remcos | 494652a0db82440f7c9c2830b839805a5fdc24feb8e965141372376c294c1bc9

General

Target

497a59ce5e1c1e2bdd5e708f21aecd446d9047d17024c73abaeab9d8bfa8c4aa.exe
Size

803KB
MD5

dfa5d4b7b532d17aaee7837f83837e56
SHA1

10343686bec4f271cdb9f57816291f021cd721f0
SHA256

497a59ce5e1c1e2bdd5e708f21aecd446d9047d17024c73abaeab9d8bfa8c4aa
SHA512

74bc99f0e154abfc69d320cafe97604a9ddba30eeaee106b840b9ff28743bd6fa12cf98f2c158250894b2da1d4cdbcbabbccbf43aba68cc58e2a60b2fc8922c9
SSDEEP

12288:4YV6MorX7qzuC3QHO9FQVHPF51jgcEyaPZQ37ADKjPSNivVMWUq1bcQNim16CHB:XBXu9HGaVHSS3SKDvVXH62dxg

Score

10^/10

remcos remotehost discovery rat upx

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

107.175.229.139:8823

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-2BGC0K
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\benting.vbs	benting.exe

Executes dropped EXE 1 IoCs

pid	Process
1436	benting.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3988-0-0x00000000005C0000-0x000000000077F000-memory.dmp	upx
behavioral2/files/0x000300000002327a-14.dat	upx
behavioral2/memory/1436-15-0x0000000000C60000-0x0000000000E1F000-memory.dmp	upx
behavioral2/memory/3988-17-0x00000000005C0000-0x000000000077F000-memory.dmp	upx
behavioral2/memory/1436-40-0x0000000000C60000-0x0000000000E1F000-memory.dmp	upx

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1436-15-0x0000000000C60000-0x0000000000E1F000-memory.dmp	autoit_exe
behavioral2/memory/3988-17-0x00000000005C0000-0x000000000077F000-memory.dmp	autoit_exe
behavioral2/memory/1436-40-0x0000000000C60000-0x0000000000E1F000-memory.dmp	autoit_exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	497a59ce5e1c1e2bdd5e708f21aecd446d9047d17024c73abaeab9d8bfa8c4aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	benting.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 1436	3988	497a59ce5e1c1e2bdd5e708f21aecd446d9047d17024c73abaeab9d8bfa8c4aa.exe	87
PID 3988 wrote to memory of 1436	3988	497a59ce5e1c1e2bdd5e708f21aecd446d9047d17024c73abaeab9d8bfa8c4aa.exe	87
PID 3988 wrote to memory of 1436	3988	497a59ce5e1c1e2bdd5e708f21aecd446d9047d17024c73abaeab9d8bfa8c4aa.exe	87

C:\Users\Admin\AppData\Local\Temp\497a59ce5e1c1e2bdd5e708f21aecd446d9047d17024c73abaeab9d8bfa8c4aa.exe
"C:\Users\Admin\AppData\Local\Temp\497a59ce5e1c1e2bdd5e708f21aecd446d9047d17024c73abaeab9d8bfa8c4aa.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Users\Admin\AppData\Local\hepatoduodenostomy\benting.exe
  "C:\Users\Admin\AppData\Local\Temp\497a59ce5e1c1e2bdd5e708f21aecd446d9047d17024c73abaeab9d8bfa8c4aa.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
6c2dfb64caae115684cb7ab3d6d485d8

SHA1
693ce76180590f8936ea71c6412b97b9903868dd

SHA256
75416cc436608b7dd43fc067a9a925235c342c58dae2b5f6a7507fcf8278bb0c

SHA512
534d05f3dbbe116790efeb8d80f03440e999f58e741464f5d67dddeaa32e18deb252616adbbb205568c0485b8d37c3327877f95e0cf033ea610b48e705a64b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\savager

Filesize
482KB

MD5
83774efdf39c8d5c3f15057665acea11

SHA1
0f03ee694baa8144e4c0eca715a22d718cdb41df

SHA256
3d883f57be91217631420299b45d3fb892f521bc76d4da4354ab194646c4256c

SHA512
583fc5eafe3886054bbee2d462a18693e2d29cbac3d830922e0631bef757d1d6c00425262b3466292779d3806f1c41711d297df81a0e2f1d48d69cb9f731e3a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\syphilous

Filesize
29KB

MD5
7a91016af63268db84ed7dd43644664f

SHA1
a33732e73a3e532dff76aed5aa2ef499b7ece1a2

SHA256
3653ab75d26e909e863ff48e2fbdaa01ba1835a0245483a3a5f4d373063e4b97

SHA512
b2a0ca61f77ab4f35e7fd75d8191aa21dbbe5a1bd20b5aa2b79b600dcae3f174222f3b1a485fe30cf739eb3c419e29278f68d5cdaf6cbf883dd3f05c58523b62

Download Submit
C:\Users\Admin\AppData\Local\hepatoduodenostomy\benting.exe

Filesize
803KB

MD5
dfa5d4b7b532d17aaee7837f83837e56

SHA1
10343686bec4f271cdb9f57816291f021cd721f0

SHA256
497a59ce5e1c1e2bdd5e708f21aecd446d9047d17024c73abaeab9d8bfa8c4aa

SHA512
74bc99f0e154abfc69d320cafe97604a9ddba30eeaee106b840b9ff28743bd6fa12cf98f2c158250894b2da1d4cdbcbabbccbf43aba68cc58e2a60b2fc8922c9

Download Submit
memory/1436-40-0x0000000000C60000-0x0000000000E1F000-memory.dmp

Filesize
1.7MB

Download
memory/1436-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1436-15-0x0000000000C60000-0x0000000000E1F000-memory.dmp

Filesize
1.7MB

Download
memory/1436-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1436-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1436-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1436-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1436-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1436-91-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1436-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1436-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1436-90-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1436-82-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1436-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1436-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1436-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1436-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1436-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1436-73-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1436-81-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3988-11-0x00000000016F0000-0x00000000016F4000-memory.dmp

Filesize
16KB

Download
memory/3988-17-0x00000000005C0000-0x000000000077F000-memory.dmp

Filesize
1.7MB

Download
memory/3988-0-0x00000000005C0000-0x000000000077F000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing