remcos | 7c8d1f5e542c876e083d5356b803f94b96803545e441b4b7c260ed1de52da389

General

Target

RFQ ETMT 009462900_pdf(58kb).exe
Size

499KB
MD5

8db92bb4d4f088c378b9c430b72ac827
SHA1

41cc52c3b467aac55ff57ad9d1fd7223fef7ee70
SHA256

2fb6f8d101edc0b6a053d332cb32d0134f5c66629970cf411f34f437928b87a4
SHA512

2fe47dd6cc30575f8ec65ee5287cc7e345888efba328fff73a339bbe7e748d588186763c5b3d69cd7ca3c2a40a047cac4d755591a29c690bbb01db71a97fbd09
SSDEEP

12288:YkSnWVfzb9ybh95rH9P2VtHO8LVS6krP6qwFkOfWeuteV8aV:YJnefzb0toVtHvA3vleK0

Score

10^/10

remcos fresh persistence rat

Malware Config

Extracted

Family

remcos

Botnet

FRESH

C2

igw.myfirewall.org:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
outlook
mouse_option
false
mutex
RmcbWqr-YNNHMH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
2352	wnnqrg.exe
2768	wnnqrg.exe

Loads dropped DLL 2 IoCs

pid	Process
2380	RFQ ETMT 009462900_pdf(58kb).exe
2352	wnnqrg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\nnwsscxhhq = "C:\\Users\\Admin\\AppData\\Roaming\\irrbwwg\\plluqqyiie.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wnnqrg.exe\" "	wnnqrg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2352 set thread context of 2768	2352	wnnqrg.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2352	wnnqrg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2768	wnnqrg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2352	2380	RFQ ETMT 009462900_pdf(58kb).exe	28
PID 2380 wrote to memory of 2352	2380	RFQ ETMT 009462900_pdf(58kb).exe	28
PID 2380 wrote to memory of 2352	2380	RFQ ETMT 009462900_pdf(58kb).exe	28
PID 2380 wrote to memory of 2352	2380	RFQ ETMT 009462900_pdf(58kb).exe	28
PID 2352 wrote to memory of 2768	2352	wnnqrg.exe	29
PID 2352 wrote to memory of 2768	2352	wnnqrg.exe	29
PID 2352 wrote to memory of 2768	2352	wnnqrg.exe	29
PID 2352 wrote to memory of 2768	2352	wnnqrg.exe	29
PID 2352 wrote to memory of 2768	2352	wnnqrg.exe	29

C:\Users\Admin\AppData\Local\Temp\RFQ ETMT 009462900_pdf(58kb).exe
"C:\Users\Admin\AppData\Local\Temp\RFQ ETMT 009462900_pdf(58kb).exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\wnnqrg.exe
  "C:\Users\Admin\AppData\Local\Temp\wnnqrg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\wnnqrg.exe
    "C:\Users\Admin\AppData\Local\Temp\wnnqrg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\outlook\logs.dat

Filesize
144B

MD5
5188d27ffff99bdc58485206495cccb5

SHA1
4f87781c32dbb6fc3905d77b583499d910a02413

SHA256
49e24c7305913a2e9c00e2432e4926059195dd955a6719e7adc137f6d68c3b76

SHA512
130457f539f831ba84d1de5c4a3de67c8e205045faa98cbc6485bb91e0d666abcab7bc3d88c9c2096d9908a18c80da752a5508123a9f7d52470e46f940a1f9ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjuhibpwa.mlg

Filesize
319KB

MD5
a7388208f7d6cba2b8e5464e593ac087

SHA1
8d7f91be4d0daba4e86fb45a99304466de4de9b5

SHA256
94cf06f826a1c5d2b4dc14cecb1bd93595af8941c67320cebdbad037c93e0ce0

SHA512
bc342b3256f9a6f64a43b448ee09753b59d9b34819aaa3d743f8f73860fb729f604a7da4a54dbf159875d03ad775c481a44e4af16ba75115735893524fe206bf

Download Submit
\Users\Admin\AppData\Local\Temp\wnnqrg.exe

Filesize
62KB

MD5
ad65f79ab6bd2884461a198e1d77ef76

SHA1
f7ac4388da64c17f92f0c10803de57abad060bb9

SHA256
c545d7f6a0c7da83bdabf56728c240bca8dc9f86416123efde1a3e60d87626ce

SHA512
7da047e3ce0ffe6d01e603092f12acfa98499b0407ba6b328acd94eb7894f7009163804b6fd645ae6b6d0deb98091cacb71b53c0585381fdb962a205e6a8440e

Download Submit
memory/2352-7-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2768-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-12-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-50-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-57-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-66-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-73-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-74-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2768-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads