remcos | fdd537629a777eb117900f86855e71df1f0bb5b53349d682030787bef3d5dd3b

General

Target

e0adf621d598065f9833243390df1aa0N.exe
Size

2.1MB
MD5

e0adf621d598065f9833243390df1aa0
SHA1

b546d2b828bc1291c53318d68c34de3f149b25a5
SHA256

fdd537629a777eb117900f86855e71df1f0bb5b53349d682030787bef3d5dd3b
SHA512

0f2726103b6b0cee83107253508e5871a2a47ae4d23420962e034387fd20dbf172fe51e7fdf591cbd7298c907c92a51f23ecacc2b6662f83484ec9333bfc8890
SSDEEP

24576:CD39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPjYF4avnXJJJK:Cp7E+QrFUBgq2Sns

Score

10^/10

remcos host discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Host

C2

213.183.58.19:4000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
read.dat
keylog_flag
false
keylog_folder
CastC
keylog_path
%AppData%
mouse_option
false
mutex
remcos_sccafsoidz
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	e0adf621d598065f9833243390df1aa0N.exe

Executes dropped EXE 2 IoCs

pid	Process
4308	sbietrcl.exe
3744	sbietrcl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\sbietrcl.exe"	e0adf621d598065f9833243390df1aa0N.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4308 set thread context of 3744	4308	sbietrcl.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0adf621d598065f9833243390df1aa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sbietrcl.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
784	e0adf621d598065f9833243390df1aa0N.exe
784	e0adf621d598065f9833243390df1aa0N.exe
784	e0adf621d598065f9833243390df1aa0N.exe
784	e0adf621d598065f9833243390df1aa0N.exe
784	e0adf621d598065f9833243390df1aa0N.exe
784	e0adf621d598065f9833243390df1aa0N.exe
4308	sbietrcl.exe
4308	sbietrcl.exe
4308	sbietrcl.exe
4308	sbietrcl.exe
4308	sbietrcl.exe
4308	sbietrcl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	784	e0adf621d598065f9833243390df1aa0N.exe
Token: SeDebugPrivilege	4308	sbietrcl.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 4308	784	e0adf621d598065f9833243390df1aa0N.exe	91
PID 784 wrote to memory of 4308	784	e0adf621d598065f9833243390df1aa0N.exe	91
PID 784 wrote to memory of 4308	784	e0adf621d598065f9833243390df1aa0N.exe	91
PID 4308 wrote to memory of 3744	4308	sbietrcl.exe	94
PID 4308 wrote to memory of 3744	4308	sbietrcl.exe	94
PID 4308 wrote to memory of 3744	4308	sbietrcl.exe	94
PID 4308 wrote to memory of 3744	4308	sbietrcl.exe	94
PID 4308 wrote to memory of 3744	4308	sbietrcl.exe	94
PID 4308 wrote to memory of 3744	4308	sbietrcl.exe	94
PID 4308 wrote to memory of 3744	4308	sbietrcl.exe	94
PID 4308 wrote to memory of 3744	4308	sbietrcl.exe	94
PID 4308 wrote to memory of 3744	4308	sbietrcl.exe	94

C:\Users\Admin\AppData\Local\Temp\e0adf621d598065f9833243390df1aa0N.exe
"C:\Users\Admin\AppData\Local\Temp\e0adf621d598065f9833243390df1aa0N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:784
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
    3⤵
    - Executes dropped EXE
    PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

Filesize
2.1MB

MD5
09f1ec4e170618417eb8130d3df00a18

SHA1
ce2ff4654e088af3676eae0c8e152fa48b98448e

SHA256
e2ac130e7476ed9f26c2cd933183359f07de825195847f2152491ce084a64597

SHA512
05522222bd24b8045cf5c65da859d857f7d6621e698a2a4bb02ce18d9893c25b3bf490e958932ae821ef45afc29a7202cab90d8bef34fcb8f46dd57bdeeebb5b

Download Submit
memory/784-3-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/784-0-0x0000000075592000-0x0000000075593000-memory.dmp

Filesize
4KB

Download
memory/784-15-0x0000000075592000-0x0000000075593000-memory.dmp

Filesize
4KB

Download
memory/784-16-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/784-1-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/784-27-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/784-2-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/3744-35-0x0000000000760000-0x0000000000777000-memory.dmp

Filesize
92KB

Download
memory/4308-28-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/4308-30-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/4308-31-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/4308-32-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/4308-29-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/4308-39-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads