remcos | 3b6154ebe6f99baa90e7c7c2a73d47898eed72d548b90b32b916eca4f0c830fe

General

Target

639cfdfbff010fd8867a0511ee819750_NeikiAnalytics.exe
Size

1.4MB
MD5

639cfdfbff010fd8867a0511ee819750
SHA1

73d6e2c9c605eafb3ee260c047a83d69622a2c6a
SHA256

3b6154ebe6f99baa90e7c7c2a73d47898eed72d548b90b32b916eca4f0c830fe
SHA512

4541e3080e31e108d3027042b93e2b4d3facbbc83a088c07dd479dc2e6fd54ce282601755ce6bdd388e7f858f945170aa2fabf0b0d60636a01550b634b3c0bd4
SSDEEP

24576:BD39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPjoA:Bp7E+QrFUBgq29

Score

10^/10

remcos host persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Host

C2

213.183.58.19:4000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
read.dat
keylog_flag
false
keylog_folder
CastC
keylog_path
%AppData%
mouse_option
false
mutex
remcos_sccafsoidz
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

sbietrcl.exesbietrcl.exe

pid process

2728 sbietrcl.exe
2200 sbietrcl.exe
Loads dropped DLL 1 IoCs

Processes:

639cfdfbff010fd8867a0511ee819750_NeikiAnalytics.exe

pid process

1548 639cfdfbff010fd8867a0511ee819750_NeikiAnalytics.exe

pid	process
2728	sbietrcl.exe
2200	sbietrcl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

639cfdfbff010fd8867a0511ee819750_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\sbietrcl.exe"	639cfdfbff010fd8867a0511ee819750_NeikiAnalytics.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

sbietrcl.exe

description pid process target process

PID 2728 set thread context of 2200 2728 sbietrcl.exe sbietrcl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2728 set thread context of 2200	2728	sbietrcl.exe	sbietrcl.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

639cfdfbff010fd8867a0511ee819750_NeikiAnalytics.exesbietrcl.exe

pid	process
1548	639cfdfbff010fd8867a0511ee819750_NeikiAnalytics.exe
1548	639cfdfbff010fd8867a0511ee819750_NeikiAnalytics.exe
1548	639cfdfbff010fd8867a0511ee819750_NeikiAnalytics.exe
1548	639cfdfbff010fd8867a0511ee819750_NeikiAnalytics.exe
1548	639cfdfbff010fd8867a0511ee819750_NeikiAnalytics.exe
1548	639cfdfbff010fd8867a0511ee819750_NeikiAnalytics.exe
2728	sbietrcl.exe
2728	sbietrcl.exe
2728	sbietrcl.exe
2728	sbietrcl.exe
2728	sbietrcl.exe
2728	sbietrcl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

639cfdfbff010fd8867a0511ee819750_NeikiAnalytics.exesbietrcl.exe

description pid process

Token: SeDebugPrivilege 1548 639cfdfbff010fd8867a0511ee819750_NeikiAnalytics.exe
Token: SeDebugPrivilege 2728 sbietrcl.exe

description	pid	process
Token: SeDebugPrivilege	1548	639cfdfbff010fd8867a0511ee819750_NeikiAnalytics.exe
Token: SeDebugPrivilege	2728	sbietrcl.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

639cfdfbff010fd8867a0511ee819750_NeikiAnalytics.exesbietrcl.exe

description	pid	process	target process
PID 1548 wrote to memory of 2728	1548	639cfdfbff010fd8867a0511ee819750_NeikiAnalytics.exe	sbietrcl.exe
PID 1548 wrote to memory of 2728	1548	639cfdfbff010fd8867a0511ee819750_NeikiAnalytics.exe	sbietrcl.exe
PID 1548 wrote to memory of 2728	1548	639cfdfbff010fd8867a0511ee819750_NeikiAnalytics.exe	sbietrcl.exe
PID 1548 wrote to memory of 2728	1548	639cfdfbff010fd8867a0511ee819750_NeikiAnalytics.exe	sbietrcl.exe
PID 2728 wrote to memory of 2200	2728	sbietrcl.exe	sbietrcl.exe
PID 2728 wrote to memory of 2200	2728	sbietrcl.exe	sbietrcl.exe
PID 2728 wrote to memory of 2200	2728	sbietrcl.exe	sbietrcl.exe
PID 2728 wrote to memory of 2200	2728	sbietrcl.exe	sbietrcl.exe
PID 2728 wrote to memory of 2200	2728	sbietrcl.exe	sbietrcl.exe
PID 2728 wrote to memory of 2200	2728	sbietrcl.exe	sbietrcl.exe
PID 2728 wrote to memory of 2200	2728	sbietrcl.exe	sbietrcl.exe
PID 2728 wrote to memory of 2200	2728	sbietrcl.exe	sbietrcl.exe
PID 2728 wrote to memory of 2200	2728	sbietrcl.exe	sbietrcl.exe
PID 2728 wrote to memory of 2200	2728	sbietrcl.exe	sbietrcl.exe

C:\Users\Admin\AppData\Local\Temp\639cfdfbff010fd8867a0511ee819750_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\639cfdfbff010fd8867a0511ee819750_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
3⤵
- Executes dropped EXE
PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5dd0bb12158bd660390c45f144e0f42d

SHA1
93ffa63e87144a6a347167d3fa2177a7d00c3fde

SHA256
0a0abe508e054efe8185eb50a5dc82d6939c3ee13bc04c7b89b475ffa80b8af9

SHA512
c005fe4810c73c14420c7151a15a8a9020850a56c8f8c8bfa68201fc738820b5781df3782a3ca4bd341db17e50fa5bf1128a00616e66de26e2d657466d9ba041

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4F68.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

Filesize
1.4MB

MD5
18b10a2efe5b32d465635b8ad125bfd8

SHA1
befef93e8612113dc0571cf4e154219efb7cfaf3

SHA256
36eda391d33a04d38dbf6cb7e31d03c218c51439951b7f9409e6e9ee88409d70

SHA512
f6ac30db503f8881f46b58046244fdf053848cc16be7fe97ba393286b8e61b512b010f4822adc9a3a750bdcaec0d0871786d4ccc84fee421450a7bc472cd9ae2

Download Submit
memory/1548-1-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/1548-11-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/1548-12-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/1548-30-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/1548-0-0x0000000074631000-0x0000000074632000-memory.dmp

Filesize
4KB

Download
memory/2200-51-0x00000000000D0000-0x00000000000E7000-memory.dmp

Filesize
92KB

Download
memory/2200-43-0x00000000000D0000-0x00000000000E7000-memory.dmp

Filesize
92KB

Download
memory/2200-57-0x00000000000D0000-0x00000000000E7000-memory.dmp

Filesize
92KB

Download
memory/2200-53-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2200-49-0x00000000000D0000-0x00000000000E7000-memory.dmp

Filesize
92KB

Download
memory/2200-47-0x00000000000D0000-0x00000000000E7000-memory.dmp

Filesize
92KB

Download
memory/2200-45-0x00000000000D0000-0x00000000000E7000-memory.dmp

Filesize
92KB

Download
memory/2728-31-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2728-42-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2728-41-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2728-32-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2728-60-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads