remcos | 41376827ba300374727d29048920ca2a2d9f20b929e964098181981581e47af2

General

Target

cayV0Deo9jSt417.exe
Size

958KB
MD5

aa3cdd5145d9fb980c061d2d8653fa8d
SHA1

de696701275b01ddad5461e269d7ab15b7466d6a
SHA256

41376827ba300374727d29048920ca2a2d9f20b929e964098181981581e47af2
SHA512

4be32b5e9eaffa8d3f4cce515717faa6259373e8dbd258b9ebc2534fd0b62aaa7043093204e43627983fe332f63d8f998a90dc1cbb74f54a18c55f67e42a8a32
SSDEEP

24576:PExy+NP2Gc/hgXzYRVG7mRPQeMeokqjVnlqud+/2P+A:6+Gc/hD67mJQeMhkqXfd+/9A

Score

10^/10

remcos go!!!discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Go!!!

C2

dangerous.hopto.org:2404

dangerous.hopto.org:2602

91.92.242.184:2602

91.92.242.184:2404

Attributes

audio_folder
??????????? ??????
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
taskhost.exe
copy_folder
System32
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
tapiui.dat
keylog_flag
false
keylog_folder
System32
mouse_option
false
mutex
???-LDKG91
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
?????????
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 1 IoCs

pid	Process
2860	taskhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\???-LDKG91 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\taskhost.exe\""	clip.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1120 set thread context of 2668	1120	cayV0Deo9jSt417.exe	82

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cayV0Deo9jSt417.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clip.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 2668	1120	cayV0Deo9jSt417.exe	82
PID 1120 wrote to memory of 2668	1120	cayV0Deo9jSt417.exe	82
PID 1120 wrote to memory of 2668	1120	cayV0Deo9jSt417.exe	82
PID 1120 wrote to memory of 2668	1120	cayV0Deo9jSt417.exe	82
PID 1120 wrote to memory of 2668	1120	cayV0Deo9jSt417.exe	82
PID 1120 wrote to memory of 2668	1120	cayV0Deo9jSt417.exe	82
PID 1120 wrote to memory of 2668	1120	cayV0Deo9jSt417.exe	82
PID 1120 wrote to memory of 2668	1120	cayV0Deo9jSt417.exe	82
PID 1120 wrote to memory of 2668	1120	cayV0Deo9jSt417.exe	82
PID 1120 wrote to memory of 2668	1120	cayV0Deo9jSt417.exe	82
PID 1120 wrote to memory of 2668	1120	cayV0Deo9jSt417.exe	82
PID 1120 wrote to memory of 2668	1120	cayV0Deo9jSt417.exe	82
PID 2668 wrote to memory of 2860	2668	clip.exe	83
PID 2668 wrote to memory of 2860	2668	clip.exe	83
PID 2668 wrote to memory of 2860	2668	clip.exe	83

C:\Users\Admin\AppData\Local\Temp\cayV0Deo9jSt417.exe
"C:\Users\Admin\AppData\Local\Temp\cayV0Deo9jSt417.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\SysWOW64\clip.exe
  "C:\Windows\SysWOW64\clip.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Roaming\System32\taskhost.exe
    "C:\Users\Admin\AppData\Roaming\System32\taskhost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\System32\taskhost.exe

Filesize
24KB

MD5
e40cb198ebcd20cd16739f670d4d7b74

SHA1
e898a3b321bd6734c5a676382b5c0dfd42be377d

SHA256
6cdc8d3c147dcf7253c0fb7bb552b4ae918aba4058cc072a2320a7297d4fbed7

SHA512
1e5a68b2ae30c7d16a0a74807fa069be2d1b8adcfcbcde777217b9420a987196af13fb05177e476157029a1f7916e6948a1286cdb8957cdd142756da3c42beef

Download Submit
memory/1120-6-0x0000000005F40000-0x00000000064E4000-memory.dmp

Filesize
5.6MB

Download
memory/1120-3-0x0000000002B90000-0x0000000002BAA000-memory.dmp

Filesize
104KB

Download
memory/1120-2-0x0000000000FB0000-0x0000000000FB8000-memory.dmp

Filesize
32KB

Download
memory/1120-4-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/1120-5-0x00000000058F0000-0x0000000005996000-memory.dmp

Filesize
664KB

Download
memory/1120-0-0x00000000751DE000-0x00000000751DF000-memory.dmp

Filesize
4KB

Download
memory/1120-11-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/1120-1-0x00000000005F0000-0x00000000006E6000-memory.dmp

Filesize
984KB

Download
memory/2668-7-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-9-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-10-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-12-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads