Overview

overview

10

Static

static

10

d819e34aab...b8.exe

windows7-x64

10

d819e34aab...b8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-09-2024 13:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d819e34aab150310ecd4730140f3568bcc72531c9959e80353497e0f700fecb8.exe

  • Size

    469KB

  • MD5

    722834785974c29b7422d7d06012ce78

  • SHA1

    f1d099552614514b690a6eaa1db898601dd38ce0

  • SHA256

    d819e34aab150310ecd4730140f3568bcc72531c9959e80353497e0f700fecb8

  • SHA512

    2020af70096abef0623a792471eccf2e7cdb44393304d4f50e71dc16cf8e9a185328bc209a5bfc09b67c6dc7d76319b28b2fc249388c4341ab82be6c289e4af8

  • SSDEEP

    12288:Imnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSjn9:4iLJbpI7I2WhQqZ7j9

Score
10/10
remcosremotehostdiscoverypersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

firsyt205919-48538.portmap.host:48538

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %SystemDrive%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %WinDir%\System32

  • mouse_option

    false

  • mutex

    Rmc-MV66H0

  • screenshot_crypt

    true

  • screenshot_flag

    true

  • screenshot_folder

    Screenshots

  • screenshot_path

    %Temp%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    true

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d819e34aab150310ecd4730140f3568bcc72531c9959e80353497e0f700fecb8.exe
    "C:\Users\Admin\AppData\Local\Temp\d819e34aab150310ecd4730140f3568bcc72531c9959e80353497e0f700fecb8.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4780
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4352
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "C:\Remcos\remcos.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4692
        • C:\Remcos\remcos.exe
          C:\Remcos\remcos.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:4416
          • \??\c:\program files (x86)\internet explorer\iexplore.exe
            "c:\program files (x86)\internet explorer\iexplore.exe"
            5⤵
              PID:4732

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Remcos\remcos.exe
      Filesize

      469KB

      MD5

      722834785974c29b7422d7d06012ce78

      SHA1

      f1d099552614514b690a6eaa1db898601dd38ce0

      SHA256

      d819e34aab150310ecd4730140f3568bcc72531c9959e80353497e0f700fecb8

      SHA512

      2020af70096abef0623a792471eccf2e7cdb44393304d4f50e71dc16cf8e9a185328bc209a5bfc09b67c6dc7d76319b28b2fc249388c4341ab82be6c289e4af8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\install.vbs
      Filesize

      362B

      MD5

      bf073fea4f0dc0dd4396a28625365359

      SHA1

      ade8ba17f8966408e913ed6fef7f8a74edba4c5f

      SHA256

      051b2712be665237334d3ce6faa46eb64e7742587736385ea0162c4fa64ba59a

      SHA512

      f76deba47027204bfce82d62c21b87ec51e1c2f97a4c1575ab7b64fe7de47659d4f1f8a5f228a3446789353d7bf359ddb257d98340c75974139bc3afc002d446

      Download Submit

    • memory/4732-10-0x0000000001300000-0x000000000137F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/4732-11-0x0000000001300000-0x000000000137F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/4732-12-0x0000000001300000-0x000000000137F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/4732-9-0x0000000001300000-0x000000000137F000-memory.dmp

      Filesize

      508KB

      Download