remcos | f80b66065daf4e2d61961bb966301e17231ab8ac033f4ece7c612d3a5b66dbbd

General

Target

64cd0c75e14d02b9f423ad2533306d10_NeikiAnalytics.exe
Size

1.4MB
MD5

64cd0c75e14d02b9f423ad2533306d10
SHA1

744ffa6d05ce494fbe61ddcc42e60c060e165217
SHA256

f80b66065daf4e2d61961bb966301e17231ab8ac033f4ece7c612d3a5b66dbbd
SHA512

fc69d92e63d50c3e079f4144f3a9b03d20c0c41256ad777ed460b3bca46ba5aa67dcc7cf8969f8758a06103569b975e8a90b3b2ac8b38bef36a32b82a82af82f
SSDEEP

24576:kD39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPjoY:kp7E+QrFUBgq21

Score

10^/10

remcos host persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

213.183.58.19:4000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
read.dat
keylog_flag
false
keylog_folder
CastC
keylog_path
%AppData%
mouse_option
false
mutex
remcos_sccafsoidz
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

64cd0c75e14d02b9f423ad2533306d10_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	64cd0c75e14d02b9f423ad2533306d10_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

Processes:

sbietrcl.exesbietrcl.exe

pid process

1928 sbietrcl.exe
4692 sbietrcl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1928	sbietrcl.exe
4692	sbietrcl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

64cd0c75e14d02b9f423ad2533306d10_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\sbietrcl.exe"	64cd0c75e14d02b9f423ad2533306d10_NeikiAnalytics.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

sbietrcl.exe

description pid process target process

PID 1928 set thread context of 4692 1928 sbietrcl.exe sbietrcl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 1928 set thread context of 4692	1928	sbietrcl.exe	sbietrcl.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

64cd0c75e14d02b9f423ad2533306d10_NeikiAnalytics.exesbietrcl.exe

pid	process
2964	64cd0c75e14d02b9f423ad2533306d10_NeikiAnalytics.exe
2964	64cd0c75e14d02b9f423ad2533306d10_NeikiAnalytics.exe
2964	64cd0c75e14d02b9f423ad2533306d10_NeikiAnalytics.exe
2964	64cd0c75e14d02b9f423ad2533306d10_NeikiAnalytics.exe
2964	64cd0c75e14d02b9f423ad2533306d10_NeikiAnalytics.exe
2964	64cd0c75e14d02b9f423ad2533306d10_NeikiAnalytics.exe
1928	sbietrcl.exe
1928	sbietrcl.exe
1928	sbietrcl.exe
1928	sbietrcl.exe
1928	sbietrcl.exe
1928	sbietrcl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

64cd0c75e14d02b9f423ad2533306d10_NeikiAnalytics.exesbietrcl.exe

description pid process

Token: SeDebugPrivilege 2964 64cd0c75e14d02b9f423ad2533306d10_NeikiAnalytics.exe
Token: SeDebugPrivilege 1928 sbietrcl.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

sbietrcl.exe

pid process

4692 sbietrcl.exe

description	pid	process
Token: SeDebugPrivilege	2964	64cd0c75e14d02b9f423ad2533306d10_NeikiAnalytics.exe
Token: SeDebugPrivilege	1928	sbietrcl.exe

pid	process
4692	sbietrcl.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

64cd0c75e14d02b9f423ad2533306d10_NeikiAnalytics.exesbietrcl.exe

description	pid	process	target process
PID 2964 wrote to memory of 1928	2964	64cd0c75e14d02b9f423ad2533306d10_NeikiAnalytics.exe	sbietrcl.exe
PID 2964 wrote to memory of 1928	2964	64cd0c75e14d02b9f423ad2533306d10_NeikiAnalytics.exe	sbietrcl.exe
PID 2964 wrote to memory of 1928	2964	64cd0c75e14d02b9f423ad2533306d10_NeikiAnalytics.exe	sbietrcl.exe
PID 1928 wrote to memory of 4692	1928	sbietrcl.exe	sbietrcl.exe
PID 1928 wrote to memory of 4692	1928	sbietrcl.exe	sbietrcl.exe
PID 1928 wrote to memory of 4692	1928	sbietrcl.exe	sbietrcl.exe
PID 1928 wrote to memory of 4692	1928	sbietrcl.exe	sbietrcl.exe
PID 1928 wrote to memory of 4692	1928	sbietrcl.exe	sbietrcl.exe
PID 1928 wrote to memory of 4692	1928	sbietrcl.exe	sbietrcl.exe
PID 1928 wrote to memory of 4692	1928	sbietrcl.exe	sbietrcl.exe
PID 1928 wrote to memory of 4692	1928	sbietrcl.exe	sbietrcl.exe
PID 1928 wrote to memory of 4692	1928	sbietrcl.exe	sbietrcl.exe

C:\Users\Admin\AppData\Local\Temp\64cd0c75e14d02b9f423ad2533306d10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\64cd0c75e14d02b9f423ad2533306d10_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

Filesize
1.4MB

MD5
ba5a76ae5d7cec78370a67321643968f

SHA1
b37f8c821742cef570ff91f5ab5d3ce94c3c8cab

SHA256
563f7420299fefc48303ee4775ec52e94c500cbcfa967a0b01cf10b6375e716f

SHA512
70b4d947968bf14ac71abdd59c9814f31cf0d93f6fa8878bb6bf4af54e75138073334075f3102080d2992d7741531c227221f9800effc81defc48b53a73fe600

Download Submit
memory/1928-30-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/1928-44-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/1928-32-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/1928-31-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/1928-29-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/2964-6-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/2964-28-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/2964-0-0x0000000074832000-0x0000000074833000-memory.dmp

Filesize
4KB

Download
memory/2964-5-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/2964-2-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/2964-1-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/4692-33-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4692-36-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4692-40-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4692-37-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4692-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4692-47-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads