remcos | 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f

General

Target

06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe
Size

981KB
MD5

5609198accfb2ccedb39e7755ed6a36c
SHA1

2bc0ee0e47c40a298038863338c4c07d7029d695
SHA256

06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f
SHA512

f49ad0d40d40f9073a90cabd73065c4d2ab9de0f340dd109196161ad8bcbd2f73917c5232ec752241231df6ce069e5a0503c844f522a3e7c49daa3ed66a290d3
SSDEEP

24576:IAZCJVAeo/UMV0w7KpWXPL8YKSdtJ/JVw6:mPOd8WIYKSdt5

Score

10^/10

remcos host discovery rat

Malware Config

Extracted

Family

remcos

Botnet

Host

C2

oyo.work.gd:3142

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
vlc
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
pdf
mouse_option
false
mutex
jkm-I9KENP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
ios
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2068 set thread context of 3060	2068	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3060	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 3060	2068	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	30
PID 2068 wrote to memory of 3060	2068	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	30
PID 2068 wrote to memory of 3060	2068	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	30
PID 2068 wrote to memory of 3060	2068	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	30
PID 2068 wrote to memory of 3060	2068	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	30
PID 2068 wrote to memory of 3060	2068	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	30
PID 2068 wrote to memory of 3060	2068	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	30
PID 2068 wrote to memory of 3060	2068	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	30
PID 2068 wrote to memory of 3060	2068	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	30
PID 2068 wrote to memory of 3060	2068	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	30
PID 2068 wrote to memory of 3060	2068	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	30
PID 2068 wrote to memory of 3060	2068	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	30
PID 2068 wrote to memory of 3060	2068	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	30

C:\Users\Admin\AppData\Local\Temp\06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe
"C:\Users\Admin\AppData\Local\Temp\06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe
  "C:\Users\Admin\AppData\Local\Temp\06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3060

Network

DNS

oyo.work.gd

06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe

Remote address:

8.8.8.8:53

Request

oyo.work.gd

IN A

Response

oyo.work.gd

IN A

154.216.20.185
DNS

geoplugin.net

06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe

Remote address:

8.8.8.8:53

Request

geoplugin.net

IN A

Response

geoplugin.net

IN A

178.237.33.50
GET

http://geoplugin.net/json.gp

06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe

Remote address:

178.237.33.50:80

Request

GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

date: Fri, 15 Nov 2024 19:17:26 GMT
server: Apache
content-length: 956
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *

154.216.20.185:3142

oyo.work.gd

tls

06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe

3.4kB
2.2kB
14
16
178.237.33.50:80

http://geoplugin.net/json.gp

http

06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe

301 B
1.3kB
5
3

HTTP Request

GET http://geoplugin.net/json.gp

HTTP Response

200

8.8.8.8:53

oyo.work.gd

dns

06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe

57 B
73 B
1
1

DNS Request

oyo.work.gd

DNS Response

154.216.20.185
8.8.8.8:53

geoplugin.net

dns

06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe

59 B
75 B
1
1

DNS Request

geoplugin.net

DNS Response

178.237.33.50

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pdf\logs.dat

Filesize
144B

MD5
000dee2561e80237f5356869c3a98d28

SHA1
f380c5e8dc2134b78a0a20fa94daec14c8649004

SHA256
122bcb5cd915baceb3254a5b789f717012109fa5def5efb8bd0c16aad0ad2d36

SHA512
1c2e078ed4ad2505cdfd5cbb19cd35c5bf41d47da28e523a576298e575373c79740e9c3c9b7e8fe0cf2d14167dc1969863a6015ef923caa880ab72001dc757bc

Download Submit
memory/2068-27-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/2068-1-0x0000000000EF0000-0x0000000000FEC000-memory.dmp

Filesize
1008KB

Download
memory/2068-2-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/2068-3-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download
memory/2068-4-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/2068-5-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/2068-6-0x0000000005160000-0x0000000005220000-memory.dmp

Filesize
768KB

Download
memory/2068-0-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/3060-13-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3060-28-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3060-25-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3060-22-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3060-21-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3060-16-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3060-15-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3060-19-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3060-14-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3060-11-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3060-12-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3060-8-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3060-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3060-26-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3060-30-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3060-29-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3060-31-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3060-33-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3060-36-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3060-9-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3060-41-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3060-42-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3060-50-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3060-49-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3060-57-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3060-58-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response