remcos | 15793586c3009951f5629e509728de4bb42a5bab16ff5ee69c50f60264f90d01

Analysis

max time kernel
132s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Godaddy Checker Cracked/data/log.exe
Size

92KB
MD5

4daae6c7d8deeb9c398da69c722d5dfa
SHA1

fe3c3cdbc61ec00584f7d6ebdf0cae27e013c6b0
SHA256

690e5292cdbff69ed08e971ebb61261a4f0a9e2483aacb93b675f5ac3826ac06
SHA512

00ef31e6161741e427bda90457e9c6e192886637087278eac6b59872e3327a919b3a197ab40f9d367ca1651d10130ec9a267c772abf4d1e0b9c3e111b818148a
SSDEEP

1536:ohhW0YTGZWdVseJxaM9kraLdV2QkQ1TbPX8IHOCkIsI4ESHNTh9E+JP19qkP6ArO:uhzYTGWVvJ8f2v1TbPzuMsIFSHNThy+a

Score

10^/10

remcos host discovery evasion persistence rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

vshield.publicvm.com:5151

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
chrome.exe
copy_folder
Google Chrome
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Google Chrome
keylog_path
%AppData%
mouse_option
true
mutex
remcos_ykhychcufk
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
chrome
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
paypal;amazon;nulled.to;cracked.to;ebay;blockchain;coinbase

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\chrome.exe\""	log.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\chrome.exe\""	log.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\chrome.exe\""	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\chrome.exe\""	chrome.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	log.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrome.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	log.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\chrome = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\chrome.exe\""	log.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\chrome = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\chrome.exe\""	chrome.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	log.exe

Executes dropped EXE 1 IoCs

pid	Process
2928	chrome.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\chrome = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\chrome.exe\""	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\chrome.exe\""	log.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\chrome = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\chrome.exe\""	log.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\chrome.exe\""	chrome.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	chrome.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	log.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	log.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4136	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4136	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2928	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2928	chrome.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 1824	2900	log.exe	86
PID 2900 wrote to memory of 1824	2900	log.exe	86
PID 2900 wrote to memory of 1824	2900	log.exe	86
PID 1824 wrote to memory of 4136	1824	cmd.exe	88
PID 1824 wrote to memory of 4136	1824	cmd.exe	88
PID 1824 wrote to memory of 4136	1824	cmd.exe	88
PID 1824 wrote to memory of 2928	1824	cmd.exe	89
PID 1824 wrote to memory of 2928	1824	cmd.exe	89
PID 1824 wrote to memory of 2928	1824	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\Godaddy Checker Cracked\data\log.exe
"C:\Users\Admin\AppData\Local\Temp\Godaddy Checker Cracked\data\log.exe"
1⤵
- Modifies WinLogon for persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Adds policy Run key to start application
- Checks computer location settings
- Adds Run key to start application
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 2
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4136
- - C:\Users\Admin\AppData\Roaming\Google Chrome\chrome.exe
    "C:\Users\Admin\AppData\Roaming\Google Chrome\chrome.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies WinLogon
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
106B

MD5
e4f4700738e33258cdbee476f5675217

SHA1
23644b39aa13334e1edab2632a0b78d41dcc42a4

SHA256
9636ee8e98fd8636f12714bfb323f3d1010d18dae6dbbba86766e1711348243c

SHA512
02c424ab221a85fc1ddcfc5137c10b6317b732cab63e993cd70d9f28b3e6df9dd9a3493f2ce146bf672be002b627b1c1a57cfd5ba9162db68c8f6f219adab5f6

Download Submit
C:\Users\Admin\AppData\Roaming\Google Chrome\chrome.exe

Filesize
92KB

MD5
4daae6c7d8deeb9c398da69c722d5dfa

SHA1
fe3c3cdbc61ec00584f7d6ebdf0cae27e013c6b0

SHA256
690e5292cdbff69ed08e971ebb61261a4f0a9e2483aacb93b675f5ac3826ac06

SHA512
00ef31e6161741e427bda90457e9c6e192886637087278eac6b59872e3327a919b3a197ab40f9d367ca1651d10130ec9a267c772abf4d1e0b9c3e111b818148a

Download Submit
C:\Users\Admin\AppData\Roaming\Screens\2.png

Filesize
435KB

MD5
ec2b094f08c7d8924e5676a68f715eab

SHA1
6ea1ed3f54ef5448011f3e18c8845815fd8a1918

SHA256
0146bb6d04b78d7ebaab01769889fa8a15ed97ac7933c22bb65e75972aae41b9

SHA512
d4665820e908e6b70dfb4304948caa754cf666ba633c170afa4a06c6705a422a46b7f861cd8b1df1755f8f930f61098b57aa46d3abd6d06252521ffa97c84c04

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads