remcos | 73d157aceb0cbefa3a24509f157e8b59c40881acd0e3360d026fee5845e19f2c

General

Target

zBJC.exe
Size

962KB
MD5

094a5d7931f64c66d76b0fe5cc728262
SHA1

4a3cbbe7590ab3e7cd3c40fc62558aaaa251a3e8
SHA256

73d157aceb0cbefa3a24509f157e8b59c40881acd0e3360d026fee5845e19f2c
SHA512

c2b31f3aca35b2e048e1fa10a6f8ed972097651a0fb85be675e0b7ea8765e04ba7b1f68be8c5bef25f919dff56c49b139e5d1ef4cad4c472ed0dc281ee4905aa
SSDEEP

12288:AfOzlAPrLGY72HiM2AUpGNSfIKsAW1Nunhe2z8JBvR1unEhyDsRiWnze6EzyskDF:AfglYKG2Kwb3unMLBvh8sRdS6rd8Qt

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

212.162.149.42:7118

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WYBPPO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2732	powershell.exe
2680	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2132 set thread context of 2892	2132	zBJC.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zBJC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zBJC.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2132	zBJC.exe
2132	zBJC.exe
2132	zBJC.exe
2132	zBJC.exe
2132	zBJC.exe
2132	zBJC.exe
2132	zBJC.exe
2732	powershell.exe
2680	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2132	zBJC.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2680	2132	zBJC.exe	31
PID 2132 wrote to memory of 2680	2132	zBJC.exe	31
PID 2132 wrote to memory of 2680	2132	zBJC.exe	31
PID 2132 wrote to memory of 2680	2132	zBJC.exe	31
PID 2132 wrote to memory of 2732	2132	zBJC.exe	33
PID 2132 wrote to memory of 2732	2132	zBJC.exe	33
PID 2132 wrote to memory of 2732	2132	zBJC.exe	33
PID 2132 wrote to memory of 2732	2132	zBJC.exe	33
PID 2132 wrote to memory of 2852	2132	zBJC.exe	34
PID 2132 wrote to memory of 2852	2132	zBJC.exe	34
PID 2132 wrote to memory of 2852	2132	zBJC.exe	34
PID 2132 wrote to memory of 2852	2132	zBJC.exe	34
PID 2132 wrote to memory of 2892	2132	zBJC.exe	37
PID 2132 wrote to memory of 2892	2132	zBJC.exe	37
PID 2132 wrote to memory of 2892	2132	zBJC.exe	37
PID 2132 wrote to memory of 2892	2132	zBJC.exe	37
PID 2132 wrote to memory of 2892	2132	zBJC.exe	37
PID 2132 wrote to memory of 2892	2132	zBJC.exe	37
PID 2132 wrote to memory of 2892	2132	zBJC.exe	37
PID 2132 wrote to memory of 2892	2132	zBJC.exe	37
PID 2132 wrote to memory of 2892	2132	zBJC.exe	37
PID 2132 wrote to memory of 2892	2132	zBJC.exe	37
PID 2132 wrote to memory of 2892	2132	zBJC.exe	37
PID 2132 wrote to memory of 2892	2132	zBJC.exe	37
PID 2132 wrote to memory of 2892	2132	zBJC.exe	37

C:\Users\Admin\AppData\Local\Temp\zBJC.exe
"C:\Users\Admin\AppData\Local\Temp\zBJC.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\zBJC.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OsUSvlotOYeups.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OsUSvlotOYeups" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCC.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2852
- C:\Users\Admin\AppData\Local\Temp\zBJC.exe
  "C:\Users\Admin\AppData\Local\Temp\zBJC.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCC.tmp

Filesize
1KB

MD5
91aaa55510dad3ec1b9bf90581fafaa1

SHA1
74c155ed4ac904e59eff10133f7f05858a808a15

SHA256
ecc873454749c650f7b36f091d13848c2e957fc84d97d8223cca431421725791

SHA512
1f0970ae2d010c040753eca0703c4fc5a9b6f50682a293aa02e0b8174e33eca0f88ccd2a987e20943b88dc82cf18f50a18128b5e718a8aedfcbf56c55efd1920

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
28dab19a31561b993ec660ab846dfb01

SHA1
4585eb3ce4b94cf9cee0500e01d5ef6b2f79d001

SHA256
5af8645ba33dcac8cc501abd02af951a57b9636d954ab0f24f5a1e993e9796b9

SHA512
c04b5ab9355d89179f96e60c55db4845df8a75906ac3a4f5caa3889ceaf6292622c5db3d093430ff6132ff7d79b1ac8c0f26cd7d7cd171ade421a1ef1ea0ee1d

Download Submit
memory/2132-40-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2132-1-0x0000000000D10000-0x0000000000E04000-memory.dmp

Filesize
976KB

Download
memory/2132-2-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2132-3-0x0000000000880000-0x0000000000898000-memory.dmp

Filesize
96KB

Download
memory/2132-4-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

Filesize
4KB

Download
memory/2132-5-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2132-6-0x0000000005070000-0x000000000512E000-memory.dmp

Filesize
760KB

Download
memory/2132-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

Filesize
4KB

Download
memory/2892-29-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2892-19-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2892-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2892-33-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2892-37-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2892-31-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2892-39-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2892-27-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2892-25-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2892-23-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2892-21-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2892-36-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2892-38-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2892-42-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2892-41-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2892-43-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2892-47-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2892-46-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2892-48-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2892-49-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2892-50-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2892-51-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2892-52-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2892-53-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads