
ca7ad6c734d55aac2eef45faca75cc65

SHA1
7599b53f8858ab8bad4770d87c50e74550c4cf6a

SHA256
6af23d92e5bac4cd6d762dd4303753977ade5385c0184ce1cacc5b18ced1935f

SHA512
21e36792ac556263fcc7675f07499ae972b22b3fb742b32f5adbc7fc5eb77ffd39132f7351b4b0941305e840afbab853deaac21a44f264055d232bfd48677a10

Download Submit
\Users\Admin\AppData\Local\Temp\vqtemi.exe

Filesize
298KB

MD5
734c4492a033a663f9bfc2c2c8dfe824

SHA1
c5fb75bb9b28bdeded604822b9a5c286aebadcdc

SHA256
e9c38d8b535141fe9bbc3c6fb57b74bf94f31dbdeea49eab9940678f0864bc47

SHA512
e3ba69173c259e40839ab88d9f30f81d7dade7c4bea1ed2ce85c1cff34dc7cbfe5d3ac0afa2823980be6fcf0470adb9a1d81120a684d4ef3ad1f380e1a199a7f

Download Submit
memory/956-9-0x00000000000E0000-0x00000000000E2000-memory.dmp

Filesize
8KB

Download
memory/1576-31-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1576-37-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1576-24-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1576-26-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1576-25-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1576-22-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1576-21-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1576-19-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1576-16-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1576-32-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1576-18-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1576-20-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1576-38-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1576-44-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1576-45-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1576-50-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1576-51-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1576-56-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1576-58-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1576-63-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1576-64-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads