remcos | cb28d8c9ef455ae65866e284f85b86f5c10da18de7ad2ada6a9510b58517c386

General

Target

cb28d8c9ef455ae65866e284f85b86f5c10da18de7ad2ada6a9510b58517c386.exe
Size

135KB
MD5

16093aa035a9e340a9b8584fdd33cd3a
SHA1

778f72191c632cdeff09a7f31cfdd91c1517e312
SHA256

cb28d8c9ef455ae65866e284f85b86f5c10da18de7ad2ada6a9510b58517c386
SHA512

dfb0e34fb4ba1c5e94e717f7174712661c6ff3d19d77a4d5229b8c402f614619114c622b3c6298802c1cfb260cb31533263dd37696ed211531b671bdb4cdbdbf
SSDEEP

1536:ITHiPBX4nDzMyRXGHrc9YRHqbTypgpmb5Q+ZReSdhk/J+YLgD3mrxb53cSuYQjKS:xPd4n/M+WLcilrpgGH/GwY87mVmIXi

Score

10^/10

remcos host persistence rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

systemcontrol.ddns.net:45000

systemcontrol2.ddns.net:45000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
OfficeUpgrade.exe
copy_folder
OfficeUpgrade
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
Upgrader.dat
keylog_flag
false
keylog_folder
Upgrader
keylog_path
%AppData%
mouse_option
false
mutex
req_khauflaoyr
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
OfficeUpgrade
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

detects Windows exceutables potentially bypassing UAC using eventvwr.exe 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2484-29-0x0000000000400000-0x0000000000417000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
behavioral1/memory/2484-26-0x0000000000400000-0x0000000000417000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
behavioral1/memory/2484-23-0x0000000000400000-0x0000000000417000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
behavioral1/memory/2484-35-0x0000000000400000-0x0000000000417000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
behavioral1/memory/2484-36-0x0000000000400000-0x0000000000417000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
behavioral1/memory/2484-38-0x0000000000400000-0x0000000000417000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
behavioral1/memory/2484-39-0x0000000000400000-0x0000000000417000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
behavioral1/memory/2484-43-0x0000000000400000-0x0000000000417000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer

Executes dropped EXE 2 IoCs

Processes:

wn2ra4ohzdr.exewn2ra4ohzdr.exe

pid process

2596 wn2ra4ohzdr.exe
2484 wn2ra4ohzdr.exe
Loads dropped DLL 1 IoCs

Processes:

cb28d8c9ef455ae65866e284f85b86f5c10da18de7ad2ada6a9510b58517c386.exe

pid process

2008 cb28d8c9ef455ae65866e284f85b86f5c10da18de7ad2ada6a9510b58517c386.exe

pid	process
2596	wn2ra4ohzdr.exe
2484	wn2ra4ohzdr.exe

pid	process
2008	cb28d8c9ef455ae65866e284f85b86f5c10da18de7ad2ada6a9510b58517c386.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cb28d8c9ef455ae65866e284f85b86f5c10da18de7ad2ada6a9510b58517c386.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\raj4dkhhiap = "C:\\Users\\Admin\\AppData\\Roaming\\raj4dkhhiap\\wn2ra4ohzdr.exe"	cb28d8c9ef455ae65866e284f85b86f5c10da18de7ad2ada6a9510b58517c386.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wn2ra4ohzdr.exe

description pid process target process

PID 2596 set thread context of 2484 2596 wn2ra4ohzdr.exe wn2ra4ohzdr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wn2ra4ohzdr.exe

pid process

2484 wn2ra4ohzdr.exe

description	pid	process	target process
PID 2596 set thread context of 2484	2596	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe

pid	process
2484	wn2ra4ohzdr.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

cb28d8c9ef455ae65866e284f85b86f5c10da18de7ad2ada6a9510b58517c386.exewn2ra4ohzdr.exe

description	pid	process	target process
PID 2008 wrote to memory of 2596	2008	cb28d8c9ef455ae65866e284f85b86f5c10da18de7ad2ada6a9510b58517c386.exe	wn2ra4ohzdr.exe
PID 2008 wrote to memory of 2596	2008	cb28d8c9ef455ae65866e284f85b86f5c10da18de7ad2ada6a9510b58517c386.exe	wn2ra4ohzdr.exe
PID 2008 wrote to memory of 2596	2008	cb28d8c9ef455ae65866e284f85b86f5c10da18de7ad2ada6a9510b58517c386.exe	wn2ra4ohzdr.exe
PID 2008 wrote to memory of 2596	2008	cb28d8c9ef455ae65866e284f85b86f5c10da18de7ad2ada6a9510b58517c386.exe	wn2ra4ohzdr.exe
PID 2596 wrote to memory of 2484	2596	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2596 wrote to memory of 2484	2596	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2596 wrote to memory of 2484	2596	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2596 wrote to memory of 2484	2596	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2596 wrote to memory of 2484	2596	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2596 wrote to memory of 2484	2596	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2596 wrote to memory of 2484	2596	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2596 wrote to memory of 2484	2596	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2596 wrote to memory of 2484	2596	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2596 wrote to memory of 2484	2596	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe

C:\Users\Admin\AppData\Local\Temp\cb28d8c9ef455ae65866e284f85b86f5c10da18de7ad2ada6a9510b58517c386.exe
"C:\Users\Admin\AppData\Local\Temp\cb28d8c9ef455ae65866e284f85b86f5c10da18de7ad2ada6a9510b58517c386.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
"C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2596

C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
"C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2484

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
Filesize
135KB

MD5
183929b14dfba2ffeb9ac095b4f3f9da

SHA1
3d93294a9425ca6b4e08105c4eb8b2e15df744d3

SHA256
b634a5ba160d782858108a17575c6c0b606a10a2a65c5ece4f66194d0da54998

SHA512
c3a7cd9f201f0687b9fd876927bc3f5cf2cc9d2b05a77b10355afd2a240b916ea6fde04b2a7e4ec6079c23b578372984c9977cdccbdeae82f83c636e07640688

Download Submit
memory/2008-0-0x0000000000B10000-0x0000000000B38000-memory.dmp

Filesize
160KB

Download
memory/2008-1-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2008-2-0x0000000004F30000-0x0000000004F70000-memory.dmp

Filesize
256KB

Download
memory/2008-3-0x0000000000510000-0x0000000000530000-memory.dmp

Filesize
128KB

Download
memory/2008-13-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2484-29-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2484-35-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2484-43-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2484-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2484-39-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2484-26-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2484-23-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2484-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2484-18-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2484-16-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2484-38-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2484-36-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2596-14-0x00000000008F0000-0x0000000000918000-memory.dmp

Filesize
160KB

Download
memory/2596-12-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2596-42-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2596-15-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads