remcos | cb8d0ba3cb1d8f9222e80075cbf88dd0500b557f68d8cda57ce44258a1d2fd52

General

Target

outsig.exe
Size

2.8MB
MD5

e26af3f92e8f9e8082d660f31353f86d
SHA1

d185030089248234c9e83ad9216b3b8f7890167a
SHA256

cb8d0ba3cb1d8f9222e80075cbf88dd0500b557f68d8cda57ce44258a1d2fd52
SHA512

9acee413adb0af0414e10153d54b806b5bacc82c878aef60ac6948a41fbdb50533119b547ad4b4f0325c0b3c6e36da3f4f8f3aeb5987810446977377e8c022aa
SSDEEP

49152:fA3zZk+dsK03OTOBz54VY/+Xn1wFrk0MlLTBFPFGNK/b337CWpfm6Efmi0:fA3lsF5+3n1ErMlPBFtMibOa5T

Score

10^/10

remcos neuvaler discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

NEUVALER

C2

hjgfjygjfghfhfggjjgfyfgjh.con-ip.com:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-MYQH4O
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\ImageUSB = "C:\\Users\\Admin\\Pictures\\ImageWiz\\ImageUsbTool.exe"	outsig.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	outsig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	outsig.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2824	outsig.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2824	2272	outsig.exe	31
PID 2272 wrote to memory of 2824	2272	outsig.exe	31
PID 2272 wrote to memory of 2824	2272	outsig.exe	31
PID 2272 wrote to memory of 2824	2272	outsig.exe	31
PID 2272 wrote to memory of 2824	2272	outsig.exe	31
PID 2272 wrote to memory of 2824	2272	outsig.exe	31

C:\Users\Admin\AppData\Local\Temp\outsig.exe
"C:\Users\Admin\AppData\Local\Temp\outsig.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Local\Temp\outsig.exe
  "C:\Users\Admin\AppData\Local\Temp\outsig.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
98ac5b53faff6da62e1fbe604e147b78

SHA1
291284775a976315fb758877aea53bac06c935ab

SHA256
a8529d7a46058a4ef3bbb9d896c07547307c2891ab75c45f612c42968a457975

SHA512
227cbb0e7fba768ec776d88acc2ce0ddc03aac5e5356e0b45ed1a9e22cac9bc585b2c5ab5a94267c46ef2309a6c93278fec27289d3399fd5c7fae69353740b22

Download Submit
memory/2272-3-0x0000000000400000-0x000000000074C000-memory.dmp

Filesize
3.3MB

Download
memory/2272-1-0x0000000000409000-0x0000000000422000-memory.dmp

Filesize
100KB

Download
memory/2272-0-0x0000000000400000-0x000000000074C000-memory.dmp

Filesize
3.3MB

Download
memory/2272-6-0x0000000000400000-0x000000000074C000-memory.dmp

Filesize
3.3MB

Download
memory/2272-27-0x0000000000409000-0x0000000000422000-memory.dmp

Filesize
100KB

Download
memory/2272-13-0x0000000000400000-0x000000000074C000-memory.dmp

Filesize
3.3MB

Download
memory/2272-7-0x0000000000400000-0x000000000074C000-memory.dmp

Filesize
3.3MB

Download
memory/2272-17-0x0000000000400000-0x000000000074C000-memory.dmp

Filesize
3.3MB

Download
memory/2272-5-0x0000000000400000-0x000000000074C000-memory.dmp

Filesize
3.3MB

Download
memory/2824-16-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2824-24-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2824-25-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2824-8-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2824-21-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2824-22-0x0000000000400000-0x000000000074C000-memory.dmp

Filesize
3.3MB

Download
memory/2824-18-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2824-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2824-26-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2824-12-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2824-30-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2824-23-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2824-39-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2824-38-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2824-47-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2824-46-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2824-54-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2824-55-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2824-62-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/2824-63-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads