remcos | c13d7d1dca1d22b26403a1a30d2dea359869a60605e1a1f092796fcea77d8069

General

Target

ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe
Size

432KB
MD5

ead2793e4c0f27b9cf4bf13be871b335
SHA1

0853073f0b345de18d50c6015b9ecf84939de407
SHA256

c13d7d1dca1d22b26403a1a30d2dea359869a60605e1a1f092796fcea77d8069
SHA512

0d2f1f9c98a44d7f19f9bc41eadc033947559e36c3f58e6721348b92a72565c2626724da228bf447458042ab3d648081625251156af104b30f2df194edc46303
SSDEEP

6144:kudNyolqqHP4uLVtbgYQwkkQBtDuodQ82p4b9s4s6H1JhlhssNTy:kB+qqv9VtMTwkxDDxb9M6Hx7ssE

Score

10^/10

remcos remotehost discovery rat

Malware Config

Extracted

Family

remcos

Version

2.0.4 Pro

Botnet

RemoteHost

C2

Wealths.ddns.net:5050

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%Temp%
mouse_option
false
mutex
Remcos-L8X9IX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
2704	Wealth.exe
2816	Encoronate0.exe

Loads dropped DLL 2 IoCs

pid	Process
2392	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe
2392	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wealth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Encoronate0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
876	schtasks.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2392	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe
2392	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe
2816	Encoronate0.exe
2816	Encoronate0.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2392	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe
2392	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe
2816	Encoronate0.exe
2816	Encoronate0.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2392	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe
2704	Wealth.exe
2816	Encoronate0.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2816	Encoronate0.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 876	2392	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe	30
PID 2392 wrote to memory of 876	2392	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe	30
PID 2392 wrote to memory of 876	2392	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe	30
PID 2392 wrote to memory of 876	2392	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe	30
PID 2392 wrote to memory of 2492	2392	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe	32
PID 2392 wrote to memory of 2492	2392	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe	32
PID 2392 wrote to memory of 2492	2392	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe	32
PID 2392 wrote to memory of 2492	2392	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe	32
PID 2392 wrote to memory of 2704	2392	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe	34
PID 2392 wrote to memory of 2704	2392	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe	34
PID 2392 wrote to memory of 2704	2392	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe	34
PID 2392 wrote to memory of 2704	2392	ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe	34
PID 2324 wrote to memory of 2816	2324	taskeng.exe	36
PID 2324 wrote to memory of 2816	2324	taskeng.exe	36
PID 2324 wrote to memory of 2816	2324	taskeng.exe	36
PID 2324 wrote to memory of 2816	2324	taskeng.exe	36

C:\Users\Admin\AppData\Local\Temp\ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ead2793e4c0f27b9cf4bf13be871b335_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "Milieukravene" /TR "C:\Users\Admin\AppData\Roaming\Encoronate0.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:876
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /run /tn "Milieukravene"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2492
- C:\Users\Admin\AppData\Local\Temp\Wealth.exe
  "C:\Users\Admin\AppData\Local\Temp\Wealth.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2704

C:\Windows\system32\taskeng.exe
taskeng.exe {89766CA8-67DB-4230-BB2A-DD303C7DD1FB} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Roaming\Encoronate0.exe
  C:\Users\Admin\AppData\Roaming\Encoronate0.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\remcos\logs.dat

Filesize
79B

MD5
d7d421b01ddf23c00d57e560ec55006a

SHA1
4a3b01399be5ad1b79e38081c8ed7d8d01d04298

SHA256
4b5c5ec98ed80fd8d0aad756105ade6029d429d45aa4b9c78ffc99ce9cee1f24

SHA512
ddeab6dc7e4b5a4d77bbe18109e3a40256913093bb295f90af598372a5c09b89ed1a4a40b4c24c31ba5972b3c9ec2372dd9b1a7f25281c2f6a0c5252417f9213

Download Submit
C:\Users\Admin\AppData\Roaming\Encoronate0.exe

Filesize
432KB

MD5
e43c9f8320455a0e38f761377ebed70d

SHA1
2ee22adc5532cba00d19df2174e2cfb853b99280

SHA256
8a750132f5ff640bb1c68bf18b131a42c1a2b3e5da5e3c52e81bd12b14474005

SHA512
0cc052164525d9ada03397e96dce4c3682ceef2360731a83c1ae3576e5906546e05e6e12796ac4e2a5d6300af97a900e84626ae25c1f29856e298734062b10c9

Download Submit
\Users\Admin\AppData\Local\Temp\Wealth.exe

Filesize
108KB

MD5
883dc3715b6baef0e334fd9b71ad7dc1

SHA1
60670c8da90a3f7b1846c991d3c37e58d8165c70

SHA256
6ba00445a5c30db7e57de9335d2afc28a63315badef37d97af8b602b9e820aeb

SHA512
7924a5107907a5e0d84f9c08c5a23f8a86368bc26c9c72fdae483b3d67023fec49f98b168cc632b32fa5d21754e142843ad57b332d6b0309b76ec36255fe8933

Download Submit
memory/2392-2-0x0000000076F30000-0x0000000077006000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads