remcos | 42935d2557a1d94823d32a2d9e6017a33f961b9e672292beed123d4b41c81c20

General

Target

42935d2557a1d94823d32a2d9e6017a33f961b9e672292beed123d4b41c81c20.exe
Size

1.6MB
MD5

ce5790a8c9abff9f6e605373f64cb9d6
SHA1

38952bb5ce924019cec324793cc4d3c8307af4fa
SHA256

42935d2557a1d94823d32a2d9e6017a33f961b9e672292beed123d4b41c81c20
SHA512

7d1cbbdcc179f52faa6513571f9ccaf622655f1560d24902508b03d04a9f2fa3446d5bb7f4a1b9cc46944778c0b9c17630ea7061206d2d0e0da92cc13acc16b6
SSDEEP

24576:ffmMv6Ckr7Mny5QLh+v0UP7Gm7AIwc/8/fOGu7vJM57icn08nmpMBwHACDEp:f3v+7/5QLhtUP7JkItw0Tq10iKHxW

Score

10^/10

remcos remotehost discovery rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

www.projectusf.com:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
gfh
mouse_option
false
mutex
Rmc-J91LMC
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO.vbs	PO.exe

Executes dropped EXE 1 IoCs

pid	Process
1824	PO.exe

Loads dropped DLL 1 IoCs

pid	Process
2524	42935d2557a1d94823d32a2d9e6017a33f961b9e672292beed123d4b41c81c20.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0009000000018b28-4.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1824 set thread context of 2984	1824	PO.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	42935d2557a1d94823d32a2d9e6017a33f961b9e672292beed123d4b41c81c20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1824	PO.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2984	svchost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 1824	2524	42935d2557a1d94823d32a2d9e6017a33f961b9e672292beed123d4b41c81c20.exe	30
PID 2524 wrote to memory of 1824	2524	42935d2557a1d94823d32a2d9e6017a33f961b9e672292beed123d4b41c81c20.exe	30
PID 2524 wrote to memory of 1824	2524	42935d2557a1d94823d32a2d9e6017a33f961b9e672292beed123d4b41c81c20.exe	30
PID 2524 wrote to memory of 1824	2524	42935d2557a1d94823d32a2d9e6017a33f961b9e672292beed123d4b41c81c20.exe	30
PID 1824 wrote to memory of 2984	1824	PO.exe	31
PID 1824 wrote to memory of 2984	1824	PO.exe	31
PID 1824 wrote to memory of 2984	1824	PO.exe	31
PID 1824 wrote to memory of 2984	1824	PO.exe	31
PID 1824 wrote to memory of 2984	1824	PO.exe	31

C:\Users\Admin\AppData\Local\Temp\42935d2557a1d94823d32a2d9e6017a33f961b9e672292beed123d4b41c81c20.exe
"C:\Users\Admin\AppData\Local\Temp\42935d2557a1d94823d32a2d9e6017a33f961b9e672292beed123d4b41c81c20.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\directory\PO.exe
  "C:\Users\Admin\AppData\Local\Temp\42935d2557a1d94823d32a2d9e6017a33f961b9e672292beed123d4b41c81c20.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\42935d2557a1d94823d32a2d9e6017a33f961b9e672292beed123d4b41c81c20.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\gfh\logs.dat

Filesize
144B

MD5
4376bdd3189107822a85a1a85032cdb3

SHA1
fa5f31dc7809a35eaa7465202a8b7837deba2579

SHA256
575fd853a9e96f0cffe5f2f02782b5f5b2bf900e7d8e07eedba8b89b0f46bab7

SHA512
d061977d789f6eadc27ae4e823d5b2eb624f275370ae271a53897c48d5e7d70574152a8115e28bd86faf5c9a2c3edbe2453a5590919bc9c55e345e22376e816b

Download Submit
\Users\Admin\AppData\Local\directory\PO.exe

Filesize
1.6MB

MD5
ce5790a8c9abff9f6e605373f64cb9d6

SHA1
38952bb5ce924019cec324793cc4d3c8307af4fa

SHA256
42935d2557a1d94823d32a2d9e6017a33f961b9e672292beed123d4b41c81c20

SHA512
7d1cbbdcc179f52faa6513571f9ccaf622655f1560d24902508b03d04a9f2fa3446d5bb7f4a1b9cc46944778c0b9c17630ea7061206d2d0e0da92cc13acc16b6

Download Submit
memory/1824-12-0x00000000037B0000-0x0000000003BB0000-memory.dmp

Filesize
4.0MB

Download
memory/1824-23-0x00000000037B0000-0x0000000003BB0000-memory.dmp

Filesize
4.0MB

Download
memory/2524-2-0x0000000003C70000-0x0000000004070000-memory.dmp

Filesize
4.0MB

Download
memory/2984-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2984-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2984-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2984-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2984-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2984-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing