remcos | 6a6694d8f20335031b678ac80057b40fc6b428e9c1eb5c6f013ee8673a3bdec2

General

Target

Purchase_Specifications.xll
Size

89KB
MD5

bd3bc369b662a2a535dc0d2594cd5382
SHA1

4a7fc4e0d97e530c197dee293187b46d3a6545aa
SHA256

6a6694d8f20335031b678ac80057b40fc6b428e9c1eb5c6f013ee8673a3bdec2
SHA512

1f2b27b086650206e5d3d02fd44750d4ab94017a4de310e34134dbcfb48f7afc5b6b0161c05db128b80814156523846e20e4e3e76400c98b8185939006203003
SSDEEP

768:35WNN1P5o3lP+PCp9wDw7/4p8ZrlpDtBUIl3C:35cN3o3lP+PCp9wDherlpfUe

Score

10^/10

remcos oct 28 discovery rat upx

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

remcos

Botnet

OCT 28

C2

myhost001.myddns.me:9373

103.161.133.98:4804

103.161.133.98:9373

myhost001.myddns.me:4804

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-47R6I4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biopsies.vbs	biopsies.exe

Executes dropped EXE 2 IoCs

pid	Process
2720	regasms.exe
2680	biopsies.exe

Loads dropped DLL 7 IoCs

pid	Process
1752	EXCEL.EXE
1752	EXCEL.EXE
1752	EXCEL.EXE
1752	EXCEL.EXE
1752	EXCEL.EXE
1752	EXCEL.EXE
2720	regasms.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2720-59-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/2680-82-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2680 set thread context of 2884	2680	biopsies.exe	34

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000017481-23.dat	upx
behavioral1/memory/2720-39-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2720-59-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2680-82-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biopsies.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regasms.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1752	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2884	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2680	biopsies.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1752	EXCEL.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1752	EXCEL.EXE
1752	EXCEL.EXE
1752	EXCEL.EXE
2884	svchost.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2720	1752	EXCEL.EXE	32
PID 1752 wrote to memory of 2720	1752	EXCEL.EXE	32
PID 1752 wrote to memory of 2720	1752	EXCEL.EXE	32
PID 1752 wrote to memory of 2720	1752	EXCEL.EXE	32
PID 2720 wrote to memory of 2680	2720	regasms.exe	33
PID 2720 wrote to memory of 2680	2720	regasms.exe	33
PID 2720 wrote to memory of 2680	2720	regasms.exe	33
PID 2720 wrote to memory of 2680	2720	regasms.exe	33
PID 2680 wrote to memory of 2884	2680	biopsies.exe	34
PID 2680 wrote to memory of 2884	2680	biopsies.exe	34
PID 2680 wrote to memory of 2884	2680	biopsies.exe	34
PID 2680 wrote to memory of 2884	2680	biopsies.exe	34
PID 2680 wrote to memory of 2884	2680	biopsies.exe	34

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Purchase_Specifications.xll
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752
- C:\ProgramData\regasms.exe
  "C:\ProgramData\regasms.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Local\interseminating\biopsies.exe
    "C:\ProgramData\regasms.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\ProgramData\regasms.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\regasms.exe

Filesize
726KB

MD5
85214c3a2da8fec5c286a9062d32a1f5

SHA1
d139edbcf53f44a4bcf9b9a16520d635c4afdf54

SHA256
dd9a066ab1e8fc494004497b180b9b24a27713c2d01cd1a5607ee3218a4625d9

SHA512
055705cc23b090691a9be8ae3da8550655119ad90453aee8e21d4a94b81ea2a5607d39bfacaff6be2d15feab7cba21a9e42c9737e0280dc136980de49a5db29b

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
86cd574043b16b59e67b80d038e1120c

SHA1
495e14fb4fd59ed0e7605da1f952fa0f58e216ee

SHA256
1ae0a079f9fa63aad5c17ee05c77977f6e3f84d2b2ba9748aeee14c8c4088705

SHA512
4fd0fef9968b2239526a8267e907e235a3622e9686465a642004f8905eed09a2fb8ee4cabc0ce9cad20096f7c754ceef21124760b801e485e2abd4aa88b83a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\obtenebrate

Filesize
174KB

MD5
ea96b207a1c01ae9b60ef74d2def8f39

SHA1
7f161627e4324102a5647f877bd54735ba4d906e

SHA256
0bb6e712358b7cfb39631ec5d4568cc2935494e49fc8eb5f2dd3e54172a14aa8

SHA512
a66a7414fdcff3def5702874c1dbe6f0e340bd191be4b5de34baab388fb7bea9f5b04fa1b8ae0a65d9fdf03c336b6516e1fe115af139e7277a254138b7801320

Download Submit
C:\Users\Admin\AppData\Local\Temp\resharpen

Filesize
469KB

MD5
bf7561010dcbd6bc44e61d3d0dda4c13

SHA1
938a63046dfc89be6ffb75c2deb5be11e27b92ee

SHA256
3ff2c0a8f160b05ee9bd665dfecc824cdd30d7aaa4148583c69f8ab87be18334

SHA512
2ec30b73d845b0e03927f4649f786f5518f039159666020ff39654157c4cf9942a90080410e7d2a310928561cc4c3a17bf999eba2e6eb1219d1aad74902fdc65

Download Submit
\Users\Admin\AppData\Local\Temp\Purchase_Specifications.xll

Filesize
89KB

MD5
bd3bc369b662a2a535dc0d2594cd5382

SHA1
4a7fc4e0d97e530c197dee293187b46d3a6545aa

SHA256
6a6694d8f20335031b678ac80057b40fc6b428e9c1eb5c6f013ee8673a3bdec2

SHA512
1f2b27b086650206e5d3d02fd44750d4ab94017a4de310e34134dbcfb48f7afc5b6b0161c05db128b80814156523846e20e4e3e76400c98b8185939006203003

Download Submit
memory/1752-36-0x0000000006A90000-0x0000000006B52000-memory.dmp

Filesize
776KB

Download
memory/1752-26-0x0000000006A90000-0x0000000006B52000-memory.dmp

Filesize
776KB

Download
memory/1752-37-0x000000007209D000-0x00000000720A8000-memory.dmp

Filesize
44KB

Download
memory/1752-51-0x000000007209D000-0x00000000720A8000-memory.dmp

Filesize
44KB

Download
memory/1752-5-0x0000000003D40000-0x0000000003D71000-memory.dmp

Filesize
196KB

Download
memory/1752-2-0x0000000003D40000-0x0000000003D71000-memory.dmp

Filesize
196KB

Download
memory/1752-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1752-1-0x000000007209D000-0x00000000720A8000-memory.dmp

Filesize
44KB

Download
memory/2680-82-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2720-39-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2720-53-0x00000000002A0000-0x00000000003A0000-memory.dmp

Filesize
1024KB

Download
memory/2720-59-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2884-83-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2884-97-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2884-77-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2884-76-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2884-84-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2884-85-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2884-86-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2884-75-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2884-94-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2884-95-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2884-96-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2884-80-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2884-99-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2884-100-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2884-102-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2884-103-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2884-104-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2884-108-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2884-111-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2884-112-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2884-119-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2884-120-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2884-128-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2884-127-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads