remcos | de735e333804dc362f671cd6b1baf5e2420f15b8c0fdf00aa444f29f8f1a5964

General

Target

Adro_ Documents.exe
Size

1.1MB
MD5

20f44cb3924e82e542ad4f61bb324f95
SHA1

45ab21418d6347345e30eaf1fa92016b5eaa2ebe
SHA256

de735e333804dc362f671cd6b1baf5e2420f15b8c0fdf00aa444f29f8f1a5964
SHA512

fe6202bec77a6c1fc4a3e3443c87d8be82770ec0a1441682378cae17d12f01a010bb0252e28598c1d3def04f8f28f71cf5f2c08a278af0afd48426d374ac30a8
SSDEEP

24576:CA0ReRHP4+ngiPzZPQgBt9o/1bIhTmOLa:CUd+gBWbIhaOW

Score

10^/10

remcos kc file persistence rat

Malware Config

Extracted

Family

remcos

Botnet

kc FILE

C2

91.223.3.151:4508

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-6ZM3S3
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

vbgxdxoK.pif

pid process

4184 vbgxdxoK.pif

pid	process
4184	vbgxdxoK.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Adro_ Documents.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Koxdxgbv = "C:\\Users\\Public\\Koxdxgbv.url"	Adro_ Documents.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Adro_ Documents.exe

description pid process target process

PID 3884 set thread context of 4184 3884 Adro_ Documents.exe vbgxdxoK.pif

description	pid	process	target process
PID 3884 set thread context of 4184	3884	Adro_ Documents.exe	vbgxdxoK.pif

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	29	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	34	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbgxdxoK.pif

pid process

4184 vbgxdxoK.pif

pid	process
4184	vbgxdxoK.pif

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Adro_ Documents.exe

description	pid	process	target process
PID 3884 wrote to memory of 2324	3884	Adro_ Documents.exe	extrac32.exe
PID 3884 wrote to memory of 2324	3884	Adro_ Documents.exe	extrac32.exe
PID 3884 wrote to memory of 2324	3884	Adro_ Documents.exe	extrac32.exe
PID 3884 wrote to memory of 4184	3884	Adro_ Documents.exe	vbgxdxoK.pif
PID 3884 wrote to memory of 4184	3884	Adro_ Documents.exe	vbgxdxoK.pif
PID 3884 wrote to memory of 4184	3884	Adro_ Documents.exe	vbgxdxoK.pif
PID 3884 wrote to memory of 4184	3884	Adro_ Documents.exe	vbgxdxoK.pif
PID 3884 wrote to memory of 4184	3884	Adro_ Documents.exe	vbgxdxoK.pif

C:\Users\Admin\AppData\Local\Temp\Adro_ Documents.exe
"C:\Users\Admin\AppData\Local\Temp\Adro_ Documents.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3884

C:\Windows\SysWOW64\extrac32.exe
C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\Adro_ Documents.exe C:\\Users\\Public\\Libraries\\Koxdxgbv.PIF
2⤵
PID:2324

C:\Users\Public\Libraries\vbgxdxoK.pif
C:\Users\Public\Libraries\vbgxdxoK.pif
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4184

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
e1614eb6a1bbbf1bb5ece34273f9ea91

SHA1
21fe9f3925acc0fe9ae651e21ebb523f4e43ac47

SHA256
b76aa605f0d44c5182ea5770d968428580cacfb2d448b3e23c8222db2d324c3f

SHA512
7e52f9f4c37d5b81a077bdb2185cf339e77e3f808d4a28752c40dfbfa129df3a36a731edb7b0b7dd448f10f67a670b932e22474bb5867762c5f4d306814d4d55

Download Submit
C:\Users\Public\Libraries\vbgxdxoK.pif
Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
memory/3884-1-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/3884-0-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/4184-31-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4184-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4184-12-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4184-15-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4184-16-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4184-17-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4184-18-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4184-19-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4184-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4184-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4184-10-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4184-30-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4184-5-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4184-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4184-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4184-8-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4184-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4184-43-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4184-42-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4184-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4184-49-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4184-53-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4184-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4184-52-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4184-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4184-60-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4184-63-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4184-64-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4184-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4184-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads