remcos | 52e5414e2e8aabecfc1c38926a3d863e1ee26bef5dc8453fc0568d9f263cf384

General

Target

52e5414e2e8aabecfc1c38926a3d863e1ee26bef5dc8453fc0568d9f263cf384.exe
Size

1.2MB
MD5

354b34a3694e2b4d54ba3bca624aa3c3
SHA1

660ee183f7f7a17eace0556c8883a2c361424cb0
SHA256

52e5414e2e8aabecfc1c38926a3d863e1ee26bef5dc8453fc0568d9f263cf384
SHA512

f78bbbd45ee9dc147394f79c0aed2c8104c42116b72c653586ac0855d0c075e3b17571bc62e33ba055bcc91197f6e2a491e97ad35eab8f425bbf713a5e0b5870
SSDEEP

24576:+tb20pkaCqT5TBWgNQ7aLHWD2rmiOWlcIqDBZLAkxy06A:rVg5tQ7aLHWDd/B9A65

Score

10^/10

remcos remotehost discovery rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

spacesave.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-RLABK3
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dddddd.vbs	dddddd.exe

Executes dropped EXE 1 IoCs

pid	Process
4656	dddddd.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00030000000230ad-14.dat	autoit_exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52e5414e2e8aabecfc1c38926a3d863e1ee26bef5dc8453fc0568d9f263cf384.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dddddd.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2568	52e5414e2e8aabecfc1c38926a3d863e1ee26bef5dc8453fc0568d9f263cf384.exe
2568	52e5414e2e8aabecfc1c38926a3d863e1ee26bef5dc8453fc0568d9f263cf384.exe
4656	dddddd.exe
4656	dddddd.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2568	52e5414e2e8aabecfc1c38926a3d863e1ee26bef5dc8453fc0568d9f263cf384.exe
2568	52e5414e2e8aabecfc1c38926a3d863e1ee26bef5dc8453fc0568d9f263cf384.exe
4656	dddddd.exe
4656	dddddd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 4656	2568	52e5414e2e8aabecfc1c38926a3d863e1ee26bef5dc8453fc0568d9f263cf384.exe	87
PID 2568 wrote to memory of 4656	2568	52e5414e2e8aabecfc1c38926a3d863e1ee26bef5dc8453fc0568d9f263cf384.exe	87
PID 2568 wrote to memory of 4656	2568	52e5414e2e8aabecfc1c38926a3d863e1ee26bef5dc8453fc0568d9f263cf384.exe	87

C:\Users\Admin\AppData\Local\Temp\52e5414e2e8aabecfc1c38926a3d863e1ee26bef5dc8453fc0568d9f263cf384.exe
"C:\Users\Admin\AppData\Local\Temp\52e5414e2e8aabecfc1c38926a3d863e1ee26bef5dc8453fc0568d9f263cf384.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Local\directory\dddddd.exe
  "C:\Users\Admin\AppData\Local\Temp\52e5414e2e8aabecfc1c38926a3d863e1ee26bef5dc8453fc0568d9f263cf384.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\definitization

Filesize
56KB

MD5
be57919a8e6f5c3d638c08144dfff614

SHA1
a096881aaea02eecc45536e041050cf08917b433

SHA256
88b06124dd503e93614f8dc3fd011565c949e2a36ecb44c0a9de685465330167

SHA512
8c6154154f3ee2ed6d19b6527f89ae3279fc64b0489baf415b1779cbe2af12d4f4cac2fd67e2c57a825639f86e8b4a72ca2ead831fe93bc90141a013bb4bbcf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\palladize

Filesize
483KB

MD5
f4461a02e25109973cdf62c9260edc73

SHA1
988eaf6cf392bc92f09c514a99db3b44bd9d0450

SHA256
35317bf8ab08c12751490059e9af81b8226b013401e9906ad109e49c1924d13f

SHA512
f6d86a3f8702d89acc1c4cb63fbd81d03a8f86d8f43ce1a244343b59b6121416420c421e10830675dd970d97064ab2b7b422b60fe2658b263daf12f2932707dc

Download Submit
C:\Users\Admin\AppData\Local\directory\dddddd.exe

Filesize
1.2MB

MD5
354b34a3694e2b4d54ba3bca624aa3c3

SHA1
660ee183f7f7a17eace0556c8883a2c361424cb0

SHA256
52e5414e2e8aabecfc1c38926a3d863e1ee26bef5dc8453fc0568d9f263cf384

SHA512
f78bbbd45ee9dc147394f79c0aed2c8104c42116b72c653586ac0855d0c075e3b17571bc62e33ba055bcc91197f6e2a491e97ad35eab8f425bbf713a5e0b5870

Download Submit
memory/2568-11-0x00000000037D0000-0x00000000037D4000-memory.dmp

Filesize
16KB

Download
memory/4656-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4656-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4656-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4656-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4656-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4656-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4656-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4656-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4656-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4656-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4656-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4656-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4656-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4656-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4656-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing