remcos | bd7c06c6abb5fffe264a20b08aca73e7da11f2450cc8b9ecc63591d41ef83ccc

General

Target

4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe
Size

1.3MB
MD5

4aebbec0edebbe61d2245514793ab647
SHA1

cba8ca7e8f7d1160dd041de408375fe72f6e4edb
SHA256

bd7c06c6abb5fffe264a20b08aca73e7da11f2450cc8b9ecc63591d41ef83ccc
SHA512

b1e2a1a1e71c57a0b84ea9f22ecd373b5fdfc2f4bc76ed9a94bdea56d58353cc1ac6e63d91313b9515edf468a99468e6f9b483f0e8fc65766e30af35b9a46c63
SSDEEP

24576:39UKkwSAggCSmwqiv7ltfjoHR/k+rXfaEKP7CHx9tCmONcmNdc:t8w9rCHX2l18HR/nrvaN7gfgg9

Score

10^/10

remcos zgrat remotehost rat spyware stealer

Malware Config

Extracted

Family

remcos

Version

3.3.0 Pro

Botnet

RemoteHost

C2

cacgroups.hopto.org:3927

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-ANIYHH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2384-2-0x00000000010E0000-0x0000000001228000-memory.dmp	family_zgrat_v1

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Executes dropped EXE 1 IoCs

Processes:

RegAsm.exe

pid process

2704 RegAsm.exe
Loads dropped DLL 2 IoCs

Processes:

4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exeRegAsm.exe

pid process

2384 4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe
2704 RegAsm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe

description pid process target process

PID 2384 set thread context of 2704 2384 4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe RegAsm.exe

pid	process
2704	RegAsm.exe

description	pid	process	target process
PID 2384 set thread context of 2704	2384	4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe

pid	process
2384	4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe
2384	4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe
2384	4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2384 4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

2704 RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2384	4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe

pid	process
2704	RegAsm.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe

description	pid	process	target process
PID 2384 wrote to memory of 2704	2384	4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe	RegAsm.exe
PID 2384 wrote to memory of 2704	2384	4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe	RegAsm.exe
PID 2384 wrote to memory of 2704	2384	4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe	RegAsm.exe
PID 2384 wrote to memory of 2704	2384	4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe	RegAsm.exe
PID 2384 wrote to memory of 2704	2384	4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe	RegAsm.exe
PID 2384 wrote to memory of 2704	2384	4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe	RegAsm.exe
PID 2384 wrote to memory of 2704	2384	4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe	RegAsm.exe
PID 2384 wrote to memory of 2704	2384	4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe	RegAsm.exe
PID 2384 wrote to memory of 2704	2384	4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe	RegAsm.exe
PID 2384 wrote to memory of 2704	2384	4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe	RegAsm.exe
PID 2384 wrote to memory of 2704	2384	4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe	RegAsm.exe
PID 2384 wrote to memory of 2704	2384	4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe	RegAsm.exe
PID 2384 wrote to memory of 2704	2384	4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe	RegAsm.exe
PID 2384 wrote to memory of 2704	2384	4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe	RegAsm.exe
PID 2384 wrote to memory of 2704	2384	4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe	RegAsm.exe
PID 2384 wrote to memory of 2704	2384	4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4aebbec0edebbe61d2245514793ab647_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\remcos\logs.dat

Filesize
534B

MD5
dc7853dc2f9fbed6647df1c39817ef03

SHA1
2b845deee5f0489a9623503e5edf9fb36cb49074

SHA256
9f64e23ff868a3a69387e9b035a38b48106384e4eab81e2af845baa855ceb625

SHA512
5abdfed9bdb41e70bcf6803147bc528ade90b787de336e7409f200be50f1479058c367e89cf48a0e9340ee54786d4b9dca82c8c5a1aa11c5f4412601f128263a

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/2384-32-0x0000000073FC0000-0x00000000746AE000-memory.dmp

Filesize
6.9MB

Download
memory/2384-1-0x0000000073FC0000-0x00000000746AE000-memory.dmp

Filesize
6.9MB

Download
memory/2384-5-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/2384-6-0x0000000000BA0000-0x0000000000BF0000-memory.dmp

Filesize
320KB

Download
memory/2384-2-0x00000000010E0000-0x0000000001228000-memory.dmp

Filesize
1.3MB

Download
memory/2384-0-0x0000000001250000-0x00000000013A8000-memory.dmp

Filesize
1.3MB

Download
memory/2384-3-0x0000000073FC0000-0x00000000746AE000-memory.dmp

Filesize
6.9MB

Download
memory/2704-12-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2704-10-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2704-18-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2704-14-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2704-42-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2704-28-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2704-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2704-24-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2704-31-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2704-16-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2704-36-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2704-37-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2704-39-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2704-41-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2704-22-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2704-48-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2704-20-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads