remcos | 6d999f34ce44a0c6de79f8f0d8710df56aea3cef0137d3a23c2876edc86dc5c8

General

Target

6d999f34ce44a0c6de79f8f0d8710df56aea3cef0137d3a23c2876edc86dc5c8N.exe
Size

462KB
MD5

a81f82311218c176076e6b790b83c730
SHA1

79bf0623a25fd8e14b38f2abaa196dc10bacf9d5
SHA256

6d999f34ce44a0c6de79f8f0d8710df56aea3cef0137d3a23c2876edc86dc5c8
SHA512

2c3daace386eb62c4638fecf3eab3f1b521bf9a180cb846ce3a13c07b78fc7dfc38e9b3d68d0ad94bf4e43880d605438c00db53ec606201a5ca16c0818a410ef
SSDEEP

12288:PTwoa8YEp7/HaJhiy4DKBUx5grFvCkGaR:PTwCp7ki7gUXgp59R

Score

10^/10

remcos remotehost discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

2.7.2 Pro

Botnet

RemoteHost

C2

185.140.53.136:1818

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
cos.exe
copy_folder
cos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-K5QS06
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\cos\\cos.exe\""	6d999f34ce44a0c6de79f8f0d8710df56aea3cef0137d3a23c2876edc86dc5c8N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d999f34ce44a0c6de79f8f0d8710df56aea3cef0137d3a23c2876edc86dc5c8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d999f34ce44a0c6de79f8f0d8710df56aea3cef0137d3a23c2876edc86dc5c8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2172	schtasks.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2420	2320	6d999f34ce44a0c6de79f8f0d8710df56aea3cef0137d3a23c2876edc86dc5c8N.exe	29
PID 2320 wrote to memory of 2420	2320	6d999f34ce44a0c6de79f8f0d8710df56aea3cef0137d3a23c2876edc86dc5c8N.exe	29
PID 2320 wrote to memory of 2420	2320	6d999f34ce44a0c6de79f8f0d8710df56aea3cef0137d3a23c2876edc86dc5c8N.exe	29
PID 2320 wrote to memory of 2420	2320	6d999f34ce44a0c6de79f8f0d8710df56aea3cef0137d3a23c2876edc86dc5c8N.exe	29
PID 2320 wrote to memory of 1600	2320	6d999f34ce44a0c6de79f8f0d8710df56aea3cef0137d3a23c2876edc86dc5c8N.exe	30
PID 2320 wrote to memory of 1600	2320	6d999f34ce44a0c6de79f8f0d8710df56aea3cef0137d3a23c2876edc86dc5c8N.exe	30
PID 2320 wrote to memory of 1600	2320	6d999f34ce44a0c6de79f8f0d8710df56aea3cef0137d3a23c2876edc86dc5c8N.exe	30
PID 2320 wrote to memory of 1600	2320	6d999f34ce44a0c6de79f8f0d8710df56aea3cef0137d3a23c2876edc86dc5c8N.exe	30
PID 2420 wrote to memory of 2172	2420	cmd.exe	32
PID 2420 wrote to memory of 2172	2420	cmd.exe	32
PID 2420 wrote to memory of 2172	2420	cmd.exe	32
PID 2420 wrote to memory of 2172	2420	cmd.exe	32
PID 1600 wrote to memory of 2300	1600	6d999f34ce44a0c6de79f8f0d8710df56aea3cef0137d3a23c2876edc86dc5c8N.exe	33
PID 1600 wrote to memory of 2300	1600	6d999f34ce44a0c6de79f8f0d8710df56aea3cef0137d3a23c2876edc86dc5c8N.exe	33
PID 1600 wrote to memory of 2300	1600	6d999f34ce44a0c6de79f8f0d8710df56aea3cef0137d3a23c2876edc86dc5c8N.exe	33
PID 1600 wrote to memory of 2300	1600	6d999f34ce44a0c6de79f8f0d8710df56aea3cef0137d3a23c2876edc86dc5c8N.exe	33
PID 2300 wrote to memory of 1012	2300	WScript.exe	36
PID 2300 wrote to memory of 1012	2300	WScript.exe	36
PID 2300 wrote to memory of 1012	2300	WScript.exe	36
PID 2300 wrote to memory of 1012	2300	WScript.exe	36

C:\Users\Admin\AppData\Local\Temp\6d999f34ce44a0c6de79f8f0d8710df56aea3cef0137d3a23c2876edc86dc5c8N.exe
"C:\Users\Admin\AppData\Local\Temp\6d999f34ce44a0c6de79f8f0d8710df56aea3cef0137d3a23c2876edc86dc5c8N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /Create /TN flies /XML "C:\Users\Admin\AppData\Local\Temp\b8a88331ed8a4601aa10b60aeec12953.xml"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Create /TN flies /XML "C:\Users\Admin\AppData\Local\Temp\b8a88331ed8a4601aa10b60aeec12953.xml"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2172
- C:\Users\Admin\AppData\Local\Temp\6d999f34ce44a0c6de79f8f0d8710df56aea3cef0137d3a23c2876edc86dc5c8N.exe
  "C:\Users\Admin\AppData\Local\Temp\6d999f34ce44a0c6de79f8f0d8710df56aea3cef0137d3a23c2876edc86dc5c8N.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\cos\cos.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b8a88331ed8a4601aa10b60aeec12953.xml

Filesize
1KB

MD5
be41b19449b09c3b8d05e94fd67f19cc

SHA1
484cf23e0aa0eac5bcdd44ab7ff8bc5b6c92597a

SHA256
030a55a58eebe9f9d433bdd9a0236aa27981785b65c57c258653392a22ec6327

SHA512
22d4a51be7cfa357202b86b7d82d2fbee52bf2ee36f53c453924e8e0a78cf1bf95614eb301c6b03785dde31988b420c0b26adb59de3f22abdf8847ac3b84ed7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
406B

MD5
53b5b01ab6df628a783870090504f195

SHA1
4c175a9e57fba856c3926c6017aadb86316eb62a

SHA256
7f45e4f97baaccd07b2134f61c5e702af72f8a0b39cea6b5b4955daa289ed701

SHA512
fcc1948c81aa59ec6f391d47be7fa9160abb835dd584d14b057fbc057ea3ebf2918d660a859ab4b481260e5abee2aaf7fa5ee749097bff6a6f386e4389e1b3ba

Download Submit
memory/1600-5-0x00000000000D0000-0x00000000001D0000-memory.dmp

Filesize
1024KB

Download
memory/1600-6-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1600-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2320-3-0x0000000000050000-0x0000000000150000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads