remcos | 5bf3f7baa22f254ac5dfd3383902f12f07706ecbd6913cff25548cb9c8f68c54

General

Target

0987654000090000.exe
Size

463KB
MD5

ac851f5b083c90453be2536fb7cf8eb0
SHA1

65832ec449c430855a54607908d71d58896293ff
SHA256

ac9790802a041c8d44f6bd430e0cc97ab9f452445aca1706acfe05851f7ce8a3
SHA512

9914deaae2c36d9b61da41bcd7cc2152083b715c48423df9625183a829e61d244ba67794776ab2669975189fe28b5da65dde1d24f230613be784307767ff3fa6
SSDEEP

6144:M8LxBwEVDPYW8JlHZB97/vh9122pfz0ryHoAtk9t/xiXT1yFahtXBpve5CzmTc/G:8uY3jZX7r12ZryIAtkvWpOstuCzJTHi

Score

10^/10

remcos remotehost persistence rat upx

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

107.175.229.139:8087

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-IZFV1M
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
4968	vqtemi.exe
2152	vqtemi.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2152-8-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/2152-10-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/2152-11-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/2152-15-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/2152-17-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/2152-16-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/2152-13-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/2152-12-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/2152-22-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/2152-23-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/2152-28-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/2152-29-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/2152-34-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/2152-36-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/2152-41-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/2152-42-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/2152-47-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/2152-48-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/2152-54-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/2152-55-0x0000000000400000-0x000000000048B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgcktpyienjsc = "C:\\Users\\Admin\\AppData\\Roaming\\ejsoxt\\dmirb.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\vqtemi.exe\" "	vqtemi.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4968 set thread context of 2152	4968	vqtemi.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4968	vqtemi.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2152	vqtemi.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 4968	868	0987654000090000.exe	87
PID 868 wrote to memory of 4968	868	0987654000090000.exe	87
PID 868 wrote to memory of 4968	868	0987654000090000.exe	87
PID 4968 wrote to memory of 2152	4968	vqtemi.exe	91
PID 4968 wrote to memory of 2152	4968	vqtemi.exe	91
PID 4968 wrote to memory of 2152	4968	vqtemi.exe	91
PID 4968 wrote to memory of 2152	4968	vqtemi.exe	91

C:\Users\Admin\AppData\Local\Temp\0987654000090000.exe
"C:\Users\Admin\AppData\Local\Temp\0987654000090000.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:868
- C:\Users\Admin\AppData\Local\Temp\vqtemi.exe
  "C:\Users\Admin\AppData\Local\Temp\vqtemi.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Users\Admin\AppData\Local\Temp\vqtemi.exe
    "C:\Users\Admin\AppData\Local\Temp\vqtemi.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
1be77d13d5b3d5adfad22fabd1f9f970

SHA1
6fd7ad66aaa2655ce871821c85f30f2553deb60c

SHA256
9e1bc91abf61122efc642e74de141731f2360de9d83dfc25993a287e88eff5e9

SHA512
fffa1417b1466d0e22e1a18c699d2decba320f124b4bed15c58d5b40733f87ef54e415d170c319083da039969fe9950ed02a268877cf9738ef612a2f4bc1e201

Download Submit
C:\Users\Admin\AppData\Local\Temp\eyhgd.jer

Filesize
252KB

MD5
ca7ad6c734d55aac2eef45faca75cc65

SHA1
7599b53f8858ab8bad4770d87c50e74550c4cf6a

SHA256
6af23d92e5bac4cd6d762dd4303753977ade5385c0184ce1cacc5b18ced1935f

SHA512
21e36792ac556263fcc7675f07499ae972b22b3fb742b32f5adbc7fc5eb77ffd39132f7351b4b0941305e840afbab853deaac21a44f264055d232bfd48677a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqtemi.exe

Filesize
298KB

MD5
734c4492a033a663f9bfc2c2c8dfe824

SHA1
c5fb75bb9b28bdeded604822b9a5c286aebadcdc

SHA256
e9c38d8b535141fe9bbc3c6fb57b74bf94f31dbdeea49eab9940678f0864bc47

SHA512
e3ba69173c259e40839ab88d9f30f81d7dade7c4bea1ed2ce85c1cff34dc7cbfe5d3ac0afa2823980be6fcf0470adb9a1d81120a684d4ef3ad1f380e1a199a7f

Download Submit
memory/2152-23-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2152-28-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2152-11-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2152-15-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2152-17-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2152-16-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2152-13-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2152-12-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2152-22-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2152-8-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2152-55-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2152-10-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2152-29-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2152-34-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2152-36-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2152-41-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2152-42-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2152-47-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2152-48-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2152-54-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4968-5-0x00000000030F0000-0x00000000030F2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads