remcos | 1792d9330a4d7ac77830f2b13e4b1d05253ea9f4ff16417c9f7b4cae539bc761

General

Target

1792d9330a4d7ac77830f2b13e4b1d05253ea9f4ff16417c9f7b4cae539bc761N.exe
Size

3.6MB
MD5

87fac3b9eed8f1ef7bc3c693e3e720f0
SHA1

aba93af0cd7b752af7a0f7dda6aff3b58b0dd4a5
SHA256

1792d9330a4d7ac77830f2b13e4b1d05253ea9f4ff16417c9f7b4cae539bc761
SHA512

3586e7f370ba4ec4c801fa0bdad29f0fef859618595e1acc617061d468752c5a9b60e1e0db09815c2f5897907ddce4f83d569fcb5ec023e53330a2c933e1adb3
SSDEEP

98304:nFqtQT5m7w749osz+IMWcAwJ4+3cSGTVhRsr+Ep90+:nFqtQtEpz+IMWCbGTvRsav+

Score

10^/10

remcos host discovery rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

127.0.0.1:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
remcos_piqtmvewblnczoe
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	1792d9330a4d7ac77830f2b13e4b1d05253ea9f4ff16417c9f7b4cae539bc761N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Desktop.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	NINJA HEX C++2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	BOOT.exe

Executes dropped EXE 5 IoCs

pid	Process
1752	Desktop.exe
1872	NINJA HEX C++2.exe
4940	NINJA HEX C++.exe
3840	BOOT.exe
1412	BOOT.bat

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOT.bat

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3360 wrote to memory of 1752	3360	1792d9330a4d7ac77830f2b13e4b1d05253ea9f4ff16417c9f7b4cae539bc761N.exe	82
PID 3360 wrote to memory of 1752	3360	1792d9330a4d7ac77830f2b13e4b1d05253ea9f4ff16417c9f7b4cae539bc761N.exe	82
PID 1752 wrote to memory of 1872	1752	Desktop.exe	84
PID 1752 wrote to memory of 1872	1752	Desktop.exe	84
PID 1872 wrote to memory of 4940	1872	NINJA HEX C++2.exe	85
PID 1872 wrote to memory of 4940	1872	NINJA HEX C++2.exe	85
PID 1752 wrote to memory of 3840	1752	Desktop.exe	93
PID 1752 wrote to memory of 3840	1752	Desktop.exe	93
PID 3840 wrote to memory of 1412	3840	BOOT.exe	94
PID 3840 wrote to memory of 1412	3840	BOOT.exe	94
PID 3840 wrote to memory of 1412	3840	BOOT.exe	94

C:\Users\Admin\AppData\Local\Temp\1792d9330a4d7ac77830f2b13e4b1d05253ea9f4ff16417c9f7b4cae539bc761N.exe
"C:\Users\Admin\AppData\Local\Temp\1792d9330a4d7ac77830f2b13e4b1d05253ea9f4ff16417c9f7b4cae539bc761N.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3360
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Desktop.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Desktop.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\NINJA HEX C++2.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\NINJA HEX C++2.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\NINJA HEX C++.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\NINJA HEX C++.exe"
      4⤵
      Executes dropped EXE
      PID:4940
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\BOOT.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\BOOT.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3840
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\BOOT.bat
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\BOOT.bat"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Desktop.exe

Filesize
3.4MB

MD5
df1af936febd99db26fe61a3dca9b33a

SHA1
e514e61f86870775611b42c99cf2044a5c43c6ed

SHA256
47ed51e619d18ff3a1cc82afc2867e359baac0fea328ea6e74bd9092ecad8df9

SHA512
25a99ebd0c48671939fe1fd5b8adcb1a717582b293499ad886e3d70d5f1b0a9166aac34292028a711c3b50f65ae8b61032ac049125026acd20dc36ec7270643c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\BOOT.exe

Filesize
471KB

MD5
7534d80413d772ee66b358dfde368e55

SHA1
ac00a7f005ed97338b2f8892b8186cc6a4347f80

SHA256
7eebb0469e1cad2496882bba3626b376826964ae5c25692d401a889752ed839a

SHA512
31031a99109786de85213557b3bf6d544eaf6ccdc5de96904974e73ae343066b5844d90210a8a01b55913a7b828d9cfb759ad33f99970bee0d95f792d4076b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\NINJA HEX C++2.exe

Filesize
3.0MB

MD5
ce7c8c2972ef80850d2ed285915b30c4

SHA1
ae500b2f55c8a2dce7fdf3575b59515c30a4802f

SHA256
ef943afc0231fe470a83bb2151fda55b9a02f6858ed54c6788783c430545cbfd

SHA512
fb658304096b54e4cfcf121a762af784afcb8df1ace7d4368a2f8e8b4f158ac7cd4a4ffa8b4b7aa17360717f3fdc911b4e7d2182be3481e7cb0038ec00a9bea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\BOOT.bat

Filesize
92KB

MD5
3de541f8f8234db458b087cd8bbb126b

SHA1
a23d744d24c6fe9460da82c49b4d7d6714283e34

SHA256
e896e1cfcefc877c0445e5a88e53f06d35d0fe6396f581fdc5c794365d5a9b36

SHA512
5e569df70aedf777171cce0de88fd1e8d79dce14a73238fa4195ad582aad0096aacb783177155b1c511c172af4425696f7f45363d936501fffafe04378e02d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\NINJA HEX C++.exe

Filesize
5.4MB

MD5
e1a4bccaad7e5b3a91fbdaf47a5a95e1

SHA1
4f09efcecf39146a7b6e449b761c7d5545449c0a

SHA256
5ece19586f5196eed5c2c75b28a7a3d10c34765e4e3d84cc67768ad3732adf84

SHA512
46f2f105ba0a801c67feaeba3e0955633405c73f361b746b65e2c273a88347b02df3c091d860f0e7d33385e43cfc5a81968a3a025ac865ee8f3d948a4722682e

Download Submit

Analysis

Sharing