remcos | 4df31cab3c799c3713a6b86b1f5e114da9d67dee6bb5a35e2b125367417c8246

Analysis

max time kernel
600s
max time network
595s
platform
windows10-2004_x64
resource
win10v2004-20240802-es
resource tags

arch:x64arch:x86image:win10v2004-20240802-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
09-09-2024 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

out_sig.exe
Size

1.5MB
MD5

a2f672a48f20f69a981c24c4ac9f7a34
SHA1

2afc0f87c56665a55ca318c795e7035c1a525c9e
SHA256

4df31cab3c799c3713a6b86b1f5e114da9d67dee6bb5a35e2b125367417c8246
SHA512

ae585705cdd8acdb09c46e79d480c2a0e046b03836351991d95d861257376aed0dfa36705d3f611ac949094c729c01097cfb11c458fb6f16f7f79437aec349bf
SSDEEP

49152:Bf7I4o2DzfAgaLv6NNPB5RcAuOj0OSESM690XY/+Xn1wexsXl0q:U90X3n1hxsVv

Score

10^/10

remcos nauvaler discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

NAUVALER

confrewdsfgfs.con-ip.com:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-882UHO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VentUSB = "C:\\Users\\Admin\\Pictures\\Vent\\VentUsbTool.exe"	out_sig.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	out_sig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	out_sig.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3552	out_sig.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 3552	1332	out_sig.exe	93
PID 1332 wrote to memory of 3552	1332	out_sig.exe	93
PID 1332 wrote to memory of 3552	1332	out_sig.exe	93
PID 1332 wrote to memory of 3552	1332	out_sig.exe	93
PID 1332 wrote to memory of 3552	1332	out_sig.exe	93

C:\Users\Admin\AppData\Local\Temp\out_sig.exe
"C:\Users\Admin\AppData\Local\Temp\out_sig.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Users\Admin\AppData\Local\Temp\out_sig.exe
  "C:\Users\Admin\AppData\Local\Temp\out_sig.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
8d024cffee6cd53579de003fb9eede8f

SHA1
60fa05466d5d8fe3d99b3d6ce8e368647b51cc72

SHA256
fdfd33d2954857698894809d619f95e8e59d83d0ddd1e49a44da1615d7425269

SHA512
0b2b1be7eb2efcf4571a5d9b0d7835f2f4415f862dc2145b4a29fd5daf4c6c7d6b0514e556c979c007a51dc517931438eca9379929b026eeeedeff01b221e5b2

Download Submit
memory/1332-1-0x0000000000407000-0x0000000000420000-memory.dmp

Filesize
100KB

Download
memory/1332-0-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download
memory/1332-2-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download
memory/1332-4-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download
memory/1332-6-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download
memory/1332-12-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download
memory/1332-11-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download
memory/1332-29-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download
memory/1332-7-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download
memory/1332-28-0x0000000000407000-0x0000000000420000-memory.dmp

Filesize
100KB

Download
memory/3552-26-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/3552-37-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/3552-15-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download
memory/3552-20-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/3552-21-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/3552-22-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/3552-23-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/3552-19-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/3552-27-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/3552-14-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/3552-13-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/3552-8-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/3552-36-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/3552-16-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/3552-52-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/3552-60-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/3552-61-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/3552-68-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/3552-69-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/3552-76-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/3552-84-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/3552-85-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/3552-100-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/3552-108-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/3552-124-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/3552-125-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/3552-132-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/3552-140-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads