remcos | dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651

General

Target

dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe
Size

1.6MB
MD5

25875e91131d7ed644c4b2587a78dd34
SHA1

672af46cf6363d259a2bb53efc127ad2e96bab5c
SHA256

dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651
SHA512

24930e7137707821698095609ce5c8e74e8fe86af8d407a8f80233946065359deb407502ad3fbdf07f9382826da98356046440042d711b8f13aff0f1b67d9e70
SSDEEP

24576:eD39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPjYahP:ep7E+QrFUBgq2B

Score

10^/10

remcos host persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

213.183.58.19:4000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
read.dat
keylog_flag
false
keylog_folder
CastC
keylog_path
%AppData%
mouse_option
false
mutex
remcos_sccafsoidz
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
2924	sbietrcl.exe
2632	sbietrcl.exe

Loads dropped DLL 1 IoCs

pid	Process
1680	dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\sbietrcl.exe"	dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2924 set thread context of 2632	2924	sbietrcl.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1680	dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe
1680	dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe
1680	dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe
1680	dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe
1680	dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe
1680	dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe
2924	sbietrcl.exe
2924	sbietrcl.exe
2924	sbietrcl.exe
2924	sbietrcl.exe
2924	sbietrcl.exe
2924	sbietrcl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1680	dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe
Token: SeDebugPrivilege	2924	sbietrcl.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2632	sbietrcl.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2924	1680	dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe	28
PID 1680 wrote to memory of 2924	1680	dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe	28
PID 1680 wrote to memory of 2924	1680	dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe	28
PID 1680 wrote to memory of 2924	1680	dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe	28
PID 2924 wrote to memory of 2632	2924	sbietrcl.exe	29
PID 2924 wrote to memory of 2632	2924	sbietrcl.exe	29
PID 2924 wrote to memory of 2632	2924	sbietrcl.exe	29
PID 2924 wrote to memory of 2632	2924	sbietrcl.exe	29
PID 2924 wrote to memory of 2632	2924	sbietrcl.exe	29
PID 2924 wrote to memory of 2632	2924	sbietrcl.exe	29
PID 2924 wrote to memory of 2632	2924	sbietrcl.exe	29
PID 2924 wrote to memory of 2632	2924	sbietrcl.exe	29
PID 2924 wrote to memory of 2632	2924	sbietrcl.exe	29
PID 2924 wrote to memory of 2632	2924	sbietrcl.exe	29

C:\Users\Admin\AppData\Local\Temp\dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe
"C:\Users\Admin\AppData\Local\Temp\dec1bcdae1ed8a3cd3446c79f40ff73fad9a4962b15d946ed1875ffff546c651.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f24b6d32397f08471febaf647ecc5ac3

SHA1
ae938430858cd1e2d4d5dcbbc5732bf680350fbb

SHA256
10e99d79996113cc3ae9bad37a0a358eda34321a0ae69d05573b0a4312428022

SHA512
366c2a68f1b609d54a95ed2d3dd81c8a545e03b302b6a3da925dcb103f24fb0f65c4057a178a54b0e84dca123467d869b9a1bcada0a76ebb75796de674844030

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab23B6.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

Filesize
1.7MB

MD5
bb44908d5a5f8d96234ef503549c3037

SHA1
58ac92b63dd0ef9ad39fc2db88df5c7f0c54949e

SHA256
5323c876a576432ac0f569b5d150f22bfb7d58b6a7fc8b4734c55676b1f7bab5

SHA512
02f69ec9802df93222c279bc7a83ea4e6d7c16477c385b405a31aa666eda2621817237abb1ed978773949240a2407ed4bce039a74d3eda14eaf24802207f0526

Download Submit
memory/1680-1-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/1680-2-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/1680-12-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/1680-13-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/1680-30-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/1680-0-0x00000000742F1000-0x00000000742F2000-memory.dmp

Filesize
4KB

Download
memory/2632-55-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2632-47-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2632-65-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2632-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2632-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2632-48-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2632-52-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2632-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2632-49-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2632-56-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2632-46-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2632-45-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2632-59-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2924-60-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2924-32-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2924-42-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2924-44-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2924-43-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2924-41-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads