remcos | e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd

General

Target

e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
Size

1.3MB
MD5

6f08daf72f8c43925d335bf0d49d4708
SHA1

7cd93559bad31f403ec423f238f74d518dbebe48
SHA256

e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd
SHA512

be4180b053c16a11d21e30953c801cb356a2728664037cbfa26eb2741a5fc226841679ce9dc26a96ffbcfaf938b92aff7a2883551ebe140ada058af554bfa94c
SSDEEP

24576:oqDEvCTbMWu7rQYlBQcBiT6rprG8aTXIgQE2jYu40RL3pmQv1oqO:oTvC/MTQYxsWR7aTviY12tv1oq

Score

10^/10

remcos remotehost discovery rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

www.osiman.fun:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-MF77YB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 1 IoCs

pid	Process
2916	name.exe

Loads dropped DLL 1 IoCs

pid	Process
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000d000000018b6e-13.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2916 set thread context of 2744	2916	name.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2916	name.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe
2916	name.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2744	svchost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2916	2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe	29
PID 2104 wrote to memory of 2916	2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe	29
PID 2104 wrote to memory of 2916	2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe	29
PID 2104 wrote to memory of 2916	2104	e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe	29
PID 2916 wrote to memory of 2744	2916	name.exe	30
PID 2916 wrote to memory of 2744	2916	name.exe	30
PID 2916 wrote to memory of 2744	2916	name.exe	30
PID 2916 wrote to memory of 2744	2916	name.exe	30
PID 2916 wrote to memory of 2744	2916	name.exe	30

C:\Users\Admin\AppData\Local\Temp\e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe
"C:\Users\Admin\AppData\Local\Temp\e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Local\directory\name.exe
  "C:\Users\Admin\AppData\Local\Temp\e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
0597a3e6037349259c6512f95dd66869

SHA1
85e4382be2cfe1082f49b90a5beac4f5b70ee200

SHA256
587ae1797c5bd565c584fb6ac6706034085b0cb1421074d5441e3a5a67c9e4c8

SHA512
7dd4257b1ab3ef4388ea705f882a66c0211817f46b7adf8b20c623fcda958da9f87140ba907874f063831416b513aebbef93e11eadf1b306b5b85d2669894a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\bankrupture

Filesize
84KB

MD5
2db8171fbd634a7fa0e9f7d8ef1162e8

SHA1
98415b1aebe12735b25e7aeba116ef3a432f68af

SHA256
10d925b0b3ee94ea27466f36d6f7b7f701ca8016338632a3de541af14d499fc2

SHA512
8dc011a09d1ca25b55f7385d640fa84620a6e505c1e46fed8b94ad6bc62d0ddd84bc4b2bd26e07f5bf6f7f8e3c2a27cc705e60b58b0212c81d05da2973ecaf64

Download Submit
\Users\Admin\AppData\Local\directory\name.exe

Filesize
1.3MB

MD5
6f08daf72f8c43925d335bf0d49d4708

SHA1
7cd93559bad31f403ec423f238f74d518dbebe48

SHA256
e813b824b28bb1c4307a715fa97927fee29f360bc2aaec418802b4c3ea66c3fd

SHA512
be4180b053c16a11d21e30953c801cb356a2728664037cbfa26eb2741a5fc226841679ce9dc26a96ffbcfaf938b92aff7a2883551ebe140ada058af554bfa94c

Download Submit
memory/2104-11-0x00000000002C0000-0x00000000002C4000-memory.dmp

Filesize
16KB

Download
memory/2744-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2744-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2744-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2744-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2744-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2744-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing