remcos | 079d051b9169f0fad48d1a00b45acbac6da72589bec347eb86b3ba5471a504c0

General

Target

Customer Advisory - HS Code - Maersk Shipping/Customer Advisory - HS Code - Maersk Shipping.doc.exe
Size

1.3MB
MD5

a55159c7edc073d452e4fef92d247997
SHA1

d239b25b2a33a64134f11d2d2ac5c7a89e186a29
SHA256

61fc662a678c75e1f17ee6bb00ef853c6d51bd4ae90616c8ed4995c45e96206d
SHA512

5189f51ce0f90a71e86e53ea23d564d796536c45db8c8f4a11e75947bb4fc0d2489c83899e4a8e8b81504007ccad7a05dc8ac02b0d47a52ea565396a27c5e8b3
SSDEEP

24576:AP+g7Wy3xfMZKdcKtTjbJ4jEEEEEEEEEEEEEEEEEEEETKKKKKKKKKKKKKKKKKKK7:A/iy3g6TjbIEEEEEEEEEEEEEEEEEEEE+

Score

10^/10

remcos fmglobal collection persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

FmGlobal

C2

royaldachpharmacy.duckdns.org:6395

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
services.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-GRT17F
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/3560-44-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/3560-40-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/4352-49-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/4352-56-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5004-42-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/5004-48-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3560-44-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/5004-41-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3560-40-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/4352-49-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/4352-56-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Customer Advisory - HS Code - Maersk Shipping.doc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Customer Advisory - HS Code - Maersk Shipping.doc.exe

Executes dropped EXE 4 IoCs

Processes:

services.exeservices.exeservices.exeservices.exe

pid process

2600 services.exe
4352 services.exe
3560 services.exe
5004 services.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2600	services.exe
4352	services.exe
3560	services.exe
5004	services.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

services.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	services.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Customer Advisory - HS Code - Maersk Shipping.doc.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eoosrcxm = "C:\\Users\\Public\\Eoosrcxm.url"	Customer Advisory - HS Code - Maersk Shipping.doc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-GRT17F = "\"C:\\ProgramData\\Remcos\\services.exe\""	Customer Advisory - HS Code - Maersk Shipping.doc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-GRT17F = "\"C:\\ProgramData\\Remcos\\services.exe\""	Customer Advisory - HS Code - Maersk Shipping.doc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-GRT17F = "\"C:\\ProgramData\\Remcos\\services.exe\""	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-GRT17F = "\"C:\\ProgramData\\Remcos\\services.exe\""	services.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

services.exe

description	pid	process	target process
PID 2600 set thread context of 4352	2600	services.exe	services.exe
PID 2600 set thread context of 3560	2600	services.exe	services.exe
PID 2600 set thread context of 5004	2600	services.exe	services.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	48	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	50	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	37	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	40	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

services.exeservices.exe

pid process

5004 services.exe
5004 services.exe
4352 services.exe
4352 services.exe
4352 services.exe
4352 services.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

services.exe

pid process

2600 services.exe
2600 services.exe
2600 services.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

services.exe

description pid process

Token: SeDebugPrivilege 5004 services.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

services.exe

pid process

2600 services.exe

pid	process
5004	services.exe
5004	services.exe
4352	services.exe
4352	services.exe
4352	services.exe
4352	services.exe

pid	process
2600	services.exe
2600	services.exe
2600	services.exe

description	pid	process
Token: SeDebugPrivilege	5004	services.exe

pid	process
2600	services.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Customer Advisory - HS Code - Maersk Shipping.doc.exeservices.exe

description	pid	process	target process
PID 3032 wrote to memory of 3664	3032	Customer Advisory - HS Code - Maersk Shipping.doc.exe	extrac32.exe
PID 3032 wrote to memory of 3664	3032	Customer Advisory - HS Code - Maersk Shipping.doc.exe	extrac32.exe
PID 3032 wrote to memory of 3664	3032	Customer Advisory - HS Code - Maersk Shipping.doc.exe	extrac32.exe
PID 3032 wrote to memory of 2600	3032	Customer Advisory - HS Code - Maersk Shipping.doc.exe	services.exe
PID 3032 wrote to memory of 2600	3032	Customer Advisory - HS Code - Maersk Shipping.doc.exe	services.exe
PID 3032 wrote to memory of 2600	3032	Customer Advisory - HS Code - Maersk Shipping.doc.exe	services.exe
PID 2600 wrote to memory of 4352	2600	services.exe	services.exe
PID 2600 wrote to memory of 4352	2600	services.exe	services.exe
PID 2600 wrote to memory of 4352	2600	services.exe	services.exe
PID 2600 wrote to memory of 3560	2600	services.exe	services.exe
PID 2600 wrote to memory of 3560	2600	services.exe	services.exe
PID 2600 wrote to memory of 3560	2600	services.exe	services.exe
PID 2600 wrote to memory of 5004	2600	services.exe	services.exe
PID 2600 wrote to memory of 5004	2600	services.exe	services.exe
PID 2600 wrote to memory of 5004	2600	services.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\Customer Advisory - HS Code - Maersk Shipping\Customer Advisory - HS Code - Maersk Shipping.doc.exe
"C:\Users\Admin\AppData\Local\Temp\Customer Advisory - HS Code - Maersk Shipping\Customer Advisory - HS Code - Maersk Shipping.doc.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\extrac32.exe
C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\Customer Advisory - HS Code - Maersk Shipping\Customer Advisory - HS Code - Maersk Shipping.doc.exe C:\\Users\\Public\\Libraries\\Eoosrcxm.PIF
2⤵
PID:3664

C:\ProgramData\Remcos\services.exe
"C:\ProgramData\Remcos\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2600

C:\ProgramData\Remcos\services.exe
C:\ProgramData\Remcos\services.exe /stext "C:\Users\Admin\AppData\Local\Temp\yonqtuxmejcuyhqiggn"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4352

C:\ProgramData\Remcos\services.exe
C:\ProgramData\Remcos\services.exe /stext "C:\Users\Admin\AppData\Local\Temp\iqsiumifsruzinemxqawbt"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:3560

C:\ProgramData\Remcos\services.exe
C:\ProgramData\Remcos\services.exe /stext "C:\Users\Admin\AppData\Local\Temp\klybveshgzmelbaqgbvymglvl"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\logs.dat
Filesize
144B

MD5
3bd4d7d73192c86dfe83a2f73210a959

SHA1
e4178e8f3a4c7dd5c20b84ce9c68d0aa4a704a7a

SHA256
4f8ce4b6851781b284c86141704611ce0bdf6282265dad557f0bb1356f5cf69e

SHA512
ea3d623290ccd9b63c202c3728a7763c85083909c9c7d695bdaf402e8ba9977a202808891f79323e149b023b1ab792288d606eb3f99461796bce68aa8002e61a

Download Submit
C:\ProgramData\Remcos\services.exe
Filesize
1.3MB

MD5
a55159c7edc073d452e4fef92d247997

SHA1
d239b25b2a33a64134f11d2d2ac5c7a89e186a29

SHA256
61fc662a678c75e1f17ee6bb00ef853c6d51bd4ae90616c8ed4995c45e96206d

SHA512
5189f51ce0f90a71e86e53ea23d564d796536c45db8c8f4a11e75947bb4fc0d2489c83899e4a8e8b81504007ccad7a05dc8ac02b0d47a52ea565396a27c5e8b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\yonqtuxmejcuyhqiggn
Filesize
4KB

MD5
a35b8711bea28d54fb7a350adceb3f76

SHA1
5872d7a95a74ec6de08194283027fcf2cdb96390

SHA256
a90449e696cb37fa289ab8dcd0888734c74d0b61273231a0ce0e93adfd2d8137

SHA512
d997e0ace25eff648f16395a4771402465b39fa059d3b0f36efbd743c691bf4308c58d5585e3aebc63c206d18d01edf46f14b0cb5cffe6f1d5bf9132d76d9210

Download Submit
memory/2600-62-0x0000000045F20000-0x0000000045F39000-memory.dmp

Filesize
100KB

Download
memory/2600-61-0x0000000045F20000-0x0000000045F39000-memory.dmp

Filesize
100KB

Download
memory/2600-15-0x000000002DB00000-0x000000002EB00000-memory.dmp

Filesize
16.0MB

Download
memory/2600-18-0x000000002DB00000-0x000000002EB00000-memory.dmp

Filesize
16.0MB

Download
memory/2600-19-0x000000002DB00000-0x000000002EB00000-memory.dmp

Filesize
16.0MB

Download
memory/2600-20-0x000000002DB00000-0x000000002EB00000-memory.dmp

Filesize
16.0MB

Download
memory/2600-21-0x000000002DB00000-0x000000002EB00000-memory.dmp

Filesize
16.0MB

Download
memory/2600-22-0x000000002DB00000-0x000000002EB00000-memory.dmp

Filesize
16.0MB

Download
memory/2600-106-0x000000002DB00000-0x000000002EB00000-memory.dmp

Filesize
16.0MB

Download
memory/2600-26-0x000000002DB00000-0x000000002EB00000-memory.dmp

Filesize
16.0MB

Download
memory/2600-84-0x000000002DB00000-0x000000002EB00000-memory.dmp

Filesize
16.0MB

Download
memory/2600-83-0x000000002DB00000-0x000000002EB00000-memory.dmp

Filesize
16.0MB

Download
memory/2600-73-0x000000002DB00000-0x000000002EB00000-memory.dmp

Filesize
16.0MB

Download
memory/2600-72-0x000000002DB00000-0x000000002EB00000-memory.dmp

Filesize
16.0MB

Download
memory/2600-63-0x000000002DB00000-0x000000002EB00000-memory.dmp

Filesize
16.0MB

Download
memory/2600-58-0x0000000045F20000-0x0000000045F39000-memory.dmp

Filesize
100KB

Download
memory/2600-14-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2600-13-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/2600-23-0x000000002DB00000-0x000000002EB00000-memory.dmp

Filesize
16.0MB

Download
memory/2600-105-0x000000002DB00000-0x000000002EB00000-memory.dmp

Filesize
16.0MB

Download
memory/3032-0-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/3032-1-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/3560-31-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3560-36-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3560-40-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3560-34-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3560-44-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4352-43-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4352-28-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4352-49-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4352-35-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4352-56-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5004-39-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5004-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5004-48-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5004-45-0x0000000000430000-0x00000000004F9000-memory.dmp

Filesize
804KB

Download
memory/5004-37-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5004-41-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads