remcos | cd87df4de222e57b4a9426eb12eaa4ea5af3e1bd7a3a3801f235b50d2b8443c0

General

Target

167d4dc0ea6322fb7123af5e5511a168.exe
Size

809KB
MD5

167d4dc0ea6322fb7123af5e5511a168
SHA1

6ec775aa75e806401f229a01802a508aa2f34cf2
SHA256

cd87df4de222e57b4a9426eb12eaa4ea5af3e1bd7a3a3801f235b50d2b8443c0
SHA512

5a38539bb04a1b0423894431df53674d172be3c8d68db836c93e20ec4d842be97a139aeee5cda9b04ed8daa13b4f477f8c9de948fc92d44fe3b9da964567db10
SSDEEP

12288:zG/onGprkMB62cAyPacr+DV8zNYREk7joM9uaHgVnHGAvKY:X062cSEk8zNYeM8wXgVnHDyY

Score

10^/10

remcos 5001 rat

Malware Config

Extracted

Family

remcos

Version

2.7.2 Pro

Botnet

5001

C2

168.119.2.184:5001

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
logss
keylog_path
%Temp%
mouse_option
false
mutex
Remcos-KEN7WH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	167d4dc0ea6322fb7123af5e5511a168.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	mshta.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iesysprep.lnk	MSBuild.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4692 set thread context of 1144	4692	MSBuild.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	167d4dc0ea6322fb7123af5e5511a168.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1144	RegAsm.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 4904	4792	167d4dc0ea6322fb7123af5e5511a168.exe	31
PID 4792 wrote to memory of 4904	4792	167d4dc0ea6322fb7123af5e5511a168.exe	31
PID 4792 wrote to memory of 4904	4792	167d4dc0ea6322fb7123af5e5511a168.exe	31
PID 4904 wrote to memory of 4692	4904	mshta.exe	100
PID 4904 wrote to memory of 4692	4904	mshta.exe	100
PID 4904 wrote to memory of 4692	4904	mshta.exe	100
PID 4692 wrote to memory of 4608	4692	MSBuild.exe	103
PID 4692 wrote to memory of 4608	4692	MSBuild.exe	103
PID 4692 wrote to memory of 4608	4692	MSBuild.exe	103
PID 4608 wrote to memory of 5068	4608	csc.exe	104
PID 4608 wrote to memory of 5068	4608	csc.exe	104
PID 4608 wrote to memory of 5068	4608	csc.exe	104
PID 4692 wrote to memory of 1112	4692	MSBuild.exe	107
PID 4692 wrote to memory of 1112	4692	MSBuild.exe	107
PID 4692 wrote to memory of 1112	4692	MSBuild.exe	107
PID 4692 wrote to memory of 1144	4692	MSBuild.exe	106
PID 4692 wrote to memory of 1144	4692	MSBuild.exe	106
PID 4692 wrote to memory of 1144	4692	MSBuild.exe	106
PID 4692 wrote to memory of 1144	4692	MSBuild.exe	106
PID 4692 wrote to memory of 1144	4692	MSBuild.exe	106
PID 4692 wrote to memory of 1144	4692	MSBuild.exe	106
PID 4692 wrote to memory of 1144	4692	MSBuild.exe	106
PID 4692 wrote to memory of 1144	4692	MSBuild.exe	106
PID 4692 wrote to memory of 1144	4692	MSBuild.exe	106
PID 4692 wrote to memory of 1144	4692	MSBuild.exe	106

C:\Users\Admin\AppData\Local\Temp\167d4dc0ea6322fb7123af5e5511a168.exe
"C:\Users\Admin\AppData\Local\Temp\167d4dc0ea6322fb7123af5e5511a168.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\iesysprep.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" "C:\Users\Admin\AppData\iesysprep.url"
    3⤵
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gg5dl4oe\gg5dl4oe.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4608
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6949.tmp" "c:\Users\Admin\AppData\Local\Temp\gg5dl4oe\CSC45E8CFFCCEFA45E090F58C23263D6BAF.TMP"
        5⤵
        
        PID:5068
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1144
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\logss\logs.dat

Filesize
114B

MD5
19fddc4719e555724c66cfacd466f1e5

SHA1
d104f53b459e81834371cec40496cf0d4a171d84

SHA256
a55843d24c78a9eeced0ba2fcd82aa63ee843d2a030dadc94377ce2a39e1a6c4

SHA512
87f918efe91b0cd61baa1b9dc151795f7ef821ca4d6281268f8210bb9c9c4a386813af2463e3404514f32afbdf25ffd494334421c503ec684294912599a5adfd

Download Submit
memory/1144-34-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1144-37-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1144-41-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1144-44-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1144-45-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1144-39-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4692-10-0x0000000005020000-0x0000000005050000-memory.dmp

Filesize
192KB

Download
memory/4692-14-0x0000000005F00000-0x000000000607C000-memory.dmp

Filesize
1.5MB

Download
memory/4692-15-0x0000000006270000-0x00000000065D6000-memory.dmp

Filesize
3.4MB

Download
memory/4692-30-0x0000000005B90000-0x0000000005BBA000-memory.dmp

Filesize
168KB

Download
memory/4692-12-0x0000000005CA0000-0x0000000005DC2000-memory.dmp

Filesize
1.1MB

Download
memory/4692-13-0x0000000005BC0000-0x0000000005C04000-memory.dmp

Filesize
272KB

Download
memory/4692-43-0x0000000070900000-0x00000000710B0000-memory.dmp

Filesize
7.7MB

Download
memory/4692-5-0x0000000000740000-0x0000000000780000-memory.dmp

Filesize
256KB

Download
memory/4692-9-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/4692-7-0x0000000001160000-0x000000000117A000-memory.dmp

Filesize
104KB

Download
memory/4692-8-0x0000000005270000-0x00000000053CA000-memory.dmp

Filesize
1.4MB

Download
memory/4692-35-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/4692-6-0x0000000070900000-0x00000000710B0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing