remcos | e3a690718615cf8bf5414c097942ecf76b2d294801381848c140ab909b0aed63

General

Target

quotation.exe
Size

1.3MB
MD5

347e851f26cedb5a5ab9eebb2064a32b
SHA1

ed45d95c46b594eaa6c752b492bdadabe65e35f0
SHA256

3ee5a0f95d5d8da1deb9757d957b519367b4850f1716a6bf1fb1129e385a007f
SHA512

fc41e6ea9c2f1002d89f82faeb3901b130087aa8528004f1b2545c8ba620309cb84a63b20fbf08ee133e6a3386f2d8dc24b65b576f29be887a6309efcef63f8d
SSDEEP

24576:mqDEvCTbMWu7rQYlBQcBiT6rprG8amDw9qlGZg3LMf3gPCTGE7F2F/xke:mTvC/MTQYxsWR7amDv8FtKk

Score

10^/10

remcos remotehost discovery rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

23.95.235.18:2557

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-E0JKXE
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.vbs	chrome.exe

Executes dropped EXE 2 IoCs

pid	Process
872	chrome.exe
4672	chrome.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0009000000023437-14.dat	autoit_exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chrome.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3120	quotation.exe
3120	quotation.exe
872	chrome.exe
872	chrome.exe
4672	chrome.exe
4672	chrome.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3120	quotation.exe
3120	quotation.exe
872	chrome.exe
872	chrome.exe
4672	chrome.exe
4672	chrome.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 872	3120	quotation.exe	87
PID 3120 wrote to memory of 872	3120	quotation.exe	87
PID 3120 wrote to memory of 872	3120	quotation.exe	87
PID 872 wrote to memory of 4672	872	chrome.exe	88
PID 872 wrote to memory of 4672	872	chrome.exe	88
PID 872 wrote to memory of 4672	872	chrome.exe	88

C:\Users\Admin\AppData\Local\Temp\quotation.exe
"C:\Users\Admin\AppData\Local\Temp\quotation.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Users\Admin\AppData\Local\directory\chrome.exe
  "C:\Users\Admin\AppData\Local\Temp\quotation.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Users\Admin\AppData\Local\directory\chrome.exe
    "C:\Users\Admin\AppData\Local\directory\chrome.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autAEED.tmp

Filesize
399KB

MD5
d2d44686e0bc5bd11aa72ff1a2bad604

SHA1
6dcf2641b47d274c0103b649915cf1a322b8f35c

SHA256
f28a8e2f1415306e9785e8d2893c66748f2756665382e84bdc7001e39fdc34f5

SHA512
683e3e556d4ee646126d4412425236fccafb309219d7a21a8e9bdf3924152519074b037e0a01f26cb8477a2312b61bea12f67bfc3975a7a8d6431d4b9cfa9a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\autAF0D.tmp

Filesize
42KB

MD5
fd1dd846c22094358d1bd3e1d9a78e59

SHA1
9c3311b8c9d0312a6100bb6c366ae3b3ee5a6a23

SHA256
ac0bc26c85e2a4f7c65fdeb91690dd22a3454ce9ce7da165eb0b8d860c733b0a

SHA512
6fc71b2e992a35bbb69cfec413ef5e3693bb1420e02a8b16187fc083f753347d516813ce666c36985c1ca083f26a2462bb102bed2daf51094f1ce593156ceb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\bankrupture

Filesize
483KB

MD5
37b9493a4bbd84adfdec40b1be5a1613

SHA1
543bd8b58ed60ee9bc9f6b41eeec28063703c2c8

SHA256
9c2a3ba8cf516812d6aebd5f2c723b3863613dce841a805cdf40423e9ea3e26d

SHA512
81aebaea8a1b0ea51491a2b4d8111820a0aa3281783383d646f0f924eb7d79b007f97a5145cfde172beca044141a4fe15fbab7a8d9456e62625ec656fb1bbbb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\renowner

Filesize
84KB

MD5
bbed02ae545f466bc86629f4026b46e7

SHA1
3f184cf1eb77083b850fd4281662dcd3f8fbf74b

SHA256
fec372f0a7083817332ab1545a1bcb850cebcd3c3f018c25b0ec69347fbb2c4a

SHA512
33175064effcf7c0c7623f38a0a7d4ee63e7f2c506eb2beac3a7e0485fa20bbee1d9903aaf677220dc6f7f3a9ad3b4949082abf1a0f078d01904a9e96b28d27e

Download Submit
C:\Users\Admin\AppData\Local\directory\chrome.exe

Filesize
1.3MB

MD5
347e851f26cedb5a5ab9eebb2064a32b

SHA1
ed45d95c46b594eaa6c752b492bdadabe65e35f0

SHA256
3ee5a0f95d5d8da1deb9757d957b519367b4850f1716a6bf1fb1129e385a007f

SHA512
fc41e6ea9c2f1002d89f82faeb3901b130087aa8528004f1b2545c8ba620309cb84a63b20fbf08ee133e6a3386f2d8dc24b65b576f29be887a6309efcef63f8d

Download Submit
memory/3120-11-0x0000000001630000-0x0000000001634000-memory.dmp

Filesize
16KB

Download
memory/4672-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4672-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4672-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4672-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4672-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4672-49-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4672-51-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4672-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4672-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4672-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4672-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4672-57-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4672-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4672-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4672-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing