remcos | b53cdf78114b979193e33a4be762b9c01dc1bc76e09750edb47b0fefe55bcc47

General

Target

b6bec0853953bafc210ceeeec5787660_NeikiAnalytics.exe
Size

1.5MB
MD5

b6bec0853953bafc210ceeeec5787660
SHA1

cf4990f7c4bc28c178b52ec6d5d62a9de3e314ad
SHA256

b53cdf78114b979193e33a4be762b9c01dc1bc76e09750edb47b0fefe55bcc47
SHA512

df676ed5468815a46a5300980e889370d7b9927db917ce06d71b942c268e445067c70da5dcfdc9430d3430fca9f44a58ccfeb499f3d235787f8d85a005281c52
SSDEEP

24576:mD39v74lfGQrFUspugRNJI2DJ53J/J/L56+JJJ+R:mp7E+QrFUBgq2o

Score

10^/10

remcos host persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

213.183.58.19:4000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
read.dat
keylog_flag
false
keylog_folder
CastC
keylog_path
%AppData%
mouse_option
false
mutex
remcos_sccafsoidz
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

sbietrcl.exesbietrcl.exe

pid process

2624 sbietrcl.exe
2520 sbietrcl.exe
Loads dropped DLL 1 IoCs

Processes:

b6bec0853953bafc210ceeeec5787660_NeikiAnalytics.exe

pid process

2328 b6bec0853953bafc210ceeeec5787660_NeikiAnalytics.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2624	sbietrcl.exe
2520	sbietrcl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b6bec0853953bafc210ceeeec5787660_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\sbietrcl.exe"	b6bec0853953bafc210ceeeec5787660_NeikiAnalytics.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

sbietrcl.exe

description pid process target process

PID 2624 set thread context of 2520 2624 sbietrcl.exe sbietrcl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2624 set thread context of 2520	2624	sbietrcl.exe	sbietrcl.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

b6bec0853953bafc210ceeeec5787660_NeikiAnalytics.exesbietrcl.exe

pid	process
2328	b6bec0853953bafc210ceeeec5787660_NeikiAnalytics.exe
2328	b6bec0853953bafc210ceeeec5787660_NeikiAnalytics.exe
2328	b6bec0853953bafc210ceeeec5787660_NeikiAnalytics.exe
2328	b6bec0853953bafc210ceeeec5787660_NeikiAnalytics.exe
2328	b6bec0853953bafc210ceeeec5787660_NeikiAnalytics.exe
2328	b6bec0853953bafc210ceeeec5787660_NeikiAnalytics.exe
2624	sbietrcl.exe
2624	sbietrcl.exe
2624	sbietrcl.exe
2624	sbietrcl.exe
2624	sbietrcl.exe
2624	sbietrcl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b6bec0853953bafc210ceeeec5787660_NeikiAnalytics.exesbietrcl.exe

description pid process

Token: SeDebugPrivilege 2328 b6bec0853953bafc210ceeeec5787660_NeikiAnalytics.exe
Token: SeDebugPrivilege 2624 sbietrcl.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

sbietrcl.exe

pid process

2520 sbietrcl.exe

description	pid	process
Token: SeDebugPrivilege	2328	b6bec0853953bafc210ceeeec5787660_NeikiAnalytics.exe
Token: SeDebugPrivilege	2624	sbietrcl.exe

pid	process
2520	sbietrcl.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

b6bec0853953bafc210ceeeec5787660_NeikiAnalytics.exesbietrcl.exe

description	pid	process	target process
PID 2328 wrote to memory of 2624	2328	b6bec0853953bafc210ceeeec5787660_NeikiAnalytics.exe	sbietrcl.exe
PID 2328 wrote to memory of 2624	2328	b6bec0853953bafc210ceeeec5787660_NeikiAnalytics.exe	sbietrcl.exe
PID 2328 wrote to memory of 2624	2328	b6bec0853953bafc210ceeeec5787660_NeikiAnalytics.exe	sbietrcl.exe
PID 2328 wrote to memory of 2624	2328	b6bec0853953bafc210ceeeec5787660_NeikiAnalytics.exe	sbietrcl.exe
PID 2624 wrote to memory of 2520	2624	sbietrcl.exe	sbietrcl.exe
PID 2624 wrote to memory of 2520	2624	sbietrcl.exe	sbietrcl.exe
PID 2624 wrote to memory of 2520	2624	sbietrcl.exe	sbietrcl.exe
PID 2624 wrote to memory of 2520	2624	sbietrcl.exe	sbietrcl.exe
PID 2624 wrote to memory of 2520	2624	sbietrcl.exe	sbietrcl.exe
PID 2624 wrote to memory of 2520	2624	sbietrcl.exe	sbietrcl.exe
PID 2624 wrote to memory of 2520	2624	sbietrcl.exe	sbietrcl.exe
PID 2624 wrote to memory of 2520	2624	sbietrcl.exe	sbietrcl.exe
PID 2624 wrote to memory of 2520	2624	sbietrcl.exe	sbietrcl.exe
PID 2624 wrote to memory of 2520	2624	sbietrcl.exe	sbietrcl.exe

C:\Users\Admin\AppData\Local\Temp\b6bec0853953bafc210ceeeec5787660_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b6bec0853953bafc210ceeeec5787660_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
340e1a60549192fe0ef003e2648464bd

SHA1
d40f01f6a3ebc9a86233b93a10cb7b1b5b87c228

SHA256
16a0f24187f48feec03ac5ada58d9c870e252132a6951519aa9e8a40ab51ee88

SHA512
cdeec9382d7cacf8749b55db0590099110c7487a35e3032af02a5a389185c780c419b5daf763a576520c2434b03e2d129fcb59d6d7ebac7ccbde215990007782

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2D86.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

Filesize
1.5MB

MD5
7034f22b5147c718dadbe52b241de456

SHA1
11d5408bc29332fccc9e48d3aa86fb71318d1a97

SHA256
3023089bf08bb6900a4843fc90b9787a4a998630d08407f4b540a474668fafa0

SHA512
a346e885807292785f1f360270b7a4e4c1495bba2d8f55bb782f5610c359bb7a693effaa6592760ff9bffae8153cecae9501bfc5d9d8283656180b6c4ab31595

Download Submit
memory/2328-1-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2328-11-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2328-12-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2328-0-0x00000000742E1000-0x00000000742E2000-memory.dmp

Filesize
4KB

Download
memory/2328-30-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2520-65-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2520-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2520-68-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2520-43-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2520-47-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2520-55-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2520-51-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2520-49-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2520-45-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2520-53-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2520-58-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2520-64-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2520-59-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2624-63-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2624-32-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2624-31-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2624-42-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2624-41-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads