remcos | 46ca358d9fe7108e4a8a3b7973d11dee25eaacfb2fad3af178b9c3ff9e27e1a1

General

Target

46ca358d9fe7108e4a8a3b7973d11dee25eaacfb2fad3af178b9c3ff9e27e1a1_NeikiAnalytics.exe
Size

1.4MB
MD5

fce3b3f12a6c86d94fdce2ebd141a580
SHA1

8d382f3f7232afcac714b6abbc754f333d745ce5
SHA256

46ca358d9fe7108e4a8a3b7973d11dee25eaacfb2fad3af178b9c3ff9e27e1a1
SHA512

618c68713e9d2e90315906a4205823e51d2e7e4fba2ec00488e37551a4a4c71cbe99a0d1d9c603fdf4e0dd4c49bcf249d67fbeb22d5e7d669de009d1fa2f8187
SSDEEP

24576:zD39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPjoD:zp7E+QrFUBgq2W

Score

10^/10

remcos host persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

213.183.58.19:4000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
read.dat
keylog_flag
false
keylog_folder
CastC
keylog_path
%AppData%
mouse_option
false
mutex
remcos_sccafsoidz
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

sbietrcl.exesbietrcl.exe

pid process

2704 sbietrcl.exe
2432 sbietrcl.exe
Loads dropped DLL 1 IoCs

Processes:

46ca358d9fe7108e4a8a3b7973d11dee25eaacfb2fad3af178b9c3ff9e27e1a1_NeikiAnalytics.exe

pid process

2400 46ca358d9fe7108e4a8a3b7973d11dee25eaacfb2fad3af178b9c3ff9e27e1a1_NeikiAnalytics.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2704	sbietrcl.exe
2432	sbietrcl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

46ca358d9fe7108e4a8a3b7973d11dee25eaacfb2fad3af178b9c3ff9e27e1a1_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\sbietrcl.exe"	46ca358d9fe7108e4a8a3b7973d11dee25eaacfb2fad3af178b9c3ff9e27e1a1_NeikiAnalytics.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

sbietrcl.exe

description pid process target process

PID 2704 set thread context of 2432 2704 sbietrcl.exe sbietrcl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2704 set thread context of 2432	2704	sbietrcl.exe	sbietrcl.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

46ca358d9fe7108e4a8a3b7973d11dee25eaacfb2fad3af178b9c3ff9e27e1a1_NeikiAnalytics.exesbietrcl.exe

pid	process
2400	46ca358d9fe7108e4a8a3b7973d11dee25eaacfb2fad3af178b9c3ff9e27e1a1_NeikiAnalytics.exe
2400	46ca358d9fe7108e4a8a3b7973d11dee25eaacfb2fad3af178b9c3ff9e27e1a1_NeikiAnalytics.exe
2400	46ca358d9fe7108e4a8a3b7973d11dee25eaacfb2fad3af178b9c3ff9e27e1a1_NeikiAnalytics.exe
2400	46ca358d9fe7108e4a8a3b7973d11dee25eaacfb2fad3af178b9c3ff9e27e1a1_NeikiAnalytics.exe
2400	46ca358d9fe7108e4a8a3b7973d11dee25eaacfb2fad3af178b9c3ff9e27e1a1_NeikiAnalytics.exe
2400	46ca358d9fe7108e4a8a3b7973d11dee25eaacfb2fad3af178b9c3ff9e27e1a1_NeikiAnalytics.exe
2704	sbietrcl.exe
2704	sbietrcl.exe
2704	sbietrcl.exe
2704	sbietrcl.exe
2704	sbietrcl.exe
2704	sbietrcl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

46ca358d9fe7108e4a8a3b7973d11dee25eaacfb2fad3af178b9c3ff9e27e1a1_NeikiAnalytics.exesbietrcl.exe

description	pid	process
Token: SeDebugPrivilege	2400	46ca358d9fe7108e4a8a3b7973d11dee25eaacfb2fad3af178b9c3ff9e27e1a1_NeikiAnalytics.exe
Token: SeDebugPrivilege	2704	sbietrcl.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

sbietrcl.exe

pid process

2432 sbietrcl.exe

pid	process
2432	sbietrcl.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

46ca358d9fe7108e4a8a3b7973d11dee25eaacfb2fad3af178b9c3ff9e27e1a1_NeikiAnalytics.exesbietrcl.exe

description	pid	process	target process
PID 2400 wrote to memory of 2704	2400	46ca358d9fe7108e4a8a3b7973d11dee25eaacfb2fad3af178b9c3ff9e27e1a1_NeikiAnalytics.exe	sbietrcl.exe
PID 2400 wrote to memory of 2704	2400	46ca358d9fe7108e4a8a3b7973d11dee25eaacfb2fad3af178b9c3ff9e27e1a1_NeikiAnalytics.exe	sbietrcl.exe
PID 2400 wrote to memory of 2704	2400	46ca358d9fe7108e4a8a3b7973d11dee25eaacfb2fad3af178b9c3ff9e27e1a1_NeikiAnalytics.exe	sbietrcl.exe
PID 2400 wrote to memory of 2704	2400	46ca358d9fe7108e4a8a3b7973d11dee25eaacfb2fad3af178b9c3ff9e27e1a1_NeikiAnalytics.exe	sbietrcl.exe
PID 2704 wrote to memory of 2432	2704	sbietrcl.exe	sbietrcl.exe
PID 2704 wrote to memory of 2432	2704	sbietrcl.exe	sbietrcl.exe
PID 2704 wrote to memory of 2432	2704	sbietrcl.exe	sbietrcl.exe
PID 2704 wrote to memory of 2432	2704	sbietrcl.exe	sbietrcl.exe
PID 2704 wrote to memory of 2432	2704	sbietrcl.exe	sbietrcl.exe
PID 2704 wrote to memory of 2432	2704	sbietrcl.exe	sbietrcl.exe
PID 2704 wrote to memory of 2432	2704	sbietrcl.exe	sbietrcl.exe
PID 2704 wrote to memory of 2432	2704	sbietrcl.exe	sbietrcl.exe
PID 2704 wrote to memory of 2432	2704	sbietrcl.exe	sbietrcl.exe
PID 2704 wrote to memory of 2432	2704	sbietrcl.exe	sbietrcl.exe

C:\Users\Admin\AppData\Local\Temp\46ca358d9fe7108e4a8a3b7973d11dee25eaacfb2fad3af178b9c3ff9e27e1a1_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\46ca358d9fe7108e4a8a3b7973d11dee25eaacfb2fad3af178b9c3ff9e27e1a1_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
81e1012831c37b854e2cdb242ef9b2ed

SHA1
312e6fd83bd9213b525690ccea16a77287a33d04

SHA256
91c714f41d9466c6202732a2c84236c02122e395aaf475a55240272ce8c748ad

SHA512
efe67b9fbebca3cacd1f6edf651596adc72df61e5b88435dd3b14b049798c834103a4b6b9a510fdf485901577496acc6aff386092316b06e469390bc13eacd0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab450C.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

Filesize
1.4MB

MD5
27b9f3719bb5152efbfb831f803c31b2

SHA1
b47267f6d09292e3aa9eaeae2ff648ff3acc20e6

SHA256
3971f971208e3fc732f96f7578201e00b388a3767297fcb2de7811ff72414626

SHA512
2b16a743c4e7a8bd55c8f7cf47b1a1cf33bc6306fa34739e89b6ce23ba5f7a47d90b0855e8a3d0fa32ad891879246fcb09aa7a23eea4d8cff2cae8ca5c3f58a9

Download Submit
memory/2400-1-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download
memory/2400-11-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download
memory/2400-12-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download
memory/2400-30-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download
memory/2400-0-0x0000000074DA1000-0x0000000074DA2000-memory.dmp

Filesize
4KB

Download
memory/2432-44-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2432-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2432-66-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2432-48-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2432-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2432-56-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2432-53-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2432-63-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2432-49-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2432-46-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2432-57-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2432-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2704-62-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-31-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-40-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-41-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads