remcos | 225208604a37e48e621de38e69093f57ff5e8689bd80de4104682dd5ccff70c1

General

Target

NDA_MD580 project.exe
Size

733KB
MD5

d6bd509dcf7948039b0dbe0401c0c951
SHA1

22a59ba5c6776efbaf0408584170e41a56ecb2ab
SHA256

225208604a37e48e621de38e69093f57ff5e8689bd80de4104682dd5ccff70c1
SHA512

d7004114819aec85bab328f5eb523056cf98d92d7caf1cff3857acdf0c49f96727a20acca74c1e346d3e95b769f7d54bda36df6684c4a889ca1f158d20140dfa
SSDEEP

6144:dnPdudwDohxr5oMPxPyIYeU6ZAtzgPHRKf7EkO153eM/AtYFV4mIWOZi7c0sMELO:dnPdCpJP3GU/QAkObeMbFx7c0FJjIin

Score

10^/10

remcos remcofile discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

Remcofile

C2

192.210.150.17:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-RX4C8F
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1260	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2784	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1260	powershell.exe
2784	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1260 set thread context of 2784	1260	powershell.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NDA_MD580 project.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1260	powershell.exe
1260	powershell.exe
1260	powershell.exe
1260	powershell.exe
1260	powershell.exe
1260	powershell.exe
1260	powershell.exe
1260	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1260	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1260	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 1260	1916	NDA_MD580 project.exe	30
PID 1916 wrote to memory of 1260	1916	NDA_MD580 project.exe	30
PID 1916 wrote to memory of 1260	1916	NDA_MD580 project.exe	30
PID 1916 wrote to memory of 1260	1916	NDA_MD580 project.exe	30
PID 1260 wrote to memory of 2784	1260	powershell.exe	34
PID 1260 wrote to memory of 2784	1260	powershell.exe	34
PID 1260 wrote to memory of 2784	1260	powershell.exe	34
PID 1260 wrote to memory of 2784	1260	powershell.exe	34
PID 1260 wrote to memory of 2784	1260	powershell.exe	34
PID 1260 wrote to memory of 2784	1260	powershell.exe	34

C:\Users\Admin\AppData\Local\Temp\NDA_MD580 project.exe
"C:\Users\Admin\AppData\Local\Temp\NDA_MD580 project.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Bedrifternes117=Get-Content 'C:\Users\Admin\AppData\Local\Calvarias\Rehoboth\Coadjustment.Rag';$Mallender42=$Bedrifternes117.SubString(55282,3);.$Mallender42($Bedrifternes117) "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Program Files (x86)\windows mail\wab.exe
    "C:\Program Files (x86)\windows mail\wab.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Calvarias\Berserker.Ade

Filesize
307KB

MD5
5a037d560e98190008c00c68249531ea

SHA1
d3c21942ad3bbd0dca52e7a946c40c944e24cb38

SHA256
99d853b8f87043c473b4d53335a696041a8dfaa8c90904e24c05ca138bd5768e

SHA512
34503fb06b3837120fe016b2bf3d1e48edd65a1b2df39f1a2d1b7fb541e7c892faa036162730232ef2e797c5d605e128939c8d2d3c77ce1394dd1381ea773f82

Download Submit
C:\Users\Admin\AppData\Local\Calvarias\Rehoboth\Coadjustment.Rag

Filesize
54KB

MD5
434d326a410ac833d1816351902853e0

SHA1
d95730fa5608ef3bb40d17b5c2205acf971c74df

SHA256
c1786a210289c1c549a24fe84da5ce9881eb5a4a3e0f2fb2eb724c7afed1edb8

SHA512
20e5ca642f1c93cbed3ef9bdda64ce5f2e8ee40a9cb0b553cda78c2a5acc4f57d6d9a503f2a98aa98a930789a54924d173f402f6aa3f1aa1d6cb7ac3f9e45db4

Download Submit
memory/1260-8-0x0000000074591000-0x0000000074592000-memory.dmp

Filesize
4KB

Download
memory/1260-9-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/1260-10-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/1260-11-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/1260-12-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/1260-15-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/1260-17-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/1260-18-0x0000000006780000-0x0000000009F39000-memory.dmp

Filesize
55.7MB

Download
memory/1260-19-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/2784-24-0x0000000000DE0000-0x0000000001E42000-memory.dmp

Filesize
16.4MB

Download
memory/2784-31-0x0000000000DE0000-0x0000000001E42000-memory.dmp

Filesize
16.4MB

Download
memory/2784-26-0x0000000000DE0000-0x0000000001E42000-memory.dmp

Filesize
16.4MB

Download
memory/2784-27-0x0000000000DE0000-0x0000000001E42000-memory.dmp

Filesize
16.4MB

Download
memory/2784-28-0x0000000000DE0000-0x0000000001E42000-memory.dmp

Filesize
16.4MB

Download
memory/2784-29-0x0000000000DE0000-0x0000000001E42000-memory.dmp

Filesize
16.4MB

Download
memory/2784-30-0x0000000000DE0000-0x0000000001E42000-memory.dmp

Filesize
16.4MB

Download
memory/2784-20-0x0000000000DE0000-0x0000000001E42000-memory.dmp

Filesize
16.4MB

Download
memory/2784-32-0x0000000000DE0000-0x0000000001E42000-memory.dmp

Filesize
16.4MB

Download
memory/2784-33-0x0000000000DE0000-0x0000000001E42000-memory.dmp

Filesize
16.4MB

Download
memory/2784-34-0x0000000000DE0000-0x0000000001E42000-memory.dmp

Filesize
16.4MB

Download
memory/2784-35-0x0000000000DE0000-0x0000000001E42000-memory.dmp

Filesize
16.4MB

Download
memory/2784-36-0x0000000000DE0000-0x0000000001E42000-memory.dmp

Filesize
16.4MB

Download
memory/2784-37-0x0000000000DE0000-0x0000000001E42000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing