remcos | 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f

General

Target

06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe
Size

981KB
MD5

5609198accfb2ccedb39e7755ed6a36c
SHA1

2bc0ee0e47c40a298038863338c4c07d7029d695
SHA256

06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f
SHA512

f49ad0d40d40f9073a90cabd73065c4d2ab9de0f340dd109196161ad8bcbd2f73917c5232ec752241231df6ce069e5a0503c844f522a3e7c49daa3ed66a290d3
SSDEEP

24576:IAZCJVAeo/UMV0w7KpWXPL8YKSdtJ/JVw6:mPOd8WIYKSdt5

Score

10^/10

remcos host discovery rat

Malware Config

Extracted

Family

remcos

Botnet

Host

C2

oyo.work.gd:3142

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
vlc
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
pdf
mouse_option
false
mutex
jkm-I9KENP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
ios
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2188 set thread context of 2896	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	97

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe
2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2896	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2956	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	96
PID 2188 wrote to memory of 2956	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	96
PID 2188 wrote to memory of 2956	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	96
PID 2188 wrote to memory of 2896	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	97
PID 2188 wrote to memory of 2896	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	97
PID 2188 wrote to memory of 2896	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	97
PID 2188 wrote to memory of 2896	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	97
PID 2188 wrote to memory of 2896	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	97
PID 2188 wrote to memory of 2896	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	97
PID 2188 wrote to memory of 2896	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	97
PID 2188 wrote to memory of 2896	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	97
PID 2188 wrote to memory of 2896	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	97
PID 2188 wrote to memory of 2896	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	97
PID 2188 wrote to memory of 2896	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	97
PID 2188 wrote to memory of 2896	2188	06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe	97

C:\Users\Admin\AppData\Local\Temp\06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe
"C:\Users\Admin\AppData\Local\Temp\06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe
  "C:\Users\Admin\AppData\Local\Temp\06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe"
  2⤵
  PID:2956
- C:\Users\Admin\AppData\Local\Temp\06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe
  "C:\Users\Admin\AppData\Local\Temp\06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pdf\logs.dat

Filesize
144B

MD5
1a81ecd7ffd8d42a3979cd0efa3c5b6b

SHA1
b67035b395ba03d4013de2f582b8ab77f3588ac6

SHA256
f2e9020741e9dce39169363135ef758696de6757e45bfdb4bf4a115637dfd995

SHA512
573b9ef02e6dd7277a9fc32846ef57b96841be79f1c3573bb8579fb6748deb36ff7fb93637d03e919c3cdd5835d64cfacc78d4ee5a9f4aeb5dc267d0c47fc23e

Download Submit
memory/2188-6-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2188-2-0x0000000005830000-0x0000000005DD4000-memory.dmp

Filesize
5.6MB

Download
memory/2188-3-0x0000000005120000-0x00000000051B2000-memory.dmp

Filesize
584KB

Download
memory/2188-4-0x00000000051C0000-0x000000000525C000-memory.dmp

Filesize
624KB

Download
memory/2188-5-0x0000000005100000-0x000000000510A000-memory.dmp

Filesize
40KB

Download
memory/2188-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/2188-7-0x0000000006400000-0x0000000006412000-memory.dmp

Filesize
72KB

Download
memory/2188-8-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/2188-9-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2188-10-0x0000000006440000-0x0000000006500000-memory.dmp

Filesize
768KB

Download
memory/2188-1-0x0000000000610000-0x000000000070C000-memory.dmp

Filesize
1008KB

Download
memory/2188-21-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2896-18-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-23-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-19-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-16-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-20-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-12-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-22-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-14-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-24-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-26-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-29-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-11-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-35-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-34-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-51-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2896-50-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing