remcos | a4d6765ff194dc15f845e757ae7c6f6c3285e8139cd1c14b88441b0ddc15e23b

General

Target

d37da9a942ea9e9e1c77bebb80951013_JaffaCakes118.exe
Size

350KB
MD5

d37da9a942ea9e9e1c77bebb80951013
SHA1

8fcc64b8ba049e620a42b50f1dacf431f0be6709
SHA256

a4d6765ff194dc15f845e757ae7c6f6c3285e8139cd1c14b88441b0ddc15e23b
SHA512

6840ce08d2ee4d266eed344f0a64d9a37fdae287b610b039ffa6e0d2325250ad5a47198df1481d5429440d36179c8ea4d7c6b29da1de3ba651baf100051a41d1
SSDEEP

6144:qVL0nt7DmqFnKXJx9oe/Y3ZE+yPhiKtOf3G0z857fwhk3c:0uTKnCjZE+yzKyi

Score

10^/10

remcos zeu$discovery rat

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

ZEU$

C2

backup1.gam2ng.pw:3090

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
ZEUS-GXZIJ9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	d37da9a942ea9e9e1c77bebb80951013_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ftondmdnmgr.lnk	ftondmdnmgr.exe

Executes dropped EXE 2 IoCs

pid	Process
4280	ftondmdnmgr.exe
5024	ftondmdnmgr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4280 set thread context of 5024	4280	ftondmdnmgr.exe	108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftondmdnmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d37da9a942ea9e9e1c77bebb80951013_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2244	d37da9a942ea9e9e1c77bebb80951013_JaffaCakes118.exe
Token: SeDebugPrivilege	4280	ftondmdnmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5024	ftondmdnmgr.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2220	2244	d37da9a942ea9e9e1c77bebb80951013_JaffaCakes118.exe	103
PID 2244 wrote to memory of 2220	2244	d37da9a942ea9e9e1c77bebb80951013_JaffaCakes118.exe	103
PID 2244 wrote to memory of 2220	2244	d37da9a942ea9e9e1c77bebb80951013_JaffaCakes118.exe	103
PID 2244 wrote to memory of 4560	2244	d37da9a942ea9e9e1c77bebb80951013_JaffaCakes118.exe	105
PID 2244 wrote to memory of 4560	2244	d37da9a942ea9e9e1c77bebb80951013_JaffaCakes118.exe	105
PID 2244 wrote to memory of 4560	2244	d37da9a942ea9e9e1c77bebb80951013_JaffaCakes118.exe	105
PID 4560 wrote to memory of 4280	4560	cmd.exe	107
PID 4560 wrote to memory of 4280	4560	cmd.exe	107
PID 4560 wrote to memory of 4280	4560	cmd.exe	107
PID 4280 wrote to memory of 5024	4280	ftondmdnmgr.exe	108
PID 4280 wrote to memory of 5024	4280	ftondmdnmgr.exe	108
PID 4280 wrote to memory of 5024	4280	ftondmdnmgr.exe	108
PID 4280 wrote to memory of 5024	4280	ftondmdnmgr.exe	108
PID 4280 wrote to memory of 5024	4280	ftondmdnmgr.exe	108
PID 4280 wrote to memory of 5024	4280	ftondmdnmgr.exe	108
PID 4280 wrote to memory of 5024	4280	ftondmdnmgr.exe	108
PID 4280 wrote to memory of 5024	4280	ftondmdnmgr.exe	108
PID 4280 wrote to memory of 5024	4280	ftondmdnmgr.exe	108
PID 4280 wrote to memory of 5024	4280	ftondmdnmgr.exe	108

C:\Users\Admin\AppData\Local\Temp\d37da9a942ea9e9e1c77bebb80951013_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d37da9a942ea9e9e1c77bebb80951013_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\d37da9a942ea9e9e1c77bebb80951013_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\ftondmdnmgr.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2220
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\ftondmdnmgr.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Users\Admin\AppData\Local\ftondmdnmgr.exe
    "C:\Users\Admin\AppData\Local\ftondmdnmgr.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Users\Admin\AppData\Local\ftondmdnmgr.exe
      "C:\Users\Admin\AppData\Local\ftondmdnmgr.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4416,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4352 /prefetch:8
1⤵
PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ftondmdnmgr.exe

Filesize
350KB

MD5
d37da9a942ea9e9e1c77bebb80951013

SHA1
8fcc64b8ba049e620a42b50f1dacf431f0be6709

SHA256
a4d6765ff194dc15f845e757ae7c6f6c3285e8139cd1c14b88441b0ddc15e23b

SHA512
6840ce08d2ee4d266eed344f0a64d9a37fdae287b610b039ffa6e0d2325250ad5a47198df1481d5429440d36179c8ea4d7c6b29da1de3ba651baf100051a41d1

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat

Filesize
74B

MD5
d70352bf193fddf9ecf775a3f9134e53

SHA1
19f104c4bb892197316f1106350fc7848046ef45

SHA256
5e2883039f84f1a6d57f8e539fa93d7246c6df3a0f7a9b4832cded6501976075

SHA512
822adb722df2ab25a585d914f5e4cddf61cc0e46ad84233fac11edba1acefed33bf461d69bd39afd1e9830a1800edda4752ba7301824a9c4cffe8b7df0ff1591

Download Submit
memory/2244-5-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/2244-3-0x00000000059A0000-0x0000000005A32000-memory.dmp

Filesize
584KB

Download
memory/2244-4-0x00000000060F0000-0x0000000006694000-memory.dmp

Filesize
5.6MB

Download
memory/2244-6-0x0000000005A40000-0x0000000005A84000-memory.dmp

Filesize
272KB

Download
memory/2244-2-0x0000000005870000-0x0000000005888000-memory.dmp

Filesize
96KB

Download
memory/2244-7-0x00000000750EE000-0x00000000750EF000-memory.dmp

Filesize
4KB

Download
memory/2244-8-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/2244-9-0x0000000006060000-0x00000000060C6000-memory.dmp

Filesize
408KB

Download
memory/2244-13-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/2244-1-0x0000000000EC0000-0x0000000000F1E000-memory.dmp

Filesize
376KB

Download
memory/2244-0-0x00000000750EE000-0x00000000750EF000-memory.dmp

Filesize
4KB

Download
memory/4280-17-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/4280-19-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/4280-29-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/4280-32-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/4280-18-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/5024-21-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5024-24-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5024-25-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5024-28-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5024-30-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5024-34-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing