remcos | 26286ef37a9eba53b1f46820899a14ebb3472b47b8f25f4ce800826ad6551445

General

Target

Newfts.exe
Size

2.1MB
MD5

db7e67835fce6cf9889f0f68ca9c29a9
SHA1

5565afda37006a66f0e4546105be60bbe7970616
SHA256

dbd3057a58fd3407c95418bc5d9c253adc8c658ee338f22d58374ed3ea37b738
SHA512

bc2714bb408715e5e1cec1337b831e26dbda208183955a07ec8653a38c9c0f25f60f333a154b738927ce085e7bbff438963b941a6c2773b3e7325cd900e7651b
SSDEEP

24576:LvknONWhX+nZQMcPCxOlw5etZhfAgBbBEjGf4JNhy4BPQ6MwWTbVTJBrMHACgUBh:nSXUZBP5eDxAg1z4Dhy4ZMdTJTJBrs7

Score

10^/10

remcos feetfuck discovery rat

Malware Config

Extracted

Family

remcos

Botnet

feetfuck

C2

83.222.191.201:24251

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-XTJ1YO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1936 set thread context of 2152	1936	Newfts.exe	31

Executes dropped EXE 1 IoCs

pid	Process
1936	Newfts.exe

Loads dropped DLL 4 IoCs

pid	Process
3036	Newfts.exe
1936	Newfts.exe
1936	Newfts.exe
2152	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newfts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newfts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3036	Newfts.exe
1936	Newfts.exe
1936	Newfts.exe
2152	cmd.exe
2152	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1936	Newfts.exe
2152	cmd.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 1936	3036	Newfts.exe	30
PID 3036 wrote to memory of 1936	3036	Newfts.exe	30
PID 3036 wrote to memory of 1936	3036	Newfts.exe	30
PID 3036 wrote to memory of 1936	3036	Newfts.exe	30
PID 1936 wrote to memory of 2152	1936	Newfts.exe	31
PID 1936 wrote to memory of 2152	1936	Newfts.exe	31
PID 1936 wrote to memory of 2152	1936	Newfts.exe	31
PID 1936 wrote to memory of 2152	1936	Newfts.exe	31
PID 1936 wrote to memory of 2152	1936	Newfts.exe	31
PID 2152 wrote to memory of 344	2152	cmd.exe	34
PID 2152 wrote to memory of 344	2152	cmd.exe	34
PID 2152 wrote to memory of 344	2152	cmd.exe	34
PID 2152 wrote to memory of 344	2152	cmd.exe	34
PID 2152 wrote to memory of 344	2152	cmd.exe	34
PID 2152 wrote to memory of 344	2152	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\Newfts.exe
"C:\Users\Admin\AppData\Local\Temp\Newfts.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Roaming\localUltra_Zfv4\Newfts.exe
  C:\Users\Admin\AppData\Roaming\localUltra_Zfv4\Newfts.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\84b5d85b

Filesize
1.2MB

MD5
65fd1ea3e6d63934a3d66b10842e4d7b

SHA1
bd66177ccb2f42a70845c9f4fd5ae5d876029c4d

SHA256
85c4137e57deeaf8eff84bbd7c7e425e888cbc2d42aa9935592b9f3d98af1792

SHA512
fd57dc7db033a64ba05dff5062574abe9ba42b95b43c1763240691b0a5344307632c72d8e160862b607f6da7e51fe543ae0ebb9ab57c57fa1aa244be2c8f584d

Download Submit
C:\Users\Admin\AppData\Roaming\localUltra_Zfv4\ProductStatistics3.dll

Filesize
1.1MB

MD5
59c15c71fd599ff745a862d0b8932919

SHA1
8384f88b4cac4694cf510ca0d3f867fd83cc9e18

SHA256
c4ed07ad748661ce776ac6ebb4f8bef7619586bfb4443ce58c92d4b889f3d5c2

SHA512
be3425d55dcaa361bc8481b87b2086454baca79a3c948de9acf9ef7d3084d6d987c328d665b45dfcd0510e2c97c980aa63d7cd669fe9fc1a67983c325593481e

Download Submit
C:\Users\Admin\AppData\Roaming\localUltra_Zfv4\kytarvx

Filesize
31KB

MD5
5dc69a3e2fda6cb740f363ef77edcc13

SHA1
c177fabf17346531e07d562be11915bf2822148a

SHA256
7c24abda04537749bfb1b2d2aa57a7c9261f41012435269347f7eb2d05f71621

SHA512
b32848b6eded965245b759be1b72b6fc81acb4002eceae96004e88e549e21eb6eb1ceb3e51f6249d7dfb739f31223e623f7c525f677939bc935d2f6bffb50a9f

Download Submit
C:\Users\Admin\AppData\Roaming\localUltra_Zfv4\nywrof

Filesize
1.0MB

MD5
471076308d78944d45ab35d37134134a

SHA1
05cf2cf6e5d11ce10425b14d68cda3246cc47263

SHA256
38d10ba2f4411eba8351d5b3fed74ca46bf856569dca757d055eb49d8471e11b

SHA512
7f140546ceda85d3c178a61689a0743c75623b7d1e2dcc3e2d29128d7e13d9671cdb660ca46312dbd8ff3d63c12836caf1a6a54c074d66bed269184044bdd9c3

Download Submit
\Users\Admin\AppData\Roaming\localUltra_Zfv4\Newfts.exe

Filesize
2.1MB

MD5
db7e67835fce6cf9889f0f68ca9c29a9

SHA1
5565afda37006a66f0e4546105be60bbe7970616

SHA256
dbd3057a58fd3407c95418bc5d9c253adc8c658ee338f22d58374ed3ea37b738

SHA512
bc2714bb408715e5e1cec1337b831e26dbda208183955a07ec8653a38c9c0f25f60f333a154b738927ce085e7bbff438963b941a6c2773b3e7325cd900e7651b

Download Submit
\Users\Admin\AppData\Roaming\localUltra_Zfv4\RegisterIdr.dll

Filesize
1.4MB

MD5
6fdb2e9ca6b7a5ad510e2b29831e3bc8

SHA1
4a14ee9d5660eb271a6b5f18a55ac3e05f952c68

SHA256
f510c85b98fa6fe8d30133114a34b7f77884aa58e57a0561722eeb157dc98a38

SHA512
d5248dd902d862afa060ab829fc3a39dccc26dab37737e14a3f9b90b1d3f900b3bf5821f450502a2124016acf0e84bd8979758827a92741f879b2fa4addfda06

Download Submit
memory/344-92-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/344-93-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/344-94-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/344-91-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/344-95-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/344-96-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/344-90-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/344-99-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/344-87-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/344-100-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/344-86-0x00000000770A0000-0x0000000077249000-memory.dmp

Filesize
1.7MB

Download
memory/1936-28-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/1936-26-0x00000000743C0000-0x0000000074534000-memory.dmp

Filesize
1.5MB

Download
memory/1936-30-0x0000000003620000-0x0000000003792000-memory.dmp

Filesize
1.4MB

Download
memory/1936-29-0x00000000032C0000-0x00000000033DE000-memory.dmp

Filesize
1.1MB

Download
memory/1936-31-0x00000000743C0000-0x0000000074534000-memory.dmp

Filesize
1.5MB

Download
memory/1936-27-0x00000000770A0000-0x0000000077249000-memory.dmp

Filesize
1.7MB

Download
memory/1936-17-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1936-23-0x0000000003620000-0x0000000003792000-memory.dmp

Filesize
1.4MB

Download
memory/1936-20-0x00000000032C0000-0x00000000033DE000-memory.dmp

Filesize
1.1MB

Download
memory/2152-84-0x00000000743C0000-0x0000000074534000-memory.dmp

Filesize
1.5MB

Download
memory/2152-37-0x00000000770A0000-0x0000000077249000-memory.dmp

Filesize
1.7MB

Download
memory/3036-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3036-16-0x00000000036B0000-0x0000000003822000-memory.dmp

Filesize
1.4MB

Download
memory/3036-14-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/3036-15-0x0000000003260000-0x000000000337E000-memory.dmp

Filesize
1.1MB

Download
memory/3036-4-0x00000000770A0000-0x0000000077249000-memory.dmp

Filesize
1.7MB

Download
memory/3036-3-0x00000000743F0000-0x0000000074564000-memory.dmp

Filesize
1.5MB

Download
memory/3036-2-0x00000000036B0000-0x0000000003822000-memory.dmp

Filesize
1.4MB

Download
memory/3036-1-0x0000000003260000-0x000000000337E000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing