remcos | a4d6765ff194dc15f845e757ae7c6f6c3285e8139cd1c14b88441b0ddc15e23b

General

Target

d37da9a942ea9e9e1c77bebb80951013_JaffaCakes118.exe
Size

350KB
MD5

d37da9a942ea9e9e1c77bebb80951013
SHA1

8fcc64b8ba049e620a42b50f1dacf431f0be6709
SHA256

a4d6765ff194dc15f845e757ae7c6f6c3285e8139cd1c14b88441b0ddc15e23b
SHA512

6840ce08d2ee4d266eed344f0a64d9a37fdae287b610b039ffa6e0d2325250ad5a47198df1481d5429440d36179c8ea4d7c6b29da1de3ba651baf100051a41d1
SSDEEP

6144:qVL0nt7DmqFnKXJx9oe/Y3ZE+yPhiKtOf3G0z857fwhk3c:0uTKnCjZE+yzKyi

Score

10^/10

remcos zeu$discovery rat

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

ZEU$

C2

backup1.gam2ng.pw:3090

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
ZEUS-GXZIJ9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ftondmdnmgr.lnk	ftondmdnmgr.exe

Executes dropped EXE 2 IoCs

pid	Process
2780	ftondmdnmgr.exe
812	ftondmdnmgr.exe

Loads dropped DLL 2 IoCs

pid	Process
2836	cmd.exe
2780	ftondmdnmgr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2780 set thread context of 812	2780	ftondmdnmgr.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d37da9a942ea9e9e1c77bebb80951013_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftondmdnmgr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	d37da9a942ea9e9e1c77bebb80951013_JaffaCakes118.exe
Token: SeDebugPrivilege	2780	ftondmdnmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
812	ftondmdnmgr.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2892	2128	d37da9a942ea9e9e1c77bebb80951013_JaffaCakes118.exe	31
PID 2128 wrote to memory of 2892	2128	d37da9a942ea9e9e1c77bebb80951013_JaffaCakes118.exe	31
PID 2128 wrote to memory of 2892	2128	d37da9a942ea9e9e1c77bebb80951013_JaffaCakes118.exe	31
PID 2128 wrote to memory of 2892	2128	d37da9a942ea9e9e1c77bebb80951013_JaffaCakes118.exe	31
PID 2128 wrote to memory of 2836	2128	d37da9a942ea9e9e1c77bebb80951013_JaffaCakes118.exe	33
PID 2128 wrote to memory of 2836	2128	d37da9a942ea9e9e1c77bebb80951013_JaffaCakes118.exe	33
PID 2128 wrote to memory of 2836	2128	d37da9a942ea9e9e1c77bebb80951013_JaffaCakes118.exe	33
PID 2128 wrote to memory of 2836	2128	d37da9a942ea9e9e1c77bebb80951013_JaffaCakes118.exe	33
PID 2836 wrote to memory of 2780	2836	cmd.exe	35
PID 2836 wrote to memory of 2780	2836	cmd.exe	35
PID 2836 wrote to memory of 2780	2836	cmd.exe	35
PID 2836 wrote to memory of 2780	2836	cmd.exe	35
PID 2780 wrote to memory of 812	2780	ftondmdnmgr.exe	36
PID 2780 wrote to memory of 812	2780	ftondmdnmgr.exe	36
PID 2780 wrote to memory of 812	2780	ftondmdnmgr.exe	36
PID 2780 wrote to memory of 812	2780	ftondmdnmgr.exe	36
PID 2780 wrote to memory of 812	2780	ftondmdnmgr.exe	36
PID 2780 wrote to memory of 812	2780	ftondmdnmgr.exe	36
PID 2780 wrote to memory of 812	2780	ftondmdnmgr.exe	36
PID 2780 wrote to memory of 812	2780	ftondmdnmgr.exe	36
PID 2780 wrote to memory of 812	2780	ftondmdnmgr.exe	36
PID 2780 wrote to memory of 812	2780	ftondmdnmgr.exe	36
PID 2780 wrote to memory of 812	2780	ftondmdnmgr.exe	36

C:\Users\Admin\AppData\Local\Temp\d37da9a942ea9e9e1c77bebb80951013_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d37da9a942ea9e9e1c77bebb80951013_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\d37da9a942ea9e9e1c77bebb80951013_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\ftondmdnmgr.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2892
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\ftondmdnmgr.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Local\ftondmdnmgr.exe
    "C:\Users\Admin\AppData\Local\ftondmdnmgr.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Users\Admin\AppData\Local\ftondmdnmgr.exe
      "C:\Users\Admin\AppData\Local\ftondmdnmgr.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ftondmdnmgr.exe

Filesize
350KB

MD5
d37da9a942ea9e9e1c77bebb80951013

SHA1
8fcc64b8ba049e620a42b50f1dacf431f0be6709

SHA256
a4d6765ff194dc15f845e757ae7c6f6c3285e8139cd1c14b88441b0ddc15e23b

SHA512
6840ce08d2ee4d266eed344f0a64d9a37fdae287b610b039ffa6e0d2325250ad5a47198df1481d5429440d36179c8ea4d7c6b29da1de3ba651baf100051a41d1

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat

Filesize
74B

MD5
fe7ace77209209b7e0df6b7b9a236e8e

SHA1
83bca3ae5ef39dc7da9c2908620b43015774f888

SHA256
a79f64f737ed7280737df072a29b8cf7716e9500f3e7e723891821c4aca86029

SHA512
1630cc597aadbd88691660ae83dc3d1b234ff2ddd9422a55d8f41c03d9442c3a965138b47430c9b2029de143164b07a0fcac11fcf08ebb7148a29f451b613d5c

Download Submit
memory/812-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-26-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-22-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/812-20-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2128-5-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2128-4-0x000000007408E000-0x000000007408F000-memory.dmp

Filesize
4KB

Download
memory/2128-10-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2128-6-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2128-1-0x0000000000070000-0x00000000000CE000-memory.dmp

Filesize
376KB

Download
memory/2128-2-0x00000000002D0000-0x00000000002E8000-memory.dmp

Filesize
96KB

Download
memory/2128-3-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2128-7-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2128-0-0x000000007408E000-0x000000007408F000-memory.dmp

Filesize
4KB

Download
memory/2780-17-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2780-27-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2780-28-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2780-16-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2780-14-0x00000000013D0000-0x000000000142E000-memory.dmp

Filesize
376KB

Download
memory/2780-15-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing