remcos | 34956fb0874a7093f7e246b475a97acc90e312c3c762a09f69d9933b0837f59f

General

Target

34956fb0874a7093f7e246b475a97acc90e312c3c762a09f69d9933b0837f59f.exe
Size

1.2MB
MD5

996a89239876fdbb1cf03d17d092f9cb
SHA1

f068e983f491a47ed418c52ac57e453a043bd9d6
SHA256

34956fb0874a7093f7e246b475a97acc90e312c3c762a09f69d9933b0837f59f
SHA512

dfb8a52574e5d0d5f553334906dd0df5510662bdfe093b85042a66145c33401244f2cb28e51c2231e11fffe49852307751c135aefe55d4330b86ede3894f4a19
SSDEEP

24576:S6inYmOMJ+FU3WZvTS8ms6xAPe635AZx/2l86N:SWmtA63WZ3v6S2635AZMhN

Score

10^/10

remcos host discovery rat

Malware Config

Extracted

Family

remcos

Botnet

Host

C2

oyo.work.gd:3142

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
vlc
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
pdf
mouse_option
false
mutex
jkm-I9KENP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
ios
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3552 set thread context of 2392	3552	34956fb0874a7093f7e246b475a97acc90e312c3c762a09f69d9933b0837f59f.exe	93

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34956fb0874a7093f7e246b475a97acc90e312c3c762a09f69d9933b0837f59f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34956fb0874a7093f7e246b475a97acc90e312c3c762a09f69d9933b0837f59f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2392	34956fb0874a7093f7e246b475a97acc90e312c3c762a09f69d9933b0837f59f.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 2392	3552	34956fb0874a7093f7e246b475a97acc90e312c3c762a09f69d9933b0837f59f.exe	93
PID 3552 wrote to memory of 2392	3552	34956fb0874a7093f7e246b475a97acc90e312c3c762a09f69d9933b0837f59f.exe	93
PID 3552 wrote to memory of 2392	3552	34956fb0874a7093f7e246b475a97acc90e312c3c762a09f69d9933b0837f59f.exe	93
PID 3552 wrote to memory of 2392	3552	34956fb0874a7093f7e246b475a97acc90e312c3c762a09f69d9933b0837f59f.exe	93
PID 3552 wrote to memory of 2392	3552	34956fb0874a7093f7e246b475a97acc90e312c3c762a09f69d9933b0837f59f.exe	93
PID 3552 wrote to memory of 2392	3552	34956fb0874a7093f7e246b475a97acc90e312c3c762a09f69d9933b0837f59f.exe	93
PID 3552 wrote to memory of 2392	3552	34956fb0874a7093f7e246b475a97acc90e312c3c762a09f69d9933b0837f59f.exe	93
PID 3552 wrote to memory of 2392	3552	34956fb0874a7093f7e246b475a97acc90e312c3c762a09f69d9933b0837f59f.exe	93
PID 3552 wrote to memory of 2392	3552	34956fb0874a7093f7e246b475a97acc90e312c3c762a09f69d9933b0837f59f.exe	93
PID 3552 wrote to memory of 2392	3552	34956fb0874a7093f7e246b475a97acc90e312c3c762a09f69d9933b0837f59f.exe	93
PID 3552 wrote to memory of 2392	3552	34956fb0874a7093f7e246b475a97acc90e312c3c762a09f69d9933b0837f59f.exe	93
PID 3552 wrote to memory of 2392	3552	34956fb0874a7093f7e246b475a97acc90e312c3c762a09f69d9933b0837f59f.exe	93

C:\Users\Admin\AppData\Local\Temp\34956fb0874a7093f7e246b475a97acc90e312c3c762a09f69d9933b0837f59f.exe
"C:\Users\Admin\AppData\Local\Temp\34956fb0874a7093f7e246b475a97acc90e312c3c762a09f69d9933b0837f59f.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Users\Admin\AppData\Local\Temp\34956fb0874a7093f7e246b475a97acc90e312c3c762a09f69d9933b0837f59f.exe
  "C:\Users\Admin\AppData\Local\Temp\34956fb0874a7093f7e246b475a97acc90e312c3c762a09f69d9933b0837f59f.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pdf\logs.dat

Filesize
144B

MD5
5e64d1987bd678b9a0b4d37f6bf23e14

SHA1
9225473a88de83cf8c4129e3b1a28b5f495f921d

SHA256
e8af172bfc3fdb48c6ca62ee47d5cb3113738ad75fe654df1388930e9b0938e9

SHA512
bb9f96426b1c9ad35a540c7e153e98f99e329d0aceb8bf3a8a9d2e0c7b7d1e45b50e1752352294656ac512bbf5a911f8a3009c68e50523f5bfb34d4bc7e109e9

Download Submit
memory/2392-19-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2392-30-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2392-20-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2392-60-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2392-52-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2392-45-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2392-16-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2392-44-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2392-37-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2392-36-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2392-26-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2392-12-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2392-13-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2392-15-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2392-61-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2392-53-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2392-25-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2392-24-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2392-23-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3552-10-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/3552-7-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/3552-11-0x0000000006180000-0x0000000006240000-memory.dmp

Filesize
768KB

Download
memory/3552-2-0x00000000057F0000-0x0000000005D94000-memory.dmp

Filesize
5.6MB

Download
memory/3552-1-0x0000000000720000-0x000000000085C000-memory.dmp

Filesize
1.2MB

Download
memory/3552-21-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/3552-9-0x00000000745FE000-0x00000000745FF000-memory.dmp

Filesize
4KB

Download
memory/3552-5-0x0000000005740000-0x000000000574A000-memory.dmp

Filesize
40KB

Download
memory/3552-6-0x0000000005F30000-0x0000000005FCC000-memory.dmp

Filesize
624KB

Download
memory/3552-8-0x0000000005730000-0x0000000005742000-memory.dmp

Filesize
72KB

Download
memory/3552-0-0x00000000745FE000-0x00000000745FF000-memory.dmp

Filesize
4KB

Download
memory/3552-4-0x00000000053B0000-0x0000000005704000-memory.dmp

Filesize
3.3MB

Download
memory/3552-3-0x0000000005240000-0x00000000052D2000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing