remcos | bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747

General

Target

bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747.exe
Size

1.1MB
MD5

e244fd43d06ea0f234c71fff8e3f711f
SHA1

a913b51d74327b5fdafa2818acdf72636c3ca20a
SHA256

bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747
SHA512

6af4afb9dbee48c7d6839d445d25abf3816ead782b0514f7e882a2a1d4e4b732b69bd953ef7b88574a3534d331bc0ce06e88d56ebde2988c8e2702cef2fcf823
SSDEEP

24576:uRmJkcoQricOIQxiZY1iaCV/uvPPJUTxDZS4NO7j4MUuvWu:7JZoQrbTFZY1iaCV/uPJoxk4NOIS

Score

10^/10

remcos nov 12 discovery rat

Malware Config

Extracted

Family

remcos

Botnet

NOV 12

C2

leehoi01.ddns.net:9373

103.187.117.76:5584

154.216.18.171:5584

154.216.20.223:5584

leehoi02.ddns.net:9373

areabill.duckdns.org:9373

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-KA6I08
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs	outvaunts.exe

Executes dropped EXE 1 IoCs

pid	Process
4960	outvaunts.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000a000000023caa-15.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4960 set thread context of 3688	4960	outvaunts.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	outvaunts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4960	outvaunts.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3688	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 4960	1704	bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747.exe	86
PID 1704 wrote to memory of 4960	1704	bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747.exe	86
PID 1704 wrote to memory of 4960	1704	bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747.exe	86
PID 4960 wrote to memory of 3688	4960	outvaunts.exe	87
PID 4960 wrote to memory of 3688	4960	outvaunts.exe	87
PID 4960 wrote to memory of 3688	4960	outvaunts.exe	87
PID 4960 wrote to memory of 3688	4960	outvaunts.exe	87

C:\Users\Admin\AppData\Local\Temp\bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747.exe
"C:\Users\Admin\AppData\Local\Temp\bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\reaffect\outvaunts.exe
  "C:\Users\Admin\AppData\Local\Temp\bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
dfc5d27dc9206ea98bfe0dbe9a1dff6b

SHA1
9e5d586c81bdf2d9e0bfb465ae187cc2511ba4ea

SHA256
65f68756bcace4d9f21a691ba24c47b941b5059581fefc67b50b7e6cf6077fd0

SHA512
56849c87e5b9fec999c98d64f38b2490121f9685942ab978eb0bdf2560855cc736df81715861b33a4f45a9e043f6f04b8b9e639ed436b5d27a7f0de95aa5dbad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Allene

Filesize
469KB

MD5
30900a1deec30509b4a27be3b422e1b3

SHA1
e15d5e96d970ab38a853954ddef3248782755586

SHA256
35447f2a393f57c176ef487fc219208bc5df8065ed7720f3d378ad1d7e679a2e

SHA512
79b32a1611c78d639d3ef0fef09d8e1c33051ce05a7d22653be446d36ac291e26892c65fa6f0e7237928ea57a5b1e571a60afe9230498bc5a4961889f886e50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gunfights

Filesize
168KB

MD5
0aba2400129da5292eb797d53eb72dc0

SHA1
c60074617f55450ef74cbfdeef45c4b45736d56a

SHA256
76cf1f1379ae03b203c5446c05a82cc0cfd1dedc27f1f8acac582d047183f278

SHA512
93701f4b62127938d885393823caa0f420c1537f35c65ecee3fa3d2960c20fdd2e1274e6efd4ba46e58282b3b895543672fd92f8c5f67c44cf2ba56338d41634

Download Submit
C:\Users\Admin\AppData\Local\reaffect\outvaunts.exe

Filesize
1.1MB

MD5
e244fd43d06ea0f234c71fff8e3f711f

SHA1
a913b51d74327b5fdafa2818acdf72636c3ca20a

SHA256
bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747

SHA512
6af4afb9dbee48c7d6839d445d25abf3816ead782b0514f7e882a2a1d4e4b732b69bd953ef7b88574a3534d331bc0ce06e88d56ebde2988c8e2702cef2fcf823

Download Submit
memory/1704-11-0x00000000041A0000-0x00000000043A0000-memory.dmp

Filesize
2.0MB

Download
memory/3688-51-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3688-57-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3688-33-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3688-38-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3688-37-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3688-39-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3688-42-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3688-45-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3688-31-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3688-92-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3688-54-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3688-55-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3688-56-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3688-32-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3688-64-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3688-69-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3688-71-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3688-72-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3688-73-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3688-75-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3688-80-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3688-87-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3688-89-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3688-90-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3688-91-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4960-29-0x0000000003C40000-0x0000000003E40000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing