remcos | 2341360aa2d0bb8b8017ab7c89d69eed76584d9948c52b325c2eb790be65d25f

General

Target

d2d047125f00db9f2a56d34b1e1515ff98e593352c59c5aabbc0ca9888aabb31.exe
Size

1.4MB
MD5

c0585835beb4bef171c0cf8b15e8d5c5
SHA1

db8c9c483776385b86676fa2f3d2d5a49d05bae0
SHA256

d2d047125f00db9f2a56d34b1e1515ff98e593352c59c5aabbc0ca9888aabb31
SHA512

53a4d4e8617327724efe07473c30c0abc83e82ba81b5a0e79317041cca6552be5a6ba202882888bf0516ca5d5b5997d05b4056196192e6256b012cbce131218f
SSDEEP

24576:nqDEvCTbMWu7rQYlBQcBiT6rprG8aW+buh+WZiRDus2vcy2iU6Ylcyo2:nTvC/MTQYxsWR7aW+0+EiZccvio

Score

10^/10

remcos appo discovery rat

Malware Config

Extracted

Family

remcos

Botnet

APPO

C2

pronpostavka.com:2559

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
chrome-EZMR6Q
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 2 IoCs

pid	Process
2056	name.exe
1760	name.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0009000000023418-14.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1760 set thread context of 3076	1760	name.exe	96

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2d047125f00db9f2a56d34b1e1515ff98e593352c59c5aabbc0ca9888aabb31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2056	name.exe
1760	name.exe

Suspicious use of FindShellTrayWindow 19 IoCs

pid	Process
3488	d2d047125f00db9f2a56d34b1e1515ff98e593352c59c5aabbc0ca9888aabb31.exe
3488	d2d047125f00db9f2a56d34b1e1515ff98e593352c59c5aabbc0ca9888aabb31.exe
3488	d2d047125f00db9f2a56d34b1e1515ff98e593352c59c5aabbc0ca9888aabb31.exe
3488	d2d047125f00db9f2a56d34b1e1515ff98e593352c59c5aabbc0ca9888aabb31.exe
3488	d2d047125f00db9f2a56d34b1e1515ff98e593352c59c5aabbc0ca9888aabb31.exe
3488	d2d047125f00db9f2a56d34b1e1515ff98e593352c59c5aabbc0ca9888aabb31.exe
3488	d2d047125f00db9f2a56d34b1e1515ff98e593352c59c5aabbc0ca9888aabb31.exe
2056	name.exe
2056	name.exe
2056	name.exe
2056	name.exe
2056	name.exe
2056	name.exe
1760	name.exe
1760	name.exe
1760	name.exe
1760	name.exe
1760	name.exe
1760	name.exe

Suspicious use of SendNotifyMessage 19 IoCs

pid	Process
3488	d2d047125f00db9f2a56d34b1e1515ff98e593352c59c5aabbc0ca9888aabb31.exe
3488	d2d047125f00db9f2a56d34b1e1515ff98e593352c59c5aabbc0ca9888aabb31.exe
3488	d2d047125f00db9f2a56d34b1e1515ff98e593352c59c5aabbc0ca9888aabb31.exe
3488	d2d047125f00db9f2a56d34b1e1515ff98e593352c59c5aabbc0ca9888aabb31.exe
3488	d2d047125f00db9f2a56d34b1e1515ff98e593352c59c5aabbc0ca9888aabb31.exe
3488	d2d047125f00db9f2a56d34b1e1515ff98e593352c59c5aabbc0ca9888aabb31.exe
3488	d2d047125f00db9f2a56d34b1e1515ff98e593352c59c5aabbc0ca9888aabb31.exe
2056	name.exe
2056	name.exe
2056	name.exe
2056	name.exe
2056	name.exe
2056	name.exe
1760	name.exe
1760	name.exe
1760	name.exe
1760	name.exe
1760	name.exe
1760	name.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 2056	3488	d2d047125f00db9f2a56d34b1e1515ff98e593352c59c5aabbc0ca9888aabb31.exe	90
PID 3488 wrote to memory of 2056	3488	d2d047125f00db9f2a56d34b1e1515ff98e593352c59c5aabbc0ca9888aabb31.exe	90
PID 3488 wrote to memory of 2056	3488	d2d047125f00db9f2a56d34b1e1515ff98e593352c59c5aabbc0ca9888aabb31.exe	90
PID 2056 wrote to memory of 4296	2056	name.exe	92
PID 2056 wrote to memory of 4296	2056	name.exe	92
PID 2056 wrote to memory of 4296	2056	name.exe	92
PID 2056 wrote to memory of 1760	2056	name.exe	93
PID 2056 wrote to memory of 1760	2056	name.exe	93
PID 2056 wrote to memory of 1760	2056	name.exe	93
PID 1760 wrote to memory of 3076	1760	name.exe	96
PID 1760 wrote to memory of 3076	1760	name.exe	96
PID 1760 wrote to memory of 3076	1760	name.exe	96
PID 1760 wrote to memory of 3076	1760	name.exe	96

C:\Users\Admin\AppData\Local\Temp\d2d047125f00db9f2a56d34b1e1515ff98e593352c59c5aabbc0ca9888aabb31.exe
"C:\Users\Admin\AppData\Local\Temp\d2d047125f00db9f2a56d34b1e1515ff98e593352c59c5aabbc0ca9888aabb31.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Users\Admin\AppData\Local\directory\name.exe
  "C:\Users\Admin\AppData\Local\Temp\d2d047125f00db9f2a56d34b1e1515ff98e593352c59c5aabbc0ca9888aabb31.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\d2d047125f00db9f2a56d34b1e1515ff98e593352c59c5aabbc0ca9888aabb31.exe"
    3⤵
    PID:4296
- - C:\Users\Admin\AppData\Local\directory\name.exe
    "C:\Users\Admin\AppData\Local\directory\name.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\directory\name.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Laddonia

Filesize
483KB

MD5
24bdff8872f85a79a0f2e1a143398af2

SHA1
531ad1b6f7a29f9c2f4da4b56fd9444919828e8a

SHA256
b500c51d1af2e13366eb8ffec6426125a6d890c7b7c039d86b1469ee03b65e5d

SHA512
93b5be0290b06ef27619c9fa9877f5d505b95fd6432a02cf98fa6d4c9e63ffd0f54ab1098f01d6eea52a8db5ef9085b089c29ca5241c17c3df2b5416fbab45df

Download Submit
C:\Users\Admin\AppData\Local\Temp\adstipulator

Filesize
84KB

MD5
36a6c59ca0a685351cb6e301b1175cf2

SHA1
ec43b7dc244b99c115cb020009c8793d863f52ec

SHA256
fe9cf3e19127123a57040ab8af31f666e189103d01dcca69badf51e5ea7aa721

SHA512
166c5e3427226a7074047f663916ea6f709c9b93b1fed9d29bbc85ceae39da153bc89f4e4ad68292c53b13a468e6b4bf80e934f97609bb9b9205341538537d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\autC13D.tmp

Filesize
424KB

MD5
949e7bbaa44b9bececb68308f7126107

SHA1
91f09064ce119d2760d5c5e2199484aafad65963

SHA256
f6fec56b7f7493f74db2652f8a2135a9b98247b807f5d28814bef4eb0b263b97

SHA512
bf34fbf722accf9bff52852d9c4fad660eaf75c1b376b0095412d6729d152d5762ff392fb8b1b6595c42c6b66632c80da15124c7f80799bd5ab516b09ea476a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\autC15D.tmp

Filesize
42KB

MD5
0e923da7be1e29bd748f1fb0ce6c7e93

SHA1
e66522172d8abd260c18e132fdfbf3c6602205b4

SHA256
8fbfa0e64da0cee638fdcca4ef8bf82c11bafc5d969628e7b15e6fec507235cc

SHA512
6e82c6b817ad4c0fe4da41cc3989c2b40b02742eb014f0de06277ea181d2265b39c8f8bba2e3740b47cbd719f0dfcd6544f9afab74df9f2c48620bda36fbcaf4

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
1.4MB

MD5
c0585835beb4bef171c0cf8b15e8d5c5

SHA1
db8c9c483776385b86676fa2f3d2d5a49d05bae0

SHA256
d2d047125f00db9f2a56d34b1e1515ff98e593352c59c5aabbc0ca9888aabb31

SHA512
53a4d4e8617327724efe07473c30c0abc83e82ba81b5a0e79317041cca6552be5a6ba202882888bf0516ca5d5b5997d05b4056196192e6256b012cbce131218f

Download Submit
memory/3076-49-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3076-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3076-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3076-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3076-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3076-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3076-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3076-50-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3076-51-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3076-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3076-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3076-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3076-57-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3076-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3076-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3076-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3076-60-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3076-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3076-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3488-11-0x0000000000FD0000-0x0000000000FD4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing