remcos | 8a840c1ec9f198f8df3bfb5854cb229eb83fb854371d70165a4180f79f0b03e9

General

Target

19cc090a3bf272b75ae530b364ba2a40_NEIKI.exe
Size

1.4MB
MD5

19cc090a3bf272b75ae530b364ba2a40
SHA1

dd91ebd739a873b4547b26848e356c4435a71d59
SHA256

8a840c1ec9f198f8df3bfb5854cb229eb83fb854371d70165a4180f79f0b03e9
SHA512

b086fa38be4bfecba42da86f539bc28a39c2b0487b5d22f759f5cd6c1a150d069ee01dd2dd65805964f8b2afb58190b321d574d193c58de44f53a7a8ee556216
SSDEEP

24576:JAOcZ5p4SkOmHbzVzl2XVAmv1RiYd1XOI5dtNBVQ70M/iY:jPSkvl2FAmdRiYXOGXNjQ70MKY

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

toornavigator.sytes.net:19888

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
0101010101010101-LYMK6O
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 1 IoCs

pid	Process
1736	lcxbphe.exe

Loads dropped DLL 1 IoCs

pid	Process
1116	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1_32\\lcxbphe.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\1_32\\pskw.exe"	lcxbphe.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1736 set thread context of 1804	1736	lcxbphe.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 1116	2904	19cc090a3bf272b75ae530b364ba2a40_NEIKI.exe	28
PID 2904 wrote to memory of 1116	2904	19cc090a3bf272b75ae530b364ba2a40_NEIKI.exe	28
PID 2904 wrote to memory of 1116	2904	19cc090a3bf272b75ae530b364ba2a40_NEIKI.exe	28
PID 2904 wrote to memory of 1116	2904	19cc090a3bf272b75ae530b364ba2a40_NEIKI.exe	28
PID 1116 wrote to memory of 1736	1116	wscript.exe	29
PID 1116 wrote to memory of 1736	1116	wscript.exe	29
PID 1116 wrote to memory of 1736	1116	wscript.exe	29
PID 1116 wrote to memory of 1736	1116	wscript.exe	29
PID 1116 wrote to memory of 1736	1116	wscript.exe	29
PID 1116 wrote to memory of 1736	1116	wscript.exe	29
PID 1116 wrote to memory of 1736	1116	wscript.exe	29
PID 1736 wrote to memory of 1804	1736	lcxbphe.exe	30
PID 1736 wrote to memory of 1804	1736	lcxbphe.exe	30
PID 1736 wrote to memory of 1804	1736	lcxbphe.exe	30
PID 1736 wrote to memory of 1804	1736	lcxbphe.exe	30
PID 1736 wrote to memory of 1804	1736	lcxbphe.exe	30
PID 1736 wrote to memory of 1804	1736	lcxbphe.exe	30
PID 1736 wrote to memory of 1804	1736	lcxbphe.exe	30
PID 1736 wrote to memory of 1804	1736	lcxbphe.exe	30
PID 1736 wrote to memory of 1804	1736	lcxbphe.exe	30

C:\Users\Admin\AppData\Local\Temp\19cc090a3bf272b75ae530b364ba2a40_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\19cc090a3bf272b75ae530b364ba2a40_NEIKI.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\System32\wscript.exe" womltgeail-hgsw.bmp.vbe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Users\Admin\AppData\Local\Temp\1_32\lcxbphe.exe
    "C:\Users\Admin\AppData\Local\Temp\1_32\lcxbphe.exe" pskw.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1_32\lcxbphe.exe

Filesize
893KB

MD5
462a4f5990d051cf551df67b4f82dcba

SHA1
ec42cb631837242abfad659cf5719a0481b0216c

SHA256
deb713d152bb015a641d917ac466cbcd63d7cdf5e8781cfe7e26b676161d2f38

SHA512
96b1e3c8b2e6a857cc5675cf8944f4d3389526ff7407a2250c3fbb424761cf80c812d6dda0cf966d66df905edaa29cfe697f52e84da3f4d55a09f5839693baf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1_32\mtmxeeqs.emc

Filesize
938KB

MD5
ea4e57147ea1e825a72496ba1e921cf3

SHA1
5b193a92faf2c1ac84220c25fd46a97fb8823d03

SHA256
ba3a64f63fc1aa802fd65b5d8a13012e35b87828266a8c1861743902374de352

SHA512
cf9467d644636035b7ff7ca34df04b8a9b4d34ccdb7fee320a0a180fa1f62054cefca0a6f17c6933344f9edcaa8041b90c3ff0575a55600ce1ff0fab784d7c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\1_32\njtoembx.exe

Filesize
56KB

MD5
b0e10656523c515616947971a5268b41

SHA1
70db4460ccae00a17c92c67bd3d9df2aa1c98974

SHA256
bb488f94e33b85a86475c7eac31d3ddbf7533b41aa085dcd34b15b109a180a8e

SHA512
d788c98e1d812bdb222da3e825c02127ff2e80eaebcbbc850013d06524b402c219d633802d345a5835af2d02ae9f61de508161af5bd2e9107e89272567a96dbd

Download Submit
C:\Users\Admin\AppData\Local\temp\1_32\womltgeail-hgsw.bmp.vbe

Filesize
59KB

MD5
0cd0d8316d5d26919a46d0f1a3f692cb

SHA1
36fe1435a4d9de2ad73a50f2127fc0d87529c1b6

SHA256
6462ba009541f2f324479d779ecb7b8245248d8f479cea39c0670b21062c26c9

SHA512
01b2ebfedc65e0db46071022d2522d8e4c417b4fbdece27a3d141410171abb9481371ff83211fa70ad4a3d7f7ebffb10ea0b1807805fde873b420580024970de

Download Submit
memory/1804-147-0x0000000000360000-0x000000000090A000-memory.dmp

Filesize
5.7MB

Download
memory/1804-151-0x0000000000360000-0x000000000090A000-memory.dmp

Filesize
5.7MB

Download
memory/1804-152-0x0000000000360000-0x000000000090A000-memory.dmp

Filesize
5.7MB

Download
memory/1804-150-0x0000000000360000-0x000000000090A000-memory.dmp

Filesize
5.7MB

Download
memory/1804-149-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads