remcos | 6bda8394101554cfdc4f42dd2e5628f390fd09663571a8d080610aac270ff08b

Analysis

max time kernel
135s
max time network
150s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
27-01-2024 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nahujtunnels.exe
Size

100KB
MD5

b413fee050bacbf831bc006f0414b6ca
SHA1

ef6aad6bc6443f73a991724355ed74d610b1409b
SHA256

6bda8394101554cfdc4f42dd2e5628f390fd09663571a8d080610aac270ff08b
SHA512

fe813018c1e4a57679c2a4c13e08025715b21ff6f247aab3406d1fc0dbe1d15d3069f13a39e4b3b0b6ad4e598cc71ab3ac990c9fccaf9eb94ec967172807850c
SSDEEP

3072:nhzYTGWVvJ8f2v1TbPzuMsIFSHNThy+JP/P6Ervb:nhzOv2fM13jsIFSHNT7P/P6Qvb

Score

10^/10

remcos dlscord persistence rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Dlscord

shall-someone.gl.at.ply.gg:60408

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
10
connect_interval
5
copy_file
Bin.exe
copy_folder
Factorio
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%SystemDrive%
keylog_crypt
true
keylog_file
driver.dat
keylog_flag
false
keylog_folder
keyboard drivers
keylog_path
%WinDir%\System32
mouse_option
false
mutex
remcos_bfpmypnbrt
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screen drivers
screenshot_path
%WinDir%\System32
screenshot_time
60
startup_value
Windows.Defender
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 1 IoCs

pid	Process
4312	Bin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows.Defender = "\"C:\\Factorio\\Bin.exe\""	nahujtunnels.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows.Defender = "\"C:\\Factorio\\Bin.exe\""	Bin.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4312 set thread context of 3240	4312	Bin.exe	78

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
596	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4312	Bin.exe
4312	Bin.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 2088	216	nahujtunnels.exe	74
PID 216 wrote to memory of 2088	216	nahujtunnels.exe	74
PID 216 wrote to memory of 2088	216	nahujtunnels.exe	74
PID 2088 wrote to memory of 596	2088	cmd.exe	76
PID 2088 wrote to memory of 596	2088	cmd.exe	76
PID 2088 wrote to memory of 596	2088	cmd.exe	76
PID 2088 wrote to memory of 4312	2088	cmd.exe	77
PID 2088 wrote to memory of 4312	2088	cmd.exe	77
PID 2088 wrote to memory of 4312	2088	cmd.exe	77
PID 4312 wrote to memory of 3240	4312	Bin.exe	78
PID 4312 wrote to memory of 3240	4312	Bin.exe	78
PID 4312 wrote to memory of 3240	4312	Bin.exe	78
PID 4312 wrote to memory of 3240	4312	Bin.exe	78
PID 4312 wrote to memory of 3240	4312	Bin.exe	78
PID 4312 wrote to memory of 3240	4312	Bin.exe	78
PID 4312 wrote to memory of 3240	4312	Bin.exe	78
PID 4312 wrote to memory of 3240	4312	Bin.exe	78
PID 4312 wrote to memory of 3240	4312	Bin.exe	78
PID 4312 wrote to memory of 3240	4312	Bin.exe	78

C:\Users\Admin\AppData\Local\Temp\nahujtunnels.exe
"C:\Users\Admin\AppData\Local\Temp\nahujtunnels.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:596
- - C:\Factorio\Bin.exe
    "C:\Factorio\Bin.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Factorio\Bin.exe

Filesize
100KB

MD5
b413fee050bacbf831bc006f0414b6ca

SHA1
ef6aad6bc6443f73a991724355ed74d610b1409b

SHA256
6bda8394101554cfdc4f42dd2e5628f390fd09663571a8d080610aac270ff08b

SHA512
fe813018c1e4a57679c2a4c13e08025715b21ff6f247aab3406d1fc0dbe1d15d3069f13a39e4b3b0b6ad4e598cc71ab3ac990c9fccaf9eb94ec967172807850c

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
128B

MD5
3d4ed985141a1b6e13bfd6048ceed522

SHA1
e228d65c62b68bc7a25185a12c48ada0e1f23075

SHA256
607b36f26d1395f5459b1427ab993b9ec9e2c1ead7ca06ad4a074b6e3a2cd7e0

SHA512
2c1cec8c98b7b8be2627f19a9407ff83e60a893d3afb8300e37e4c9b67dabba4033b9d2d84657c91ccfffd4530a6ca263e9e66d9c9a8b114ad35f0713d7d19d0

Download Submit
memory/3240-9-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download