remcos | 7c8d1f5e542c876e083d5356b803f94b96803545e441b4b7c260ed1de52da389

General

Target

RFQ ETMT 009462900_pdf(58kb).exe
Size

499KB
MD5

8db92bb4d4f088c378b9c430b72ac827
SHA1

41cc52c3b467aac55ff57ad9d1fd7223fef7ee70
SHA256

2fb6f8d101edc0b6a053d332cb32d0134f5c66629970cf411f34f437928b87a4
SHA512

2fe47dd6cc30575f8ec65ee5287cc7e345888efba328fff73a339bbe7e748d588186763c5b3d69cd7ca3c2a40a047cac4d755591a29c690bbb01db71a97fbd09
SSDEEP

12288:YkSnWVfzb9ybh95rH9P2VtHO8LVS6krP6qwFkOfWeuteV8aV:YJnefzb0toVtHvA3vleK0

Score

10^/10

remcos fresh persistence rat

Malware Config

Extracted

Family

remcos

Botnet

FRESH

C2

igw.myfirewall.org:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
outlook
mouse_option
false
mutex
RmcbWqr-YNNHMH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
4848	wnnqrg.exe
5044	wnnqrg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nnwsscxhhq = "C:\\Users\\Admin\\AppData\\Roaming\\irrbwwg\\plluqqyiie.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wnnqrg.exe\" "	wnnqrg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4848 set thread context of 5044	4848	wnnqrg.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4848	wnnqrg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5044	wnnqrg.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 4848	656	RFQ ETMT 009462900_pdf(58kb).exe	91
PID 656 wrote to memory of 4848	656	RFQ ETMT 009462900_pdf(58kb).exe	91
PID 656 wrote to memory of 4848	656	RFQ ETMT 009462900_pdf(58kb).exe	91
PID 4848 wrote to memory of 5044	4848	wnnqrg.exe	93
PID 4848 wrote to memory of 5044	4848	wnnqrg.exe	93
PID 4848 wrote to memory of 5044	4848	wnnqrg.exe	93
PID 4848 wrote to memory of 5044	4848	wnnqrg.exe	93

C:\Users\Admin\AppData\Local\Temp\RFQ ETMT 009462900_pdf(58kb).exe
"C:\Users\Admin\AppData\Local\Temp\RFQ ETMT 009462900_pdf(58kb).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:656
- C:\Users\Admin\AppData\Local\Temp\wnnqrg.exe
  "C:\Users\Admin\AppData\Local\Temp\wnnqrg.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\wnnqrg.exe
    "C:\Users\Admin\AppData\Local\Temp\wnnqrg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\outlook\logs.dat

Filesize
144B

MD5
0bc6b06160b47ba52d489714c171291f

SHA1
003d0a0679e93274432a5a436de3d384c86e27a4

SHA256
c8c7bab98994542323a9ab693cc48c20eb7b80afe802811fff65bbd9e5fd068c

SHA512
2a7a3135beb4f1d87b5aef70ee25258be2fe744b22e7bdf0981a09a47ffde27c59f3b3adfb23244d49b1ecb286a903d47fee0d2267583ec3cc34e2d5e9ffd548

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjuhibpwa.mlg

Filesize
377KB

MD5
623680efd11f6381a87f51e4e1c6c633

SHA1
bef582a13edae1bcd237e9c54f739956cb8fbd74

SHA256
54721adedaed24dca72d87cae7f89dbff914165ca61c0ec4fa0a727a6e5609ea

SHA512
35b94d8fd18a750b530f9905cd7257d674d0b844e972e8c6b713a74d4f4ce0483a209671b2bd16f2cd16a747431b324cce9944746b040177cf918eb8e4f2cbc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wnnqrg.exe

Filesize
62KB

MD5
ad65f79ab6bd2884461a198e1d77ef76

SHA1
f7ac4388da64c17f92f0c10803de57abad060bb9

SHA256
c545d7f6a0c7da83bdabf56728c240bca8dc9f86416123efde1a3e60d87626ce

SHA512
7da047e3ce0ffe6d01e603092f12acfa98499b0407ba6b328acd94eb7894f7009163804b6fd645ae6b6d0deb98091cacb71b53c0585381fdb962a205e6a8440e

Download Submit
memory/4848-6-0x00000000000A0000-0x00000000001A0000-memory.dmp

Filesize
1024KB

Download
memory/5044-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-11-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-9-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-12-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-49-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-60-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5044-74-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads