remcos | 097f505b81e24c11b775c857e41c6bfde514588114a89354b24c74e478cacc80

General

Target

097f505b81e24c11b775c857e41c6bfde514588114a89354b24c74e478cacc80.exe
Size

136KB
MD5

0bdd320eb5daca168625278548095c47
SHA1

945e19805a764b5a40e682173c26bce74ec8ed9f
SHA256

097f505b81e24c11b775c857e41c6bfde514588114a89354b24c74e478cacc80
SHA512

4d47856fcd95c3b50be8f7c0efd568f3f7af3d68e2b713f8bb88efd6c008b45781bccb92be80dd54debc2a241fabde1a8296075797676405989317c81e3b0117
SSDEEP

1536:ITHiPBX4nDzMyRXGHrc9YRHqbTypgpmb5Q+ZReSdhk/J+YLgD3mrxb53cSuYQjK2:xPd4n/M+WLcilrpgGH/GwY87mVmIXG

Score

10^/10

remcos host persistence rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

systemcontrol.ddns.net:45000

systemcontrol2.ddns.net:45000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
OfficeUpgrade.exe
copy_folder
OfficeUpgrade
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
Upgrader.dat
keylog_flag
false
keylog_folder
Upgrader
keylog_path
%AppData%
mouse_option
false
mutex
req_khauflaoyr
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
OfficeUpgrade
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

detects Windows exceutables potentially bypassing UAC using eventvwr.exe 5 IoCs

resource	yara_rule
behavioral2/memory/4692-26-0x0000000000400000-0x0000000000417000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
behavioral2/memory/4692-25-0x0000000000400000-0x0000000000417000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
behavioral2/memory/4692-24-0x0000000000400000-0x0000000000417000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
behavioral2/memory/4692-29-0x0000000000400000-0x0000000000417000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
behavioral2/memory/4692-30-0x0000000000400000-0x0000000000417000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	097f505b81e24c11b775c857e41c6bfde514588114a89354b24c74e478cacc80.exe

Executes dropped EXE 2 IoCs

pid	Process
4700	wn2ra4ohzdr.exe
4692	wn2ra4ohzdr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raj4dkhhiap = "C:\\Users\\Admin\\AppData\\Roaming\\raj4dkhhiap\\wn2ra4ohzdr.exe"	097f505b81e24c11b775c857e41c6bfde514588114a89354b24c74e478cacc80.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4700 set thread context of 4692	4700	wn2ra4ohzdr.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4692	wn2ra4ohzdr.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 4700	220	097f505b81e24c11b775c857e41c6bfde514588114a89354b24c74e478cacc80.exe	92
PID 220 wrote to memory of 4700	220	097f505b81e24c11b775c857e41c6bfde514588114a89354b24c74e478cacc80.exe	92
PID 220 wrote to memory of 4700	220	097f505b81e24c11b775c857e41c6bfde514588114a89354b24c74e478cacc80.exe	92
PID 4700 wrote to memory of 4692	4700	wn2ra4ohzdr.exe	95
PID 4700 wrote to memory of 4692	4700	wn2ra4ohzdr.exe	95
PID 4700 wrote to memory of 4692	4700	wn2ra4ohzdr.exe	95
PID 4700 wrote to memory of 4692	4700	wn2ra4ohzdr.exe	95
PID 4700 wrote to memory of 4692	4700	wn2ra4ohzdr.exe	95
PID 4700 wrote to memory of 4692	4700	wn2ra4ohzdr.exe	95
PID 4700 wrote to memory of 4692	4700	wn2ra4ohzdr.exe	95
PID 4700 wrote to memory of 4692	4700	wn2ra4ohzdr.exe	95
PID 4700 wrote to memory of 4692	4700	wn2ra4ohzdr.exe	95

C:\Users\Admin\AppData\Local\Temp\097f505b81e24c11b775c857e41c6bfde514588114a89354b24c74e478cacc80.exe
"C:\Users\Admin\AppData\Local\Temp\097f505b81e24c11b775c857e41c6bfde514588114a89354b24c74e478cacc80.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:220
- C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
  "C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
    "C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe

Filesize
136KB

MD5
4d68209677a162a5c34bc57d8170ac91

SHA1
fa85d670030dc8ae12fc13c52a32466e8c54a098

SHA256
f182d033cf6b5d84bf1779e23453b8466eb1c8e81296c120a91c844af1a70067

SHA512
44a972da505c594bcf45fc7ee1eae84115c458ba32913ee71da913954c918c5e96401517f94bd690bbae829eb221436eb6202f79518e568e99e048456a7f147c

Download Submit
memory/220-21-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/220-2-0x0000000005A30000-0x0000000005FD4000-memory.dmp

Filesize
5.6MB

Download
memory/220-3-0x0000000005480000-0x0000000005512000-memory.dmp

Filesize
584KB

Download
memory/220-4-0x0000000005410000-0x000000000541A000-memory.dmp

Filesize
40KB

Download
memory/220-5-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/220-6-0x00000000056A0000-0x00000000056C0000-memory.dmp

Filesize
128KB

Download
memory/220-1-0x00000000009E0000-0x0000000000A08000-memory.dmp

Filesize
160KB

Download
memory/220-0-0x000000007514E000-0x000000007514F000-memory.dmp

Filesize
4KB

Download
memory/4692-24-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4692-26-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4692-25-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4692-23-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4692-29-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4692-30-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4700-22-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/4700-20-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/4700-34-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads