remcos | 1c94594347e097f2175e02dbeac9d319c6ef8f673188ff5dfcd81b303e07803f

General

Target

AWB 9869692024 Clearance Doc.exe
Size

742KB
MD5

be4cc819efcca915a682af25beb238de
SHA1

c169eb0ab2c50be64e06351363ea44b19839cb42
SHA256

1c94594347e097f2175e02dbeac9d319c6ef8f673188ff5dfcd81b303e07803f
SHA512

fc20220681ede15bde57ea5ebaec092629931585f436ed3e5e3e8ede333ea14453fcc63d6598292bfad6b3efe302c3597ceefa1695662eec2457630d611b65a8
SSDEEP

12288:RS4njtlFI1cX06F4EQWq4tvsRn/zE6w2FxU1QgUVEnSFV:c4njtlTk67q4tvsRn/HFatnSv

Score

10^/10

remcos benchao discovery rat

Malware Config

Extracted

Family

remcos

Botnet

benchao

C2

tochisglobal.ddns.net:6426

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-9R4HLX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Loads dropped DLL 7 IoCs

pid	Process
4740	AWB 9869692024 Clearance Doc.exe
4740	AWB 9869692024 Clearance Doc.exe
4740	AWB 9869692024 Clearance Doc.exe
4740	AWB 9869692024 Clearance Doc.exe
4740	AWB 9869692024 Clearance Doc.exe
4740	AWB 9869692024 Clearance Doc.exe
4740	AWB 9869692024 Clearance Doc.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3796	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4740	AWB 9869692024 Clearance Doc.exe
3796	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4740 set thread context of 3796	4740	AWB 9869692024 Clearance Doc.exe	95

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\koeberens.int	AWB 9869692024 Clearance Doc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\dioptral.ini	AWB 9869692024 Clearance Doc.exe
File opened for modification	C:\Windows\resources\0409\polymicrobial\Pappen33.mur	AWB 9869692024 Clearance Doc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AWB 9869692024 Clearance Doc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4740	AWB 9869692024 Clearance Doc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3796	wab.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 3796	4740	AWB 9869692024 Clearance Doc.exe	95
PID 4740 wrote to memory of 3796	4740	AWB 9869692024 Clearance Doc.exe	95
PID 4740 wrote to memory of 3796	4740	AWB 9869692024 Clearance Doc.exe	95
PID 4740 wrote to memory of 3796	4740	AWB 9869692024 Clearance Doc.exe	95
PID 4740 wrote to memory of 3796	4740	AWB 9869692024 Clearance Doc.exe	95

C:\Users\Admin\AppData\Local\Temp\AWB 9869692024 Clearance Doc.exe
"C:\Users\Admin\AppData\Local\Temp\AWB 9869692024 Clearance Doc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Program Files (x86)\windows mail\wab.exe
  "C:\Users\Admin\AppData\Local\Temp\AWB 9869692024 Clearance Doc.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
4bde4a3a91afbc9bc6109a1b537efcd0

SHA1
a673905ab9b100eed4f6d6c44c2bbd12c41bcb5f

SHA256
8ed2f5d3638d70500938e8a6fe16e5d24d3c9a45144959e019f1d8cc07144762

SHA512
24719271bc53ebc71494af9d7853c5ba28491e9853835c261b1734aa31fa8b300e838cb96b5501c05ac5c0f66c132da001cdd8e85b8419862d8b39af1657c370

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssA605.tmp\LangDLL.dll

Filesize
5KB

MD5
232f16c1cb21335fbce6f78ddaf2458c

SHA1
1c5981b852b3b640c98547074bda081c38859c3f

SHA256
507df75c959e1c9a89febb3f5d5963539895d9a602f4e6ca7898079919a83352

SHA512
cb8fb45ffe04e759816cb931223aafa42c15e58f1b35717f59a14c665aa94b48c393ff1a18ac480165ab090fed9226111ae2c3f4e9aead413a105c6f15515227

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssA605.tmp\System.dll

Filesize
12KB

MD5
d6f54d2cefdf58836805796f55bfc846

SHA1
b980addc1a755b968dd5799179d3b4f1c2de9d2d

SHA256
f917aef484d1fbb4d723b2e2d3045cb6f5f664e61fbb3d5c577bd1c215de55d9

SHA512
ce67da936a93d46ef7e81abc8276787c82fd844c03630ba18afc3528c7e420c3228bfe82aeda083bb719f2d1314afae913362abd1e220cb364606519690d45db

Download Submit
C:\Users\Admin\AppData\Local\jonglrs.ini

Filesize
34B

MD5
e1d4b003063b31653a6595324fc561b5

SHA1
029ec032cc93d9f3fc056acef1ef2ad0e60535ef

SHA256
81a6b9a20bfb14e861456f381b0acae0cc4cc52d914824c347690a5ae7de2cff

SHA512
ae85e03e2d0e1f328537b90253f4d76debcfbf436133321de9602e613d72ec2bffe9e9aeebb39acdb2499257a98040631f797dac35dd5aa87e29d57d43572deb

Download Submit
memory/3796-60-0x00000000008F0000-0x0000000001B44000-memory.dmp

Filesize
18.3MB

Download
memory/3796-65-0x00000000008F0000-0x0000000001B44000-memory.dmp

Filesize
18.3MB

Download
memory/3796-40-0x0000000077558000-0x0000000077559000-memory.dmp

Filesize
4KB

Download
memory/3796-41-0x0000000077575000-0x0000000077576000-memory.dmp

Filesize
4KB

Download
memory/3796-42-0x00000000008F0000-0x0000000001B44000-memory.dmp

Filesize
18.3MB

Download
memory/3796-47-0x00000000774D1000-0x00000000775F1000-memory.dmp

Filesize
1.1MB

Download
memory/3796-46-0x00000000008F0000-0x0000000001B44000-memory.dmp

Filesize
18.3MB

Download
memory/3796-51-0x00000000008F0000-0x0000000001B44000-memory.dmp

Filesize
18.3MB

Download
memory/3796-54-0x00000000008F0000-0x0000000001B44000-memory.dmp

Filesize
18.3MB

Download
memory/3796-80-0x00000000008F0000-0x0000000001B44000-memory.dmp

Filesize
18.3MB

Download
memory/3796-57-0x00000000008F0000-0x0000000001B44000-memory.dmp

Filesize
18.3MB

Download
memory/3796-77-0x00000000008F0000-0x0000000001B44000-memory.dmp

Filesize
18.3MB

Download
memory/3796-62-0x00000000008F0000-0x0000000001B44000-memory.dmp

Filesize
18.3MB

Download
memory/3796-74-0x00000000008F0000-0x0000000001B44000-memory.dmp

Filesize
18.3MB

Download
memory/3796-68-0x00000000008F0000-0x0000000001B44000-memory.dmp

Filesize
18.3MB

Download
memory/3796-71-0x00000000008F0000-0x0000000001B44000-memory.dmp

Filesize
18.3MB

Download
memory/4740-39-0x0000000074125000-0x0000000074126000-memory.dmp

Filesize
4KB

Download
memory/4740-37-0x00000000774D1000-0x00000000775F1000-memory.dmp

Filesize
1.1MB

Download
memory/4740-38-0x00000000774D1000-0x00000000775F1000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing