remcos | 1943df8688bbc02b45e5f91882b3408a654893168cdcf07e2bea8b507f7131e5

General

Target

d24d76d03365122aa5a4a7828a2d14368066da840ae8945cf595a6b17ceca700.exe
Size

807KB
MD5

b17e1003bb9bbe58e090c7752447c016
SHA1

a159b486e535469d4c49b227d27608f2ad48288e
SHA256

d24d76d03365122aa5a4a7828a2d14368066da840ae8945cf595a6b17ceca700
SHA512

05077e35558e1bb636596d7a8c6b66f9554ecf8e057f61c3cf7f4af91c19f898943a5dc8b1f13914b231e09671a36631e2490e0b32799250537a375dad83af3a
SSDEEP

24576:4BXu9HGaVHUVeaBzcvMgTvk+39ABn8ApTZl:4w9VHUVebvjT19ABfp

Score

10^/10

remcos remotehost discovery rat upx

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

45.95.169.104:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-S3AD48
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 1 IoCs

pid	Process
2616	name.exe

Loads dropped DLL 1 IoCs

pid	Process
2212	d24d76d03365122aa5a4a7828a2d14368066da840ae8945cf595a6b17ceca700.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2212-10-0x0000000000300000-0x00000000004C1000-memory.dmp	upx
behavioral1/files/0x000700000001924a-14.dat	upx
behavioral1/memory/2212-18-0x0000000002CF0000-0x0000000002EB1000-memory.dmp	upx
behavioral1/memory/2212-20-0x0000000000300000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2616-22-0x00000000008C0000-0x0000000000A81000-memory.dmp	upx
behavioral1/memory/2616-41-0x00000000008C0000-0x0000000000A81000-memory.dmp	upx

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2212-20-0x0000000000300000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral1/memory/2616-22-0x00000000008C0000-0x0000000000A81000-memory.dmp	autoit_exe
behavioral1/memory/2616-41-0x00000000008C0000-0x0000000000A81000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2616 set thread context of 2612	2616	name.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d24d76d03365122aa5a4a7828a2d14368066da840ae8945cf595a6b17ceca700.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2616	name.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2212	d24d76d03365122aa5a4a7828a2d14368066da840ae8945cf595a6b17ceca700.exe
2212	d24d76d03365122aa5a4a7828a2d14368066da840ae8945cf595a6b17ceca700.exe
2616	name.exe
2616	name.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2212	d24d76d03365122aa5a4a7828a2d14368066da840ae8945cf595a6b17ceca700.exe
2212	d24d76d03365122aa5a4a7828a2d14368066da840ae8945cf595a6b17ceca700.exe
2616	name.exe
2616	name.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2612	svchost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2616	2212	d24d76d03365122aa5a4a7828a2d14368066da840ae8945cf595a6b17ceca700.exe	30
PID 2212 wrote to memory of 2616	2212	d24d76d03365122aa5a4a7828a2d14368066da840ae8945cf595a6b17ceca700.exe	30
PID 2212 wrote to memory of 2616	2212	d24d76d03365122aa5a4a7828a2d14368066da840ae8945cf595a6b17ceca700.exe	30
PID 2212 wrote to memory of 2616	2212	d24d76d03365122aa5a4a7828a2d14368066da840ae8945cf595a6b17ceca700.exe	30
PID 2616 wrote to memory of 2612	2616	name.exe	31
PID 2616 wrote to memory of 2612	2616	name.exe	31
PID 2616 wrote to memory of 2612	2616	name.exe	31
PID 2616 wrote to memory of 2612	2616	name.exe	31
PID 2616 wrote to memory of 2612	2616	name.exe	31

C:\Users\Admin\AppData\Local\Temp\d24d76d03365122aa5a4a7828a2d14368066da840ae8945cf595a6b17ceca700.exe
"C:\Users\Admin\AppData\Local\Temp\d24d76d03365122aa5a4a7828a2d14368066da840ae8945cf595a6b17ceca700.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\directory\name.exe
  "C:\Users\Admin\AppData\Local\Temp\d24d76d03365122aa5a4a7828a2d14368066da840ae8945cf595a6b17ceca700.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\d24d76d03365122aa5a4a7828a2d14368066da840ae8945cf595a6b17ceca700.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2612

Network

No results found

45.95.169.104:2404

svchost.exe

152 B
3
45.95.169.104:2404

svchost.exe

152 B
3
45.95.169.104:2404

svchost.exe

152 B
3
45.95.169.104:2404

svchost.exe

152 B
3
45.95.169.104:2404

svchost.exe

152 B
3
45.95.169.104:2404

svchost.exe

152 B
3
45.95.169.104:2404

svchost.exe

152 B
3

No results found

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
184B

MD5
30c6a1c9e683c99cd047f60364360c6a

SHA1
78c4b5ece0aab56ab382895b62c878222babf40f

SHA256
4ef229f93235b10c78346e983f2652f97318a1a34493394d38bb925c72b475cf

SHA512
f10500e9df5daa9199694adc3e43af5b98eddd4101eaf65ff3b263839c1f88631edab1ddd65442dbbf3ffeb3f03459eff71803ea1abecb02e5e24b02a94eeefd

Download Submit
C:\Users\Admin\AppData\Local\Temp\intemeration

Filesize
252KB

MD5
853be9124b51e48f5d850a835321ce11

SHA1
27873a837151fb53b7656c34a565745b84e38342

SHA256
bb2a93bd61d6f95e4c9f0d4129d38633270df2128c57b97f5406655861030d0b

SHA512
192d1b16b630ba3237f19f5bad187304b035c2c5c07af9db05c7f4df763121d8b682a732d8728068dd92bd3d6bef2ed98c8c3efffd0cfc87126894108e1b23fd

Download Submit
\Users\Admin\AppData\Local\directory\name.exe

Filesize
807KB

MD5
b17e1003bb9bbe58e090c7752447c016

SHA1
a159b486e535469d4c49b227d27608f2ad48288e

SHA256
d24d76d03365122aa5a4a7828a2d14368066da840ae8945cf595a6b17ceca700

SHA512
05077e35558e1bb636596d7a8c6b66f9554ecf8e057f61c3cf7f4af91c19f898943a5dc8b1f13914b231e09671a36631e2490e0b32799250537a375dad83af3a

Download Submit
memory/2212-10-0x0000000000300000-0x00000000004C1000-memory.dmp

Filesize
1.8MB

Download
memory/2212-12-0x0000000000240000-0x0000000000244000-memory.dmp

Filesize
16KB

Download
memory/2212-18-0x0000000002CF0000-0x0000000002EB1000-memory.dmp

Filesize
1.8MB

Download
memory/2212-20-0x0000000000300000-0x00000000004C1000-memory.dmp

Filesize
1.8MB

Download
memory/2612-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2612-60-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2612-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2612-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2612-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2612-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2612-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2612-50-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2612-87-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2612-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2612-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2612-86-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2612-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2612-67-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2612-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2612-73-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2612-74-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2612-79-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2612-81-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2616-41-0x00000000008C0000-0x0000000000A81000-memory.dmp

Filesize
1.8MB

Download
memory/2616-22-0x00000000008C0000-0x0000000000A81000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing