remcos | 461dd41b2fd383a1e231f1c086fbe9b82aa7215a223777c06c139ecb1b043ac0

General

Target

4598e564d0d2833840b4f57e1440ea7a.exe
Size

10.6MB
MD5

4598e564d0d2833840b4f57e1440ea7a
SHA1

673f151991c49f6fe879b58e69e71f42c703abab
SHA256

461dd41b2fd383a1e231f1c086fbe9b82aa7215a223777c06c139ecb1b043ac0
SHA512

1a96c41a6153dcc0394c46a4c6586ce202f6135caebe191d5eb792ae8d85c9b44a1b3cb62d409b2e03d0450cb2859dc2793c57452ccf0a06970bd22857ac9bf0
SSDEEP

196608:i2Ipmss2BEIAFAMzVxS8ukp/ErGmIgi5+BFBEXAob6cdEn5s27CYmCMi8Hw:iasRARLS8np/ErGmPmXAobHd65sEtb8Q

Score

10^/10

remcos host rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

azdak.dynamic-dns.net:10666

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
july2021.exe
copy_folder
july2021
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
remcos_egjktweorc
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
asdfg
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 3 IoCs

pid	Process
2208	protectionstartup3.exe
2904	protectionstartup3.exe
2632	idman639build1f.exe

Loads dropped DLL 10 IoCs

pid	Process
2408	4598e564d0d2833840b4f57e1440ea7a.exe
2408	4598e564d0d2833840b4f57e1440ea7a.exe
2408	4598e564d0d2833840b4f57e1440ea7a.exe
2408	4598e564d0d2833840b4f57e1440ea7a.exe
2408	4598e564d0d2833840b4f57e1440ea7a.exe
2208	protectionstartup3.exe
2408	4598e564d0d2833840b4f57e1440ea7a.exe
2408	4598e564d0d2833840b4f57e1440ea7a.exe
2408	4598e564d0d2833840b4f57e1440ea7a.exe
2408	4598e564d0d2833840b4f57e1440ea7a.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2208 set thread context of 2904	2208	protectionstartup3.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2036	PING.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2208	protectionstartup3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2208	protectionstartup3.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2208	2408	4598e564d0d2833840b4f57e1440ea7a.exe	28
PID 2408 wrote to memory of 2208	2408	4598e564d0d2833840b4f57e1440ea7a.exe	28
PID 2408 wrote to memory of 2208	2408	4598e564d0d2833840b4f57e1440ea7a.exe	28
PID 2408 wrote to memory of 2208	2408	4598e564d0d2833840b4f57e1440ea7a.exe	28
PID 2408 wrote to memory of 2208	2408	4598e564d0d2833840b4f57e1440ea7a.exe	28
PID 2408 wrote to memory of 2208	2408	4598e564d0d2833840b4f57e1440ea7a.exe	28
PID 2408 wrote to memory of 2208	2408	4598e564d0d2833840b4f57e1440ea7a.exe	28
PID 2208 wrote to memory of 2904	2208	protectionstartup3.exe	35
PID 2208 wrote to memory of 2904	2208	protectionstartup3.exe	35
PID 2208 wrote to memory of 2904	2208	protectionstartup3.exe	35
PID 2208 wrote to memory of 2904	2208	protectionstartup3.exe	35
PID 2208 wrote to memory of 2904	2208	protectionstartup3.exe	35
PID 2208 wrote to memory of 2904	2208	protectionstartup3.exe	35
PID 2208 wrote to memory of 2904	2208	protectionstartup3.exe	35
PID 2208 wrote to memory of 2904	2208	protectionstartup3.exe	35
PID 2408 wrote to memory of 2632	2408	4598e564d0d2833840b4f57e1440ea7a.exe	29
PID 2408 wrote to memory of 2632	2408	4598e564d0d2833840b4f57e1440ea7a.exe	29
PID 2408 wrote to memory of 2632	2408	4598e564d0d2833840b4f57e1440ea7a.exe	29
PID 2408 wrote to memory of 2632	2408	4598e564d0d2833840b4f57e1440ea7a.exe	29
PID 2408 wrote to memory of 2632	2408	4598e564d0d2833840b4f57e1440ea7a.exe	29
PID 2408 wrote to memory of 2632	2408	4598e564d0d2833840b4f57e1440ea7a.exe	29
PID 2408 wrote to memory of 2632	2408	4598e564d0d2833840b4f57e1440ea7a.exe	29

C:\Users\Admin\AppData\Local\Temp\4598e564d0d2833840b4f57e1440ea7a.exe
"C:\Users\Admin\AppData\Local\Temp\4598e564d0d2833840b4f57e1440ea7a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\protectionstartup3.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\protectionstartup3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\protectionstartup3.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\protectionstartup3.exe"
    3⤵
    - Executes dropped EXE
    PID:2904
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\idman639build1f.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\idman639build1f.exe"
  2⤵
  - Executes dropped EXE
  PID:2632
- - C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
    "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
    3⤵
    PID:2852

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
1⤵
- Runs ping.exe
PID:2036

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
1⤵
PID:1368
- C:\Users\Admin\AppData\Roaming\july2021\july2021.exe
  "C:\Users\Admin\AppData\Roaming\july2021\july2021.exe"
  2⤵
  PID:2928
- - C:\Users\Admin\AppData\Roaming\july2021\july2021.exe
    "C:\Users\Admin\AppData\Roaming\july2021\july2021.exe"
    3⤵
    PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1652-97-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1652-88-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1652-90-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1652-91-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1652-93-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1652-102-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1652-101-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1652-99-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1652-95-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1652-86-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1652-96-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2208-31-0x0000000000250000-0x0000000000258000-memory.dmp

Filesize
32KB

Download
memory/2208-30-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2208-22-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2208-24-0x0000000000250000-0x0000000000258000-memory.dmp

Filesize
32KB

Download
memory/2208-23-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2408-47-0x00000000021D0000-0x00000000021DC000-memory.dmp

Filesize
48KB

Download
memory/2408-78-0x00000000030D0000-0x00000000030DC000-memory.dmp

Filesize
48KB

Download
memory/2632-69-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2632-70-0x00000000003D0000-0x00000000003F9000-memory.dmp

Filesize
164KB

Download
memory/2632-50-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2632-51-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2852-71-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2904-65-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2904-27-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2904-33-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2904-46-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2904-64-0x0000000000420000-0x0000000000487000-memory.dmp

Filesize
412KB

Download
memory/2904-63-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2904-55-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2928-84-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2928-80-0x0000000000250000-0x0000000000258000-memory.dmp

Filesize
32KB

Download
memory/2928-79-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing